Product Fundamentals: Information Technology Liability (“ITL”) Insurance
Reliance on technology is increasing. So too are the obligations and potential liabilities of those providing technology services and products. The climate that the global COVID-19 pandemic created further fuelled this dependence, and with it, the need for technology companies to be at the forefront of product and service delivery. The Commonwealth Government’s response to COVID-19, particularly its $1.2 billion budget commitment to the Digital Economy strategy, will undoubtedly continue to create growth in this sector in the long term.
Who needs ITL Insurance?
Companies that provide technology services or products are exposed to the risk of legal actions. Such actions may allege errors and omissions in code, intellectual property infringement, breach of confidentiality, IT product failure and other technology related injury.
Those who procure this insurance can include anyone from start-up application developers to multinational hardware and software developers, all IT consultants, systems integrators, those who store or warehouse data, telecommunications and online media.
What is IT liability?
An ITL policy generally comprises two policy sections, being professional indemnity (“PI”) and general liability comprising public and products liability (“GL”).
PI covers the policyholder’s legal liability arising from acts, errors and omissions in the course of designing, specifying and developing software and hardware components. As regards traditional coverage provided by a PI policy, see our article here.
GL covers the policyholder’s liability for damages arising from personal injury or property damage alleged to be caused by the failure of its sold, distributed or supplied IT products, or for its legal liability for personal injury or property damage arising from the services it performs. As regards traditional coverage provided by a GL policy, see our article here.
In recent times coverage under ITL policies also incorporates cyber insurance. As regards traditional coverage provided by a cyber policy, see our article here. This additional coverage section is now commonly being included to cover liability arising from intellectual property infringement by way of a data breach. This in itself is being driven by contractual requirements (to complement indemnities that are now commonly being given by IT providers in IT service agreements).
By their very essence, IT products and services are interrelated. That means, in the event of a claim, there may be ambiguity as to whether the loss results from a ‘product’ or a ‘service’ failure. It is important to ensure cover is held with the same insurer across PI, GL and Cyber to avoid disputes between insurers. If the policies are placed with different insurers, a claim may potentially fall between the two policies.
Nature of contract
The PI and cyber sections of an ITL policy are “claims made”. Allegations must first be made against the policyholder, and notified to insurers, during the period of insurance.
The GL section is occurrence based and covers losses first happening during the currency of a policy period.
Key features that are provided by the policy:
ITL covers the policyholder for legal costs and expenses incurred in the course of defending actions alleging they have failed in providing their products or services. In the event that the policyholder has legal liability as alleged, the policy will pay any damages including claimant’s costs and expenses.
The policy extends to cover claims brought by third parties alleging:
- Breach of the Australian Consumer Law
- Breach of contract: please do note however the coverage is ordinarily limited to liabilities implied at common law – regard should be had to our article: Onerous contractual terms impacting coverage for IT providers
- Breach of confidentiality
- Unintentional breach of third parties’ intellectual property rights
- Unintentional libel, slander or defamation
- Compensatory penalties, insurable at law, where actions are brought by regulators
- Network intrusion.
Who is covered by the policy?
The policy indemnifies the policyholder (being the entity named as the insured), its principals, partners, directors, and employees.
In the ordinary course, the policy will only cover the policyholder for its liability for claims that arise from any contractor or consultant (third party) it is responsible for or engages. Cover will not automatically extend to indemnify the third party. Insurers may extend the benefit of the cover to such third party, but policyholders must be aware that risk exists in doing so. Our recommendation is, wherever possible, that third parties hold their own IT Liability insurance.
Policy limit and excess
Each section of the policy has its own limit of indemnity. Generally the policy limit held under each section is dictated by contractual obligations. Otherwise the amount of cover will be informed by the risk your business is exposed to.
The PI policy limit is ordinarily for all claims and covered loss in respect of same that are notified during the policy period. The policy limit may be inclusive of legal costs that are incurred in the defence of a covered claim. Where the limit is stated as such, it means that the policy limit will be eroded by those legal costs and expenses. Where the policy limit is stated as “cost exclusive” it means that the insurer will pay in addition to the policy limit defence costs and expenses.
As regards GL, the public liability policy limit applies for any one claim. The products liability limit is aggregated for all claims happening during the period. As regards cyber, there will be varying excess structures for each coverage section. Generally, the liability section will be higher than the first party loss coverage, say for mitigation costs. Where there is agreed coverage for direct financial loss of money as a result of a cyber breach, we have seen significant excess structures applied: at a minimum these are $25,000 under some policies. For business interruption claims, a time deductible is applied, which can be the amount of the first 24 hours of lost profits, deducted from the total quantum of the claim for the entire loss of profit resulting from the breach.
It is common for the IT section to have a substantial excess compared to the Public and Products Liability section. This is due to the fact that the Professional Indemnity holds the increased exposures, in particular around financial loss claims which can be quite significant.
Common exclusions
- Known facts, circumstances and prior
- Intentional acts
- Contractually assumed liability
- Bodily injury and property damage
- Sale and/or supply of your IT products; it is intended that this is covered under the GL section
- Liquidated damages or criminal fines and damages.
- Injury to you or your employees (Workers Compensation)
- Property damage to your own property (generally covered under accidental damage under a material damage policy)
- Illegal or deliberate behaviour
- Faulty workmanship (though resultant damage caused by that faulty workmanship should be covered)
- Breach of professional duty - this is covered under the PI section
- Assumed liability arising solely under an express contractual term
- Libel and slander (deliberate)
- Damage to registered vehicles whilst on the road.
- Known breaches of the system or intrusions that occurred prior to policy inception, or the retroactive date.
- Claims arising from the provision of products or services – the policy is in the ordinary course intended to respond to breaches of your network, not for errors in the provision of services or products: this cover is provided under the PI and GL sections.
- Contractually assumed liabilities
- Unencrypted portable devices
- Acts of war, terrorism, invasion, and/or insurrection
- Failure to maintain minimum security standards
- Payment card industry (PCI) fines and penalties, or other uninsurable fines and penalties
- Claims arising out of “bodily injury” and “property damage”.
Claims examples
Company A (an IT Consultant), during the course of contracted hosting services to a client (Company B), inadvertently deleted the contents of its client’s server prior to backing up, which subsequently resulted in the loss of Company B’s data. As a result, Company B sought reimbursement against Company A for losses sustained and in having the lost data re-keyed. Indemnity was granted under Company A’s Policy in the amount of $30,000.
Company A (a provider of IT Sales and Installation Services) was retained by a client (Company B) to implement and develop IT infrastructure and to support and undertake data migration from one network provider to another. During the course of the migration process, a disk drive was inadvertently deleted and Company B lost all of its data. Company B sought compensation from Company A in excess of $500,000 for lost data and rectification costs. Company A’s Policy was triggered and Insurers appointed panel Solicitors to assist in the defence and resolution of the claim in the amount of circa $350,000.
A software development company developed an electronic health records system for a medical centre. The software had a security ‘hole’ in it which was subsequently exploited by a hacker. Thousands of patient records were compromised and many of the affected consumers have now sought restitution.
Company A (an Internet Service Provider) was sued for breach of privacy by a number of subscribers after details of their internet searches were made publicly available online. Although the details were subsequently taken down, copies of this information were already in circulation, which included personal information such as the subscribers’ names, credit card information and medical conditions. Company A’s Policy responded and indemnity was granted in respect of defence costs and damages.
The Insured (Company A) provided Search Engine Optimisation (SEO) services to a laser eye surgery client (Company B). Proceedings were issued against both the Insured and its client by a competing laser eye surgeon (Company C) for breaches of intellectual property. It was alleged by Company C that Company B had been using a particular procedure name in their SEO services which was trademarked by Company C. Company A’s Policy responded and indemnity was granted in respect of defence costs and settlement.
Company A (a Distributor of Database Management Software) was sued by a software developer (Company B) who claimed that the distributor hired a number of its former employees who stole its source code and used it to develop a competing product. Company B sued Company A for breach of copyright and breach of confidentiality and sought damages in excess of $2,000,000 plus an injunction to prevent future sales.
The Insured (Company A) was retained by a client (Company B) to install security and network systems. During the course of installing security cameras onsite, the Insured’s ladder fell and caused damage to a Third Party’s vehicle located in Company B’s car park. Company A’s Insurers extended indemnity under the policy and the Third Party’s claim was ultimately resolved in the amount of circa $15,000.
Our services
At Bellrock our role is to advise you on what insurances you will require at law, under contract and what a business of your nature, size and maturity will ordinarily hold. We act as your agents, and seek from the insurance market, the most adequate, appropriate and cost effective insurance for you, our clients. For more information about Bellrock’s role and important notices about retaining us, please refer to our articles: The role of Bellrock and Important Notices
Bellrock cannot act unless we are exclusively retained to represent you in the insurance market. Being represented by more than one intermediary may be disadvantageous to your prospects of obtaining the best possible deal. See our article on the benefit of engaging one broker, here.
For more information on how an IT Liability policy can provide cover for your business, please contact us via the form below.