What insurance does your technology business need?

Tech E&O insurance, cyber security/data breach insurance, Electronic Data Processing Insurance or Digital Asset Insurance: Which insurance will meet all the needs of your technology business?

This article assumes that a technology company will normally already have basic commercial general liability insurance coverage and business property insurance, or a business owner’s package, with or without excess or umbrella insurance. These fundamental types of commercial insurance, while critically necessary, do not provide protection for everything, because of exclusions contained in the policy and/or the terminology and verbiage used in the insurance contract. More than one type of insurance that is essential for tech companies is still lacking. For instance, Commercial General Liability sometimes covers damages for errors and omissions due to the failure of a product IF you have a tangible property loss, but most times it does not, as there is no tangible property loss. Another example is umbrella insurance, which, while desirable, often excludes E&O coverage entirely. You still want to have an umbrella policy, which adds higher limits of coverage to the other types of insurance your company carries. The real answer to which insurance will meet all of your tech company’s needs is most likely “none of the above,” but insurance policies can be combined to give you the maximum coverage possible.

So the tech company may need just one additional policy, or several more types of coverage or stand-alone insurance policies, to address risks which are foreseeable in the tech industry. The two best-known types are cyber insurance/data breach insurance and professional liability or E&O insurance. Other types you may need include Electronic Data Processing and/or Digital Asset Insurance. New products are emerging to meet the needs of technology, and others may be added in the near future. Technology insurance is not yet standardized. Adding one or more of the types of coverage which are available now will add layers of protection to your existing insurance and can provide full protection for every conceivable risk when they are fitted together like pieces of a puzzle to solve the insurance quandary faced by your company specifically.

Small to midsize technology companies face rapidly evolving roles and ever-changing work climates on a routine basis. In fact, it is very difficult to find a consensus on a single definition of a “tech company”.

Insurance coverage for the technology industry is best selected by the role or the function of the company. There are tremendous variances in “tech” companies, in how they operate and in what they do. If you are a technology company, you could be a computer information technology company, a data storage company, a data management technology company, or a computer technology company which manufactures computers, designs computer systems, writes computer code for certain industries, or builds operating systems for all types of products, including tech gadgets or apps. The company could even provide all of these services. Any and all of the companies described above, along with hundreds of others, can be classified as a technology company. But the functions performed by the company are the key to knowing what actions you need to have insured.

The demand for diverse types of technology fosters a vast variety of tech companies and leads to varying claims against them, which usually arise from the failure of the product provided by the “technology” company, the services it performed, or both. The owner must therefore determine what specific coverage is tailored to protect the company’s products or performance from liability by thoroughly examining what insurance is available for this industry and exactly what each insurance policy covers.

In most businesses or professions, Professional Liability or E&O (Errors and Omissions) insurance is a critical need. Technology is no exception. In the technology vernacular this is most frequently referred to as a Tech E&O policy. Let’s say that your tech company, “Best Ever Tech Company” (BETC), designed a computer system for a client and selected, but did not manufacture, the components, and now manages and stores the data produced by the computer system, analyzes the raw data and provides analytic data to the client. Undoubtedly, Best Ever Tech Company needs to be fully covered for errors and omissions on the part of employees and owners. Tech E&O provides wide coverage for a host of services including data hosting, data processing, computer systems analysis, network management services and software programming. See “5 Insurance Issues to Consider in Tech Transactions,” http://blogs.orrick.com/insurance/authorD.Teshima

BETC needs errors and omissions insurance with coverage for computer systems design, computer analytics, data management and data storage. Tech E&O would cover all of these provisions as negligent acts. However, E&O does not include intentional acts or torts, so you still need another layer of protection.

BETC doesn’t need E&O coverage for manufacturing the system or the components (products liability), but does need coverage for the design of the computer system if it does not work as anticipated, either because the parts or software are not compatible or because of other inherent flaws. The company could possibly need coverage for loss of the client’s income if the design of the new system caused the product not to work in the intended fashion. BETC also needs to be insured for its advice and recommendations on what components to purchase to make the system run efficiently; for the result of its data analysis, if it is incorrect or the system is unable to perform comprehensive analysis; and for the data being stored for the client, regardless of the methodology used for storage, if there is a negligent error which causes a loss of data.

Tech errors and omissions coverage should be sufficient for most employees, but the owner needs to investigate whether the policy needs additional Errors and Omissions coverage for officers and directors who may not be involved in the technology side of the business. This could be added by an endorsement or a rider to the BOP or the Tech Errors and Omissions policy.

Cyber security insurance is also advised for BETC. Cyber security coverage differs from E&O. It covers network security failure and breach of data which are not the result of an employee’s negligent error, such as an accidental error, but rather of a direct act or attack, usually by a hacker, which can be accompanied by a demand for ransom. Cyber security coverage also applies to an employee’s actions if they are intentional or fraudulent rather than an error. Cyber security insurance is very complex and there are various ways to structure a policy. ISO has not yet issued a standard form for use. There are numerous questions to consider, and the owner should conduct a thorough risk analysis with his agent before deciding upon a cyber security insurance policy. Some of these are:

  • Does it cover both third-party liability for breach of your clients’ privacy and first-party coverage for you, the insured?
  • Does the triggering-event language limit coverage to an intentional breach, or is coverage triggered by any failure of the insured to protect data (which is preferable)?
  • Is there coverage if the insured fails to disclose the breach?
  • What event triggers the duty to defend? A liberal approach would make a request for information the trigger, while the most restrictive makes the actual filing of a lawsuit the trigger. You would want to have the earliest trigger possible.
  • Are civil fines and penalties covered?
  • Are notification costs covered? There is wide variance in which costs are covered, and it differs from state to state. Does the coverage limit you to using notification vendors picked by the insurance carrier?
  • Most importantly in some cases: does it cover data loss and the cost to regain the data?
  • Another major factor for consideration is whether the policy excludes acts of terrorism or war. If they are excluded, be very wary and make sure that the policy clearly states that extortion using ransomware or doxware and/or security breaches are not excluded under this clause.

As each technology company is unique, the above list is representative only and not exhaustive. For a more in-depth discussion see: “Analyzing Cyber Risk Coverage,” http://riskandinsurance.com/author/steve-raptis

In the past, coverage for computer equipment was based on business property insurance; however, it often excluded losses caused by computer viruses or hacking, which newer cyber insurance policies now cover. Separate and apart from cyber security issues, Electronic Data Processing (EDP) Insurance developed simultaneously and was designed specifically to address computer operations. EDP insurance covers computer equipment, media, data and data recovery. It is meant to cover breakdown of the equipment and the resulting losses from the inability to process the data. Another method is to add an enhanced super stretch, such as those offered by the Hartford, to a BOP, which can cover computer hardware and software as well as damage to the equipment from changes in temperature. A change in temperature can be a major issue when large heat-producing computers become damaged after a loss of power or an equipment failure which then causes the heat to rise further, or which causes a sprinkler system to activate, ruining the equipment.

There are also Digital Asset Insurance policies, which are not as widely known. Historically, digital loss was covered by a clause in an existing cyber security policy which assigned a very low indemnity value to the digital assets and generally covered damages from natural disasters only. New solutions have been developed to go hand in glove with cyber security or property insurance. The value of the lost digital asset can be set at the time coverage is bound, and the asset can be insured for up to millions of dollars. The value is set by the underwriter and assigned an indemnity value based on actual value or the data which is lost. The coverage also features insurer-approved backup and data management, and can be purchased whether the data is on the premises, in a data server center or in a cloud application.

Technology companies are at high risk of loss due to the proliferation of new technologies and the correlating data and information produced. These businesses are changing the insurance world’s appetite for risk, steering it away from natural disasters and toward processes guided by humans and products developed by humans with the aid of data and data processing. In short, technology companies are entering uncharted ground and will blaze a new navigational chart for insurance providers and carriers as they proceed along their course. Careful insurance planning is critical to the company’s health, so that it is not blown off course by loss of data from error, theft, mistake or any other event.

Cyber Security, Data Breach and/or General Commercial Liability

Can business owners safely terminate their cyber security/data breach insurance, relying on General Liability coverage as a safe harbor?

Cyber Security

On July 27, 2016 the U.S. Federal Court of Appeals for the Fourth Circuit held in Travelers Indemnity Company of America vs. Portal Health Care Solutions that a Commercial General Liability (CGL) policy does cover a data breach and that the insurance company has a duty to defend the insured business against the class action claim filed against it.

This decision might lead businesses to believe that they do not need Cyber Security or Data Breach Insurance. While dropping that coverage may appear to be a cost-saving measure now, it could result in a far greater liability in the event of a data breach claim against you.

  • The Portal case was filed in 2013. The decision hinges on the coverage under Part B of the CGL policy for Personal and Advertising Injury. Changes were made to CGL policies, with exclusions and endorsements which became effective May 1, 2014, based on ISO’s suggested forms. While adherence to ISO forms is not mandatory, they are widely recognized and usually adopted. To date the ISO exclusion and endorsements on data breach are available for use in 53 states, depending on the carrier’s preference. So the Portal case may not be applicable to policy claims made after that date that do not contain Part B coverage. This point will certainly be argued in the future should similar cases be filed after the effective date without containing Part B coverage language.
  • The Portal Health Solutions case is a departure from previous holdings in other state court cases, which held that CGL insurance does not cover data breaches, and so creates a conflict between the states. This may result in the case being certified by the Supreme Court of the United States. However, there is an absence of conflicting rulings between two Federal Courts of Appeals, which is generally a trigger for the Supreme Court to accept a case.
  • Each party has a right to file a Petition for Certiorari to ask the Supreme Court to review the case. In this case, only Travelers would have a reason to request review. The Supreme Court may want to hear the case because the defendant Portal Health Solutions’ data consists of medical records, which would fall under HIPAA privacy rules, and the protection of these documents is legally mandated, so the Government would have an interest in protecting American citizens’ privacy and the members of the class action suit who were injured by the data breach.
  • It also raises important questions in regard to cyber security in the form of cyber hacking of data, which is a growing national threat. Cyber security is considered to be the 5th highest underwriting risk for insurance carriers according to the Swiss Re Sonar report, May 2016. Thus the Supreme Court has a duty and an interest in protecting the safety of America’s citizens.
  • Almost all businesses have some risk of data breach or a cyber security risk which impacts commerce and trade throughout the US.

Due to all the above factors, it is difficult to determine whether Travelers Indemnity will petition for certiorari, and whether the Supreme Court will accept the case. The better course of action for Travelers financially may be to just cover the insured’s damages under the policy and then go on to fight another day in a case where the policy does not have Part B coverage and the endorsements are on the newer ISO forms. However, Travelers may still have numerous policies outstanding with Part B coverage for personal and advertising injury, which compels it to address the question now.

Because of the ever-growing risk associated with cyber security crimes, including extortion, kidnapping, and terrorism, most major carriers have designed new types of insurance products to cover data breach and cyber crimes, presuming on the basis of previous court rulings that general liability did not cover these instances. If this ruling is upheld without going to the Supreme Court, it may still have a far-reaching impact on both the business community and the insurance industry, as it leaves unanswered the basic question of coverage after the inception of the new ISO endorsements.

If the public perception is that you do not need data breach/cyber security insurance, this could lead to a sizable loss for the insurance industry in litigation and loss of premiums, which could lead to employee layoffs in insurance companies and business closings.

Bear in mind that the insurance carrier’s payment under a data breach policy endorsement in the Target data breach case reached $44 million. Generally, CGL policies do not have an aggregate limit this high.

If the insurance carrier has to provide this insurance under a CGL policy without endorsement, there will be significant losses under those policies. Costs for General Liability insurance will rise and be passed on to the insured.

Insureds may not have adequate insurance under their CGL as the policies are not designed to offer specialized coverage suited to each company’s needs and the aggregate limits may be too low, thereby financially harming the insured, and the injured party.

The insured may still have options to purchase specific policy endorsements or supplements if the products continue to be offered. Most likely they will be, as public awareness of the threat and the demand for the products are growing.

Consequently, until there is a complete resolution of this issue, the prudent business person should, at a minimum, retain their present cyber security/data breach insurance. High-risk industries should also purchase appropriate insurance products based on a thorough risk assessment or continue their existing coverage. It would be unwise to rely solely on your commercial general liability policy for data breach and cyber security risk.