Most prudent businesses today carry at least certain standard insurance coverages to protect against risks and liabilities arising out of the conduct of their business. These threshold coverages usually consist of a Commercial General Liability (CGL) policy, coupled with a workers’ compensation and employer’s liability policy and a commercial automobile liability policy. However, the provision of technology-related products and services entails certain unique risks not faced by the “ordinary” business, and a business engaged in providing those products and services (and their customers) run the risk of a very unpleasant surprise when a claim is made and the business discovers that these standard insurance products may not provide coverage. As such, businesses that provide technology-related products and services – from software development and licensing to IT professional services and data hosting – should be aware of additional insurance products that are available to insure against the risks that are unique to their business operations.
Why Isn’t a CGL Policy Enough? Though the exact terms of coverage may vary from policy to policy and from insurer to insurer, CGL policies generally protect a business from a third party’s claim of negligence that results in bodily injury or physical damage to property. In addition, a CGL policy may provide coverage against infringement of certain intellectual property rights if the alleged infringement occurs in the course of advertising or marketing the business’ goods and services.
However, CGL policies typically exclude certain risks that are actually quite common in the provision of technology-related products and services. For example:
- Defects in Products and Services/Contract Performance Disputes – a failure or error of a technology product or service is more likely to result in financial damage to a third party than to cause bodily injury or physical damage to a third party’s property – but purely financial losses caused by the negligence of an insured are usually excluded from coverage under the CGL policy. This means that a CGL policy will quite likely not protect a business against claims arising out of programming errors, software performance, or the failure of products and services to perform as promised in a contract.
- Subcontractors – technology service providers often supplement their work force through the use of subcontractors and independent contractors – but the acts of subcontractors and independent contractors are usually not covered by a CGL policy.
- Professional Services – errors and omissions arising out of the provision of professional services (for example, IT consulting and implementation services) are usually excluded from coverage under a CGL policy.
- Data Breaches – in the past, many courts have construed CGL policies to not provide coverage for data breaches (for example, in some cases, on the rationale that data is not tangible “property” and, in other cases, on the grounds that a data breach did not constitute “publication” of private information to qualify for coverage as an “advertising injury”); to avoid an uncertainty, many insurers have now begun to expressly exclude data breaches from coverage under a CGL policy.
- Infringement of Intellectual Property, especially Patents – as noted above, most CGL policies exclude coverage for claims arising out of the infringement of intellectual property rights if the infringement does not occur in connection with “advertising” – but even then, claims of patent infringement are almost always excluded from coverage under all circumstances. Given the proliferation of infringement claims by “patent trolls” and other non-practicing entities (NPEs), lack of coverage against such claims is a significant area of concern for all providers (and customers) of technology-related products and services.
Additional Insurance Technology Companies Should Consider. The following are some additional available insurance coverages that are more specifically tailored to the risks and liabilities faced by providers of technology-based products and services and so may be used to fill “gaps” left by a CGL policy. Of course, the terminology for a given type of coverage may vary from insurer to insurer, and not all insurance policies provide the same coverage; in addition, certain of the coverages listed below may already be included under another insurance product or added as a rider. In short, the devil is in the details, so you should always consult with your insurer or broker and review each policy carefully to make sure that a given insurance product meets your needs.
1. Technology Errors and Omissions (Tech E&O). Tech E&O coverage is a species of the more well-known professional liability/professional errors & omissions coverage, and it often supplements the CGL policy in important ways specific to a technology-related business. Tech E&O insurance generally protects the insured against a third party’s (such as a customer) claims of financial loss caused by either (i) the failure of the insured’s product to perform as promised, or (ii) an act, error, or omission committed by the insured in the course of its performance.
- Tech E&O applies to claims arising out of the performance of professional services. To avoid confusion, it is important to note that “professional services” not only include the rendering of services but also the offering or provision of technology-related products as well. For example, IT/network consultants, website designers and cloud storage companies provide technology services, while software licensors and hardware manufacturers offer technology products.
- Tech E&O provides coverage for defects in products and certain services/contract performance disputes. As noted above, failure or error of a technology product or service more often gives rise to purely financial damage (for example, monetary loss caused by failure to deliver as promised or failure to meet contractual service levels) rather than causing bodily injury or physical damage to a third party’s property. As such, Tech E&O coverage is a good complement to a CGL policy – if there is no coverage under the CGL policy because there is no physical damage or bodily injury caused by the error, a Tech E&O policy may provide coverage (and, conversely, a CGL policy would provide coverage where the error does cause physical damage or injury, which is usually excluded from the Tech E&O coverage). It is important to note, however, that the Tech E&O coverage does not provide blanket coverage for all contract performance claims or disputes. Generally speaking, Tech E&O policies only cover those defects or performance issues that arise out of the negligence of the insured (or, in some cases, its unintentional acts or omissions) – Tech E&O coverage does not protect an insured against its intentional failure to perform in accordance with a contract.
- Tech E&O often provides coverage for the negligent acts of your subcontractors and independent contractors.
- Tech E&O often provides coverage for claims of copyright infringement arising out of the covered activities of the insured. This can be especially useful against claims that your software or other work product was used without an appropriate license or was “copied” from copyrightable subject matter owned by a third party.
However, there are still important risks that a typical Tech E&O policy generally does not cover. For example, Tech E&O policies typically do not protect the insured against:
- Claims of patent infringement; or
- Data breach or other failure to protect personally identifiable information.
As these risks are typically not covered by either a CGL policy or a Tech E&O policy, the business should continue to consider the availability of other protections to mitigate these risks.
2. Data Breach and Malware – Cyber Risk Insurance (a/k/a Cybersecurity or Privacy and Network Liability Insurance). Protection against cyber risk may be obtained via a separate policy or, sometimes, may be added as coverage under another policy, such as a Tech E&O policy. As with any insurance product, coverage for cyber risk can vary widely from policy to policy, especially with respect to the scope of coverage and associated policy limits and sub-limits. Nonetheless, cyber risk coverage differs from typical CGL and Tech E&O polices in two important ways:
- Cyber risk coverage expressly provides coverage for data breaches; and
- In addition to protecting the insured against liabilities to third parties (which may include not only customers, business partners, and regulatory agencies but also the business’ own shareholders), cyber risk policies often cover the insured’s own losses arising out of a breach. These losses can include, for example:
- costs of investigating the breach;
- expenses of data restoration and recovery;
- business interruption and expenses to get “up and running” again (which may include, under certain policies, “extortion” payments necessary to retrieve or restore data that has been encrypted or otherwise held for ransom by criminals); or
- costs of any legally-required data breach notification and, if applicable, costs of credit monitoring for persons whose non-public information was compromised in the breach.
With respect to liabilities to third parties arising out of a data breach, a well-crafted cyber risk policy can protect the business against:
- costs of defending against third party lawsuits and payment of settlements or judgments against the insured; and
- costs of defense to investigations and prosecutions brought by regulatory or administrative agencies, along with payment of any resulting fines and penalties levied upon the insured.
Additional practical benefit. Of course, actually obtaining coverage against data protection risks is the ultimate benefit of acquiring cyber risk coverage; however, even merely reviewing the application forms can be of practical benefit to the business. This is because the application process for cyber risk coverage often includes a detailed questionnaire regarding the data protection and security practices actually employed by the business, which can can serve as a useful “self-assessment” to identify areas in which the business can improve its data protection and security practices.
3. Patent Infringement Liability Insurance. Patent litigation in the technology sector is at an all-time high, and this is attributable in large part to the proliferation of suits by “patent trolls” and other NPEs – entities who acquire patents for the primary purpose of enforcing them against others for monetary gain rather than actually utilizing the patents to create or market useful goods or services. However, claims of patent infringement are almost never subject to coverage under a CGL policy. (While some policyholders have successfully argued that such claims are in fact covered under the “advertising injury” provisions of a CGL policy, such successes are rare and very fact-dependent.)
Given this, some insurers have recently begun offering insurance products specifically tailored to protect the insured against third party patent infringement claims. The terms of available patent infringement liability policies can vary significantly, though the cost of such policies is uniformly high, no doubt owing to the costs of mounting a defense to a patent infringement claim and the potential for high damages awards if the defense is unsuccessful. Nonetheless, as with any insurance product, there are certain variables in the scope of protection purchased that can be tailored to help manage the purchase price, such as:
- whether the policy covers the defense of a patent infringement claim only or covers both defense of the claim and indemnification obligations owed to a third party;
- whether the policy covers other attendant costs and expenses incidental to a patent infringement claim, such as product redesign costs; and
- whether the policy protects against any and all patent infringement claims or merely protects against “weak” cases commonly associated with “patent trolls” (in the latter situation, the policy may state that coverage will not apply unless the insurer determines that the insured stands a substantial chance of success against the infringement claim).
When considering whether to purchase patent liability infringement insurance, it is important to keep in mind that most policies will exclude coverage for a given patent infringement claim if the insured had previously been threatened by the owner of the patent or was otherwise aware of a risk that it would be sued for infringement of that patent.