The proliferation of e-business activities is having an impact on legal liability
and first-party risks faced by companies, whether they know it or not. The purpose
of this article is to identify some of the ways these risks can be managed by
way of indemnity and insurance provisions in contracts. Due to space limitations,
this article will touch on just some of the important issues to consider. (More
information on this topic will be provided at the Tech-eRisk Seminar.)
New and/or Different Risks to Which Companies Are Exposed
For illustrative purposes, let's focus on a company that is contracting with
a third-party service provider for particular services that involve e-business
activities. Such contracts typically involve some type of outsourcing, such
as a particular back room function (e.g., payroll), an information technology
function, a logistics/distribution function, etc. The key point is that these
contracts involve one or more of the following activities.
- The company is providing sensitive information about its customers/clients
and/or employees to the service provider.
- The company is giving access to its internal computer systems to the
service provider.
- The company is sharing proprietary intellectual property with the service
provider (whether software, hardware, or business process).
- The company and the service provider are communicating with each other
via the Internet, and sensitive company data is being transmitted to the
third party via the Internet.
Because of these activities, the company that has contracted for services
that involve e-business activities is exposed to a variety of risks, some of
which are unique to e-business activities. Legal liability risks include the
following.
- Information about the company's customers/suppliers and employees is
subject to theft, which can lead to claims of invasion of privacy and other
legal liabilities.
- Some person or organization alleges that some of the proprietary software,
business process, or other thing used by the company or the service provider
infringes intellectual property rights.
- The service provider fails to perform, which can lead to claims for
pure financial loss sustained by the company's customers or clients or downstream
users.
- The company is responsible for destruction or corruption of the service
provider's or another person's or organization's computer data, software,
or programs (collectively, "data").
First-party risks include the following.
- The company's important information assets (e.g., any information reduced
to electronic form and residing on the company's computer system) are subject
to theft by the service provider or another third party, which can lead
to lost business income because a competitor obtains the information.
- The company's computer system is subject to corruption by the service
provider or another third party, whether accidentally or intentionally,
which can lead to lost business income and extra expense.
The foregoing is a high-level discussion of the risks faced by companies
as they conduct e-business activities. In short, the risks include, but are
not limited to, intellectual property infringement, invasion of privacy, pure
financial loss, damage to/corruption of data, and impairment of a computer system.
Indemnity Provisions To Address the Risks
Importantly, legal liability and first-party risks produced by e-business
activities can be managed in part by indemnity and insurance provisions in contracts.
But because some of the risks faced by companies conducting e-business activities
are unique to those activities, traditional indemnity and insurance provisions
simply are not adequate for e-business contracts.
With respect to the indemnity provisions of a contract involving e-business
activities, risk managers and a company's contracting personnel responsible
for reviewing such contracts should take care to ensure that the contract addresses
certain risks. On the legal liability side, one typically sees the following
risks divided into separate indemnity provisions: intellectual property infringement,
privacy, pure financial loss, and general indemnity (limited to bodily injury
and property damage). However, it is very important to note that in some contracts,
you see only two indemnity provisions, one for intellectual property infringement,
and one for general indemnity not limited
to bodily injury and property damage (which means it can include indemnity for
privacy and pure financial loss risk).
Regardless of how the contract is set up with respect to the indemnity provisions
(i.e., whether four different indemnity provisions or two), the key point is
that the risk manager or contracts person reviewing the contract must understand
how the contract addresses indemnification for third-party claims for intellectual
property infringement, privacy, pure financial loss, and bodily injury and property
damage (including data). Those provisions must be reviewed and negotiated to
ensure that the risks for which the company wants to be defended and indemnified
by the service provider are addressed.
Also, all the good work that can go into such provisions is going to be
for naught if the contract contains any type of consequential damages waiver
and/or limitation of liability clause that does not except the service
provider's indemnity obligations to the company for third-party claims.
These provisions can be found in separate clauses, or in one and the same
clause, in a contract, but they deal with two different, albeit related,
issues.
The consequential damages waiver (CDW) clause will set forth the types of
losses that the company cannot claim against the service provider, period. That
is, the company is waiving the right to
claim certain losses against the service provider. In contrast, the limitation
of liability (LoL) clause does not waive the company's right to claim a particular type of loss against the service provider.
Rather, it places a monetary limit on the amount of a particular type of loss
that can be claimed. For example, if the company can claim up to $1 million
in costs to restore data that was damaged/corrupted by the service provider,
such costs will not be listed in the CDW, but rather will be listed in the LoL.
In any event, regardless of whether CDW and LoL provisions in a contract
are listed in separate clauses or in one and the same clause, it is vitally
important that risk managers and contracting personnel for the company ensure
that any such provisions expressly except the service provider's indemnity obligations
to the company under the contract. If they do not, they might limit the service
provider's indemnity obligations to the company for third-party claims, and
all the hard work done on the indemnity provisions will have been for naught.
Finally, the consequential damages waiver and/or limitation of liability
clause will also impact the ability of the company to obtain compensation from
the service provider for any first-party losses sustained by the company. [Remember,
the indemnity provisions typically only address what happens when another person
or organization (other than the service provider) brings a claim against the
company.] So, if you want the service provider to be liable to you for first-party
loss (e.g., lost profits, extra expenses, cost to restore lost/corrupted data,
etc.), you need to make sure such losses are not excluded by the consequential
damages waiver clause or overly limited by the limitation of liability clause.
Insurance Provisions To Address the Risks
In traditional contracts, the company would simply require standard insurance
policies to ensure that the service provider had the financial wherewithal to
carry out its indemnity obligations under the contract, and to otherwise shift
risks under the contract to the service provider's insurers. A typical contract
would require the service provider to maintain workers compensation and employers
liability, automobile liability, commercial general liability, and perhaps also
foreign general liability and/or umbrella liability.
However, these traditional policies are problematic when it comes to addressing
the unique risks associated with e-business activities. As discussed in the
previous article in this column, traditional general liability insurance
policies cover fewer and fewer e-business risks. The service provider's
general liability insurance might not respond to third-party claims for invasion
of privacy when it comes to theft of private information (where was the "publication
or utterance"?), damage to/corruption of data (now expressly excluded by traditional
general liability coverage), pure financial loss (typically not covered even
by traditional general liability coverage), and a host of the intellectual property
risks posed by e-business activities.
So, what can a company do in this situation? The company should expand the
types of insurance policies required in its contracts and also expand the descriptions
of coverages that it wants the service provider to maintain. There are any number
of ways to do this. For example, the company's insurance provisions can insert
an omnibus e-business insurance requirement that sets forth the types of coverages
required and permits the service provider to maintain the coverage in one or
more types of insurance policies (e.g., internet liability, professional liability,
crime, etc.). Or the company can set forth several types of insurance policies
the service provider is to maintain (professional liability, Internet/e-business
liability, and crime) and explain the types of coverages that each insurance
policy should address.
Regardless of which method is adopted, it is important that the company spell
out the types of risks that the required insurance will cover. That's because
the insurance policies that can address these
risks are not standard. Depending on which insurer's form is used, a professional
liability policy can actually cover more than an Internet liability policy can
with respect to these risks. So it is not sufficient to merely require that
the service provider maintain a certain type of insurance. Rather, you have
to spell out the types of risk the insurance, regardless of the label or name
you're giving it, is required to cover.
Concluding Remarks
Reviewing and negotiating indemnity and insurance provisions in contracts
is an important risk management function for companies to carry out. However,
traditional indemnity and insurance provisions in contracts are inadequate
for contracts involving e-business activities. Such contracts require specialized
indemnity and insurance provisions that can, and should, be obtained. Hopefully,
this article provides some useful information in that regard.
More information on this subject will be provided at the Tech-eRisk Seminar.