A version of this article originally appeared in Law360 on August 25, 2016.
Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.
Insurance as an Indemnity Backstop
Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty party, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.
Data Breach Protection — Cyberinsurance
Like all companies, technology companies face the risk of a data breach. Your company’s contracts should be clear about which party bears that risk, including the expense of complying with breach notification laws, which can be substantial. State laws differ regarding who is responsible for providing notices to consumers in the event of a data breach — the maintainer of the data or the company whose data was compromised. If your company bears that risk (and even if it doesn’t), you will want to obtain some form of cyberliability coverage. Each company to the transaction may also want to ensure that the other company maintains an adequate level of cyberinsurance, and if possible, provides coverage to the other party. Because cybercoverage comes in many forms, it likely will not be sufficient to have the other party simply confirm that it maintains a “cyber” policy. Instead, you will want to understand the coverage modules it maintains, including coverage for breach response and notification costs, as well as consumer data breach lawsuits.
Technology Errors & Omissions (E&O) Coverage
Technology service companies should consider obtaining tech E&O insurance, which provides specific coverage for alleged negligent acts in performing a wide range of technology services. Covered services include data hosting, data processing, computer systems analysis, network management services and software programming. This coverage also extends to claims arising out of services performed by independent contractors, and frequently cover liability assumed under an indemnification provision. Because claims of bodily injury or property damage may be a more remote possibility than claims of negligence against a technology service company, tech E&O coverage may be more valuable to the company than CGL coverage. Tech E&O policies — which are one form of cybercoverage — also include other useful coverage, such as multimedia liability and data breach notification cost coverage.
Adding Additional Insured Parties to a Policy
Service providers frequently are asked to name their clients or vendors as additional insured parties on their liability policies. Whether they can be added to a policy depends on the type of insurance at issue and the assumed risks. For example, some CGL policies include a blanket endorsement covering any company for whom the policyholder agrees by contract to provide insurance. Tech E&O and cyberinsurers can also provide additional insured endorsements. An insurer may balk at a request to add the counterparty as an additional insured, or require additional information to underwrite that potential additional risk. As noted above, a company can also seek an endorsement to identify specific contracts that will be covered.
Appropriate Type and Amount of Coverage
Determining the right amount of insurance coverage for your company, or the amount it wants from a counterparty, ultimately is a business decision that depends on your company’s risk profile and the potential risks posted by a particular transaction. Your broker may be able to provide advice on the general amounts of coverage purchased by similarly situated companies in your industry and the incremental additional premium charged for increased limits of liability. When considering whether the other company maintains sufficient insurance coverage for the given transaction or to backstop its indemnification obligations, you may want to ask for proof of insurance that includes E&O, cyber and CGL coverage. If its limits of insurance are less than your company feels comfortable with, you can consider addressing the risk through other provisions in the agreement.