
The squeeze on E&O Insurance for technology companies

Most companies that sell technology-based products or services purchase Errors and Omissions (E&O) Insurance to indemnify them against liability arising from the failure of their products or services. When the vendor's products or services require access to the clients' confidential information, and especially personally identifiable information (PII) or protected health information (PHI), the nature and extent of the vendor's obligations become more complicated.

The combination of traditional E&O exposures with rapidly evolving privacy/data security exposures has created new insurance coverage and claims-handling uncertainties. As a result, technology companies that handle, store or transmit their clients’ or customers’ sensitive data are increasingly getting squeezed when they buy E&O insurance policies.

On one side, the vendors are being subjected to increasingly stringent confidentiality and data security obligations by their clients and customers — who often contractually require their vendors to buy E&O insurance that covers these exposures. The clients/customers often require not only that the vendors buy prescribed amounts of coverage; they also stipulate, with increasing specificity, the privacy/data security coverage terms that the vendors and service providers are required to secure.

On the other side, the buyers of E&O insurance that work with or have access to their customers’ confidential data are finding that insurers have varied and inconsistent notions about how data security breaches are covered under E&O policies. As a result, these companies risk finding themselves on the “fault line” between E&O and privacy insurance, with significant legal exposures that may not be covered by their insurance.

When a customer or client provides PII or PHI to a vendor in connection with the performance of services, both parties are required to protect the confidentiality and security of that information. In one well-known example, the HITECH Act directly obligates “Business Associates” who have access to PHI of a Covered Entity (health plans, health care clearinghouses, and certain health care providers) to comply with HIPAA’s Privacy and Security Rules. If there is a breach, however, the direct responsibilities of the vendor and of the customer under applicable law will almost certainly be different. Generally the vendor must notify only its customer about the breach; the customer, as the owner of the breached information, must notify the affected individuals.

Buyers of E&O insurance of course want their insurance protections to match their data security obligations and liabilities. Many may be in for unpleasant surprises. We have had several extensive conversations with many top E&O insurers, focusing on realistic and foreseeable scenarios, about how they would handle privacy/data security breaches under their policies — and have received surprisingly varied answers.

The potential discrepancy between exposure and coverage is often exacerbated by the nature and extent of contractual obligations being imposed by clients and customers. There may be, for example, differences in definitions, breaches that are subject to contractual indemnification but not covered by insurance, and an allocation of responsibilities between vendor and customer that is misaligned with the vendor’s insurance coverage. By way of example, a contract provision we have seen in more than one instance may transform a garden-variety third-party E&O claim into a first-party claim that is subject to stringent sublimits.

Trying to synchronize the E&O insurance buyer’s exposures and insurance protections is a complex task that requires considerable coordination across various corporate departments and with the company’s lawyers and insurance brokers — and then extensive clear-eyed negotiations with insurers. The failure to coordinate effectively can result in significant legal exposures that are not covered by E&O insurance.

About the Author

John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.

617.646.0336 JDoernberg@wgains.com


  1. January 14, 2012 at 10:54 am

    Excellent read! Everything in this post is spot on. As a tech underwriter for a top 10 carrier, I concur that the E&O climate is one that is getting increasingly heated and complex for tech companies.

    To reduce risk in this day and age, there are a couple of pieces of advice I would offer to tech companies: 1) get a good agent, one who is tech-savvy and used to coordinating complex E&O coverages; 2) invest the time and resources to fully understand any and all contractual obligations your company ever was, is, or will be subject to.

    It is important for technology companies to realize that the nature of the industry they work in, combined with an ever-changing Internet, makes it very tough to ever truly be underinsured.

    Great read!

  2. January 17, 2012 at 11:56 am

    Well said, John.
    We had quite the thread going on this topic over in the LinkedIn Cyber Privacy Security interest group.
    The consensus was that there is no consensus- so you are right on point in bringing it up.
    Here’s the link to the discussion: http://www.linkedin.com/groupItem?view=&gid=1842984&type=member&item=81031264&qid=6463c2e1-ac7d-4115-ba1f-d39c8c718a77&trk=group_most_popular-0-b-ttl&goback=%2Egmp_1842984
