The squeeze on E&O Insurance for technology companies
Most companies that sell technology-based products or services purchase Errors and Omissions (E&O) Insurance to indemnify them against liability caused by the failure of their products or services. When the vendor’s products or services require access to the clients’ confidential information – and especially personally identifiable information (PII) or protected health information (PHI) – the nature and extent of the vendor’s obligations can get more complicated.
The combination of traditional E&O exposures with rapidly evolving privacy/data security exposures has created new insurance coverage and claims-handling uncertainties. As a result, technology companies that handle, store or transmit their clients’ or customers’ sensitive data are increasingly getting squeezed when they buy E&O insurance policies.
On one side, the vendors are being subjected to increasingly stringent confidentiality and data security obligations by their clients and customers — who often contractually require their vendors to buy E&O insurance that covers these exposures. The clients/customers often require not only that the vendors buy prescribed amounts of coverage; they also stipulate, with increasing specificity, the privacy/data security coverage terms that the vendors and service providers are required to secure.
On the other side, the buyers of E&O insurance that work with or have access to their customers’ confidential data are finding that insurers have varied and inconsistent notions about how data security breaches are covered under E&O policies. As a result, these companies risk finding themselves on the “fault line” between E&O and privacy insurance, with significant legal exposures that may not be covered by their insurance.
When a customer or client provides PII or PHI to a vendor in connection with the performance of services, both parties are required to protect the confidentiality and security of that information. In one well-known example, the HITECH Act directly obligates “Business Associates” who have access to PHI of a Covered Entity (health plans, health care clearinghouses, and certain health care providers) to comply with HIPAA’s Privacy and Security Rules. If there is a breach, however, the direct responsibilities of the vendor and of the customer under applicable law will almost certainly be different. Generally, the vendor must notify only its customer about the breach; the customer, as the owner of the breached information, must notify the affected individuals.
Buyers of E&O insurance of course want their insurance protections to match their data security obligations and liabilities. Many may be in for unpleasant surprises. We have had several extensive conversations with many top E&O insurers, focusing on realistic and foreseeable scenarios, about how they would handle privacy/data security breaches under their policies — and have received surprisingly varied answers.
The potential discrepancy between exposure and coverage is often exacerbated by the nature and extent of contractual obligations being imposed by clients and customers. There may be, for example, differences in definitions, breaches that are subject to contractual indemnification but not covered by insurance, and an allocation of responsibilities between vendor and customer that is misaligned with the vendor’s insurance coverage. By way of example, a contract provision we have seen in more than one instance may transform a garden-variety third-party E&O claim into a first-party claim that is subject to stringent sublimits.
Trying to synchronize the E&O insurance buyer’s exposures and insurance protections is a complex task that requires considerable coordination across various corporate departments and with the company’s lawyers and insurance brokers — and then extensive clear-eyed negotiations with insurers. The failure to coordinate effectively can result in significant legal exposures that are not covered by E&O insurance.
About the Author
John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.