Most applicable data privacy and security laws will hold your organization equally liable for a breach whether it was your fault or that of your third party vendor. Risks of data loss, data corruption and data theft are of paramount concern. Such risks are not limited to the organization's actions or omissions, but increasingly those of its vendors. When the worst happens, how do you manage the financial cost of data losses?
IT professionals can help their organization better manage and reduce the financial risks when negotiating for IT services or products by understanding how insurance can help cover IT losses. Look for the insurance requirements in your vendor agreements, and know to what extent your organization may be able to cover some of these risks under its own insurance program. Insurance is usually handled by an organization's risk management department or outside agent, but it's important for the IT professional to have some understanding of the relevant types of IT insurance polices in order to craft appropriate insurance-related protection for their vendor agreements.
There are a number of different insurance products that may be available to protect against loss arising from IT-related risks. We'll cover several in the following discussion. Basically, there is insurance within your own organization and then the insurance that vendors will provide.
Commercial Property Insurance is your organization's standard policy that may cover data loss. However, these policies often only provide coverage for reconstruction of lost data if there has been an actual physical damage to the systems holding the data. Cyber Liability Insurance will potentially provide protection against a wide range of losses arising from cyber-related risks. These policies are often written in a "menu" format, where the insured can pick and choose from a number of different coverage types.
Most cyber insurance policies will cover damages arising from unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks and malicious code. Some policies also cover privacy risks like security breaches of personal information and may apply to violations of state and federal privacy regulations. Reimbursement for crisis management expenses may also be an option, such as legal and public relations expenses. Policies may include business interruption coverage if you lose revenue after an attack or if your vendor is shut down by an attack or goes out of business.
On the vendor end, Technology Errors and Omissions Liability Insurance will be the primary form of liability insurance your vendor should have to cover damages you or others may suffer as a result of its negligence. It provides coverage for claims arising from its professional IT services. For example, it covers claims by third parties that are based on programming errors, software performance or, in some cases, the vendor's services failing to work as warranted in an agreement. Without this coverage, your vendor lacks insurance coverage for liability associated with its IT services or products.
Language in agreements should clearly specify the insurance expectations that you have for the vendor. Although these will vary based on the services that are provided by any particular vendor, the following is a sample of what to look for.
Required Insurance Coverage means that the vendor shall obtain, pay for and maintain Professional liability (Technology Errors and Omissions or other Cyber-Liability Insurance) in full force and effect during the term of any agreement. Vendors need to provide an actual copy of the insurance policy prior to the activation of any agreement with all dates and coverage terms clearly stated. Many vendors may hesitate to provide a full copy of their policy. However, given that these policies are not standardized and provide (or exclude) a wide variety different coverage, it is critical to obtain a copy of the policy and to review it to ensure that it actually provides coverage for loss arising from the services that the vendor is providing under the agreement.
Claims Made Coverage defines the extent to which any insurance coverage required is maintained on a "claims-made" basis, such insurance shall cover all acts, errors or omissions on the part of the vendor during the term of the agreement. It should be continuously maintained following the expiration or termination of the agreement, assuming damages and claims might be made well after the agreement expires. This is known as "tail coverage." Most of the protection against third party suits provided under Technology Errors and Omissions and/or Cyber Liability policies will be provided on a "claims-made" basis (i.e., it will only cover claims made while the policy is in force). For this reason, it's critical to ensure that the vendor maintains the coverage in force not only during the term of the Agreement, but provides tail coverage for at least two to three years afterward, if not longer. Certificates of Insurance are evidence for all coverage agreed upon and should be furnished to the customer before the agreement is activated. The IT professional does not have to be an expert in insurance; however, being familiar with the types of insurance available and the limitations of each can help the IT department ensure that the organization is in the best position possible to protect its valuable assets.
Christopher C. Cain is a partner with the law firm of Foley & Lardner LLP, practicing in the firm's Information Technology & Outsourcing practice. He routinely counsels clients on the legal, technical and transactional issues arising in technology transactions. Ethan Lenz, CPCU, is a partner in the firm's Insurance Industry practice and has extensive experience providing risk management and insurance coverage-related advice to commercial clients, including in the context of IT agreements. They can be reached at [email protected] and [email protected], respectively.