Although we have discussed privacy risk in various articles in this column
since its inception more than 4 years ago, privacy risk has never been as
publicized as it has been recently, given the rash of privacy breach
incidents, and the lawsuits arising out of them, that have occurred since late 2004.
This edition of the Cyber Insurance column is intended to briefly discuss
privacy risk from an insurance and contractual risk transfer perspective to
help risk managers, brokers, and others address the issue for their companies
and clients.
An understanding of the several different ways a company can be exposed to
claims of violation of another person's right of privacy is essential for
understanding how to structure an insurance and contractual risk transfer
program to try to address such risks. Set forth below is a brief description of
those risks, and key insurance-related information that needs to be kept in
mind.
Dissemination of Information in Violation of Right of Privacy
The first type of privacy risk has been the type of privacy risk that
companies have been facing for decades. It is when the company knowingly gives
information to another party, either orally or in written form, and that
dissemination of information violates a person's right of privacy.
For decades, general liability insurers have been covering this type of
privacy risk in the "Personal Injury" and "Advertising
Injury" coverage sections in general liability policies. Newer general
liability forms that combine these two coverages into one definition of
"Personal and Advertising Injury" describe the covered offense as
follows: "the publication or utterance of material that violates a
person's right of privacy."
Collecting Information in Violation of Right of Privacy
The second type of privacy risk may have existed for as long as the risk of
disseminating information, but it has only become publicized since the advent
of the Internet and e-Business activities. An example of this risk is when a
company collects information about persons visiting its website, without the
necessary privacy disclosures required by law or otherwise in violation of the
law of one or more of the jurisdictions where the website can be accessed.
Most, if not all, general liability insurers do not intend to cover this
type of privacy risk when they use the language quoted above, because the
activity of collecting information does not involve the act of
"publication or utterance," which means to disseminate information.
(Older general liability policies did not have this "publication
or utterance" limitation, and theoretically at least could have covered
this type of privacy risk.)
Permitting the Theft of Information in Violation of Right of Privacy
This is the type of privacy risk that has exploded on the scene in the last
year, as security breaches at several companies have been revealed almost on a
monthly basis. It can occur in several different ways, but for this
article, the following two scenarios are the most important.
On the one hand, a company could have sensitive information (employee social
security numbers, birth dates, addresses, etc., and similar information about
key customers and/or suppliers) on its computer system. Somebody could steal
that information and use it for illegal purposes himself or herself, or sell the
information, often to the international black market for such information, which
has mushroomed in recent years.
On the other hand, a company could provide such information to a third
party, or give a third party access to the company's computer system so
that it has access to such information. Such a third party could be a key customer
or supplier, a vendor of services (e.g., a logistics or warehousing company,
a payroll processing company, etc.), or an outsourced information technology
company. Somebody could steal that information while it is residing on the
third party's computer system, or somebody could gain access to the
company's computer system by using the access rights that the company gave
to the third party (e.g., by stealing access codes, hacking into the third
party's system, and then getting into the company's system, etc.).
Does either of these two privacy scenarios involve "the
publication or utterance" of material that violates a person's right
of privacy, so as to trigger the "Personal and Advertising Injury"
coverage in newer general liability forms? If you ask general liability
insurers, they say "no," because it involves the "theft and
use" of information by a non-insured, not the "dissemination of"
information by the insured. It is possible that coverage litigation on this
issue might ensue, and courts may or may not adopt the general liability
insurer's interpretation of how existing policy language applies to such a
privacy scenario. However, given the number of insurance products available in
the market today to expressly cover this type of risk to a certain extent, it
is suggested that companies would do better to expressly address the risk in
their insurance programs instead of waiting to see how the courts resolve the
issue.
Insurance Strategies for Addressing Privacy Risk
With respect to these three types of privacy risks, general liability
insurance should cover at least one—the insured's dissemination of
information in violation of a right of privacy. The coverage can be found in
the "Personal and Advertising Injury" coverage in current general
liability policies. It is highly unlikely that current general liability
insurance will cover the second type of risk—the insured's collection of
information in violation of a right of privacy. And it is debatable whether
current general liability insurance will cover the third type of
risk—permitting the theft of information in violation of right of privacy.
Given the foregoing, what should companies consider doing when it comes to
insuring these three different types of privacy risk? Clearly, companies should
continue to buy general liability insurance (e.g., commercial general
liability, foreign general liability, and umbrella liability).
But companies should review their general liability policies to see if the
"privacy" coverage is limited to "the publication or
utterance" of material that violates a person's right of privacy. If
so, they should seriously consider buying one of the newer insurance products
that expressly covers, at least to some extent, privacy risk as described in
this article. We say "at least to some extent" because the newer
policies on the market vary with respect to the privacy risk covered. For example,
some only cover privacy risk arising out of the use of a computer, and of those
forms, some insurers cover the risk only while the insured's
information is residing on the insured's computer system, and will cover the
risk of theft of the insured's information residing on a third party's
computer system only after receiving specific information about the third party
so that they can underwrite the risk. And some insurers cover more than
computer-related risk, offering enterprise-wide privacy coverage, but offer
that coverage only to certain types of companies (e.g., financial services and
healthcare companies).
What are these newer types of policies? They go by various names, and
therefore cannot be described by use of one name, a point that is important to
note when constructing a contractual risk transfer program. Also, the coverage
can be provided by an endorsement to otherwise traditional media liability,
technology errors and omissions, or other type of E&O policy. That said, we
would note the following. When the coverage is limited to risk involving the
use of a computer, the coverage used to be called "Internet Liability
Insurance" or "Cyber Liability Insurance," but the name that is
used most frequently today is "Network Security Liability Insurance"
or a variation of that phrase.
However, the important point is not the name or label used on the insurance
policy or endorsement, but rather the extent of coverage offered by the
product. There are several issues to consider when buying such coverage, a
discussion of which is beyond the scope of this article. Suffice it to say for
now that these policies and endorsements provide broader coverage for privacy
risk than the newer general liability forms in use today.
Contractual Risk Transfer Strategies for Addressing Privacy Risk
In addition to a company buying its own insurance to address privacy risk,
another important risk transfer/financing strategy for such risk is to address
the risk in indemnity and insurance provisions in contracts. It is becoming
more and more customary today to expressly address privacy risk in a variety of
different types of contracts, especially when either or both of the contracting
parties is giving the other party sensitive information or access to a computer
system. Contracts for logistics and warehousing services, payroll processing
services, and IT infrastructure outsourcing services are just examples.
A company that is providing sensitive information to the other party to a
contract, or giving the other party access to the company's information via
the Internet, will want to expressly state in the contract that the information
is confidential and is not to get into the hands of any other party. Such
company will also want to expressly state that if anyone other than the other
party to the contract gets some of the information, then the other party will
defend, indemnify, and hold the company harmless from all liability arising
from the leak of the information.
But such an indemnification and hold harmless provision is only as good as
the financial wherewithal of the party to the contract giving the indemnity.
What happens if that party does not have the financial means to fulfill its
indemnity and hold harmless obligations? To protect against that risk, the
company requiring the indemnity should also require that the other party to the
contract maintain certain types of insurance.
And here is where the discussion of insurance set forth above is
important—it is not sufficient in such a contract to simply require
that the other party maintain general liability insurance. To more fully
protect itself, the company seeking to transfer risk under the contract
must require that the other party maintain some type of insurance that
expressly covers the latter two types of privacy risk discussed in this
article.
Concluding Remarks
Companies have faced privacy risk for decades. But the increasing use of
computers and increase in e-Business activities exposes companies to privacy
risk in ways that have not been seen before. These new risks call out for
insurance and risk transfer strategies that go beyond traditional methods.
Hopefully, this article provides some guidance on what methods should be used
today.