Expert Commentary

Addressing Privacy Risk from an Insurance and Contractual Risk Transfer Perspective

Although we have discussed privacy risk in various articles in this column since its inception more than 4 years ago, privacy risk has never been as publicized as it has been recently, given the rash of breach of privacy incidents and lawsuits arising out of them that have occurred since late 2004. This edition of the Cyber Insurance column is intended to briefly discuss privacy risk from an insurance and contractual risk transfer perspective to help risk managers, brokers, and others address the issue for their companies and clients.

Cyber and Privacy Risk and Insurance
May 2005

An understanding of the several different ways a company can be exposed to claims of violation of another person's right of privacy is essential for understanding how to structure an insurance and contractual risk transfer program to try to address such risks. Set forth below is a brief description of those risks, and key insurance-related information that needs to be kept in mind.

Dissemination of Information in Violation of Right of Privacy

The first type of privacy risk has been the type of privacy risk that companies have been facing for decades. It is when the company knowingly gives information to another party, either orally or in written form, and that dissemination of information violates a person's right of privacy.

For decades, general liability insurers have been covering this type of privacy risk in the "Personal Injury" and "Advertising Injury" coverage sections in general liability policies. Newer general liability forms that combine these two coverages into one definition of "Personal and Advertising Injury" describe the covered offense as follows: "the publication or utterance of material that violates a person's right of privacy."

Collecting Information in Violation of Right of Privacy

The second type of privacy risk may have existed for as long as the risk of disseminating information, but it has only become publicized since the advent of the Internet and e-Business activities. An example of this risk is when a company collects information about persons visiting its website, without the necessary privacy disclosures required by law or otherwise in violation of the law of one or more of the jurisdictions where the website can be accessed.

Most, if not all, general liability insurers do not intend to cover this type of privacy risk when they use the language quoted above, because the activity of collecting information does not involve the act of "publication or utterance," which means to disseminate information. (Older general liability policies did not have this "publication or utterance" limitation, and theoretically at least could have covered this type of privacy risk)

Permitting the Theft of Information in Violation of Right of Privacy

This is the type of privacy risk that has exploded on the scene in the last year as revelations of security breaches at several companies are revealed almost on a monthly basis. It can occur several different ways, but for this article, the following two scenarios are most important.

On the one hand, a company could have sensitive information (employee social security numbers, birth dates, addresses, etc., and similar information about key customers and/or suppliers) on its computer system. Somebody could steal that information and use it for illegal purposes him or herself, or sell the information, often to the international black market for such information which has mushroomed in recent years.

On the other hand, a company could provide such information to a third party, or give a third party access to the company's computer system so they have access to such information. Such third party could be a key customer or supplier, vendor of services (e.g., logistics or warehousing company, payroll processing company, etc.), or outsourced information technology company. Somebody could steal that information while it is residing on the third party's computer system, or somebody could gain access into the company's computer system by using the access rights that the company gave to the third party (e.g., by stealing access codes, hacking into the third party's system, and then getting into the company's system, etc.).

Does either or both of these two privacy scenarios involve "the publication or utterance" of material that violates a person's right of privacy in order to trigger the "Personal and Advertising Injury" coverage in newer general liability forms? If you ask general liability insurers, they say "no," because it involves the "theft and use" of information by a non-insured, not the "dissemination of" information by the insured. It is possible that coverage litigation on this issue might ensue, and courts may or may not adopt the general liability insurer's interpretation of how existing policy language applies to such a privacy scenario. However, given the number of insurance products available in the market today to expressly cover this type of risk to a certain extent, it is suggested that companies would do better to expressly address the risk in their insurance programs instead of waiting to see how the courts resolve the issue.

Insurance Strategies for Addressing Privacy Risk

With respect to these three types of privacy risks, general liability insurance should cover at least one—the insured's dissemination of information in violation of a right of privacy. The coverage can be found in the "Personal and Advertising Injury" coverage in current general liability policies. It is highly unlikely that current general liability insurance will cover the second type of risk—the insured's collection of information in violation of a right of privacy. And it is debatable whether current general liability insurance will cover the third type of risk—permitting the theft of information in violation of right of privacy.

Given the foregoing, what should companies consider doing when it comes to insuring these three different types of privacy risk? Clearly, companies should continue to buy general liability insurance (e.g., commercial general liability, foreign general liability, and umbrella liability).

But companies should review their general liability policies to see if the "privacy" coverage is limited to "the publication or utterance" of material that violates a person's right of privacy. If so, they should seriously consider buying one of the newer insurance products that expressly covers, at least to some extent, privacy risk as described in this article. We say "at least to some extent" because the newer policies on the market vary with respect to privacy risk covered. For example, some only cover privacy risk arising out of the use of a computer, and of those forms, some insurers cover the risk only with respect to when the insured's information is residing on the insured's computer system and will cover the risk of theft if the insured's information residing on a third party's computer system only after receiving specific information about the third party so that they can underwrite the risk. And some insurers cover more than computer-related risk, offering an enterprise-wide privacy coverage, but offer that coverage only to certain types of companies (e.g., financial services and healthcare companies).

What are these newer types of policies? They go by various names, and therefore cannot be described by use of one name, a point that is important to note when constructing a contractual risk transfer program. Also, the coverage can be provided by an endorsement to otherwise traditional media liability, technology errors and omissions, or other type of E&O policy. That said, we would note the following. When the coverage is limited to risk involving the use of a computer, the coverage used to be called, "Internet Liability Insurance" or "Cyber Liability Insurance," but the name that is used most frequently today is "Network Security Liability Insurance" or a variation of that phrase.

However, the important point is not the name or label used on the insurance policy or endorsement, but rather the extent of coverage offered by the product. There are several issues to consider when buying such coverage, a discussion of which is beyond the scope of this article. Suffice it to say for now that these policies and endorsements provide broader coverage for privacy risk than the newer general liability forms in use today.

Contractual Risk Transfer Strategies for Addressing Privacy Risk

In addition to a company buying its own insurance to address privacy risk, another important risk transfer/financing strategy for such risk is to address the risk in indemnity and insurance provisions in contracts. It is becoming more and more customary today to expressly address privacy risk in a variety of different types of contracts, especially when either or both of the contracting parties is giving the other party sensitive information or access to a computer system. Contracts for logistics and warehousing services, payroll processing services, and IT infrastructure outsourcing services are just examples.

A company that is providing sensitive information to the other party to a contract, or giving the other party access to the company's information via the Internet, will want to expressly state in the contract that the information is confidential and is not to get into the hands of any other party. Such company will also want to expressly state that if anyone other than the other party to the contract gets some of the information, then the other party will defend, indemnify, and hold the company harmless from all liability arising from the leak of the information.

But such an indemnification and hold harmless provision is only as good as the financial wherewithal of the party to the contract giving the indemnity. What happens if that party does not have the financial means to fulfill its indemnity and hold harmless obligations? To protect against that risk, the company requiring the indemnity should also require that the other party to the contract maintain certain types of insurance.

And here is where the discussion of insurance set forth above is important—it is not sufficient in such a contract to simply require that the other party maintain general liability insurance. To more fully protect itself, the company seeking to transfer risk under the contract must require that the other party maintain some type of insurance that expressly covers the latter two types of privacy risk discussed in this article.

Concluding Remarks

Companies have faced privacy risk for decades. But the increasing use of computers and increase in e-Business activities exposes companies to privacy risk in ways that have not been seen before. These new risks call out for insurance and risk transfer strategies that go beyond traditional methods. Hopefully, this article provides some guidance on what methods should be used today.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More