Commercial General Liability (CGL) insurance used to be sufficient to protect a business from most major potential claims and lawsuits. Today, with the prevalent use of technology and electronic information, that is no longer the case.
In this post, I analyze a court decision concerning a physical loss of IBM’s electronic data to demonstrate why you cannot solely rely on CGL insurance, and why more companies are starting to consider additional types of insurance for comprehensive protection. But, first, let me define CGL and data loss.
What is Commercial General Liability insurance?
CGL insurance is designed to defend you from potential tangible property damage, bodily injury and/or personal injury claims and lawsuits filed by a third party.
What is electronic data loss?
Broadly defined, it includes but is not limited to the hacking, damage, physical loss or theft of electronic information important to your business. While there is much focus on loss caused by data breach, Verizon’s 2015 Data Breach Report identified that physical loss of data is also a significant issue – 55% occurs at work, while another 22% is caused by thefts of physical devices from an employee’s vehicle.
Physical loss of electronic data can happen to any company managing organizational or client information. Losing internal company data (a.k.a. first party data) could be very costly. However, the liability and expenses are even higher if a business loses any confidential client data (a.k.a. third party data), including Personally Identifiable Information (PII) or Protected Health Information (PHI). This type of loss exposes the business to a myriad of fines and regulatory charges. For instance, Net Diligence’s 2014 Cyber Claims Study found that the average cyber claim payout for a mid-size company was $733,109, and $2.9 million for a large company. The study also noted that 47% of all cyber losses occur in small to mid-size businesses.
With the increasing application of technology in most business processes over the past decade, companies now face new types of exposures, such as loss of electronic data, which is considered financial damage rather than tangible property damage and is therefore not covered by CGL insurance.
Nevertheless, in the past, many businesses with a crafty counsel managed to interpret the CGL by finding a small loophole to secure coverage for data losses they caused to third parties. Hence, on May 1, 2014, the Insurance Services Office (ISO) eliminated coverage for the “access or disclosure of confidential or personal information” by closing this loophole that allowed data loss cases to find coverage under CGL. ISO reasoned that the CGL was not intended to cover these types of exposures when it was first introduced, and standalone policies, such as Cyber insurance, are now available to mitigate these losses.
Many business owners, nevertheless, still incorrectly assume that CGL covers financial damages resulting from electronic data loss. They also often mistakenly believe that a general liability policy will protect them from their failure or negligence in performing their professional or specialized services, such as technology or business consulting.
Court decision regarding IBM’s electronic data loss
In my analysis of IBM’s court case below, I discuss why a business needs additional types of coverage beyond CGL to protect against electronic data loss.
In 2007, IBM contracted Recall Total Information Management (RTIM) to have employee Personally Identifiable Information (PII), considered business data that was physically stored on computer tapes, moved from one location to another. RTIM subcontracted the transportation portion of the job to Executive Logistics (EL).
RTIM was responsible to IBM for the successful completion of the contract, while EL owed responsibility to RTIM for the transportation portion of the project.
The tapes with their electronic data were lost during transit. IBM incurred significant costs ($6.2 million) to notify their employees, arrange for credit monitoring, and staff call centers to answer questions. IBM sued RTIM for damages, which in turn held EL responsible for losing the information during transit.
Both contractors had general liability policies; however, when EL submitted the claim to their general liability insurance carriers, it was subsequently denied. As a result, the contractors negotiated $6.4 million to compensate IBM, and sued their general liability insurance carriers to recover their costs. In the end, the contractors lost on appeal as their CGL policies did not insure cyber or professional liability.
There are several key take-aways in this case that I think are important to discuss:
- The court determined that, apart from the nominal property damage caused by the physical loss of the tapes, the loss of electronic data isn’t considered property but financial damage and therefore, it is not covered by the standard CGL policy.
- So, what types of insurance would have been necessary for the contractors to be protected? RTIM and EL would have benefited from having both Cyber and Professional Liability (PL)/Errors and Omissions (E&O) coverages, which neither contractor appeared to carry.
What do these policies cover? Cyber insurance, among others, protects a business against liability arising from loss or destruction of electronic data. PL/E&O insurance, on the other hand, protects professionals and businesses providing advice and/or service against a negligence claim that alleges financial loss or error and omission by the business.
- The contractors likely did not have PL/E&O policies, because at the time of the incident in 2007, many businesses still incorrectly assumed their CGL would cover all of their business operations including providing electronic data-related services.
Also, technology-related exposure was not viewed as a rampant threat; therefore, very few business-to-business contracts included requirements for Cyber insurance coverage. Today, this is changing given the recent ISO decision and technology becoming prevalent in all business activities.
- I am surprised to see how many times the insurance carried by a business does not meet the terms of a contract they executed. Not considering carefully the insurance necessary prior to signing a contract could eventually lead to not having enough or any coverage. However, it is important to note that the service provider’s liability is defined not only by the insurance requirements but also by the entirety of the contract.
Given the court’s decision, I assume that the contractors entered into an agreement with IBM without evaluating the terms of the contract and obtaining necessary coverage in advance.
- Sub-contracting a portion of a job does not relieve the prime contractor of his ultimate responsibility. Similarly to RTIM holding EL liable, in my experience, a number of businesses still sadly believe that they can transfer their contractual liabilities along with a portion of a project to their sub-contractor. Unfortunately, as this case indicates, both parties can still be held legally responsible.
It took 8 years for the court to issue its verdict, which is not an unusually long time frame. Most cyber, professional and general liability cases are extremely time consuming and costly. It is, therefore, critical for any service provider to buy proper insurance today that can protect them for years ahead.
This case clearly demonstrates the importance of having Cyber and PL/E&O insurance in addition to CGL as the use of technology increases. If you have any questions regarding cyber or other liability coverages, contact me at jnapp@psafinancial.com.