The New Frontier
Information technology companies may explore the new frontier everyday, but do they know where their exposures lie? Will they be ready for the next big liability risk close encounter?
“Owners and or creators of IT companies are inherently creative and positive thinkers,” said Drew Bartkiewicz, assistant vice president of Conn.-based Darwin Professional Underwriters Inc., speaking on a panel at a Professional Liability Underwriting Society (PLUS) conference in Chicago. “As a group these business owners are looking for brokers to unlock the mysteries of what types of protection they should purchase. They are often surprised to learn where their exposures lie.”
Four main areas where technology businesses are often exposed for liability risks include intellectual property coverage and related issues such as copyright and trademarks; invasion of privacy and private information issues; loss of or damage to data, including security breach, laptop thefts, first and third party; and, breach of contract or professional negligence.
Internet based companies can be exposed to the same types of liability risks as most businesses face including exposures for such federal protections as the American Disabilities Act; invasion of privacy for defamation; and, also under Health Information Portability and Accountability Act (HIPAA) for wrongful release of medical information.
“There are both statutory and regulatory factors companies must be aware of in the area of coverage for intellectual property,” said moderator David Weller, vice president, AmWINS Inc. of California.
A recent example involved a major retailer that was sued under the American Disabilities Act for not making the company’s Web site “user friendly” to visually impaired persons.
“That retailer needed to know that regulations exist that will dictate what changes need to be made to the Web site to comply with law,” Barkiewicz said.
Internet chat rooms have also been cited as emerging exposures under federal “invasion of privacy” laws — in spite of protections under state laws.
Another example: private information released without the proper screening or authority could open up specific liability exposures under HIPAA protections.
“The job of the broker is to explain all of these exposures carefully to his client so he or she understands the need for protection in a policy or, if in fact, the coverage does exist under the policy being sold,” Bartkiewicz said.
Hidden exposures
Not all technology errors and omissions policies are created equal, the panelists said.
The PLUS panelists where given the following hypothetical hidden exposure example
“MacroHard Corp. has a claim that copyrighted source code has been wrongfully used within a new program and the company spends thousands of dollars defending the claim. Which coverage would have responded best had the claim been timely submitted to the carrier?”
A) The advertising injury coverage of a CGL policy; B) A products liability policy; or C) technology E&O policy.
The correct answer was coverage under the technology E&O policy, but the panel cautioned that not all tech policies cover software copyright, though many do. The panelists urged that brokers need to educate their policyholders and be sure that copyright is covered in a technology policy. Even if the policy has E&O coverage, additional factors are important, according to the panelists.
“Filing an E&O claim late may affect whether it is actually covered,” said Gretchen Sayers, claims manager for Specialty Global Insurance Services of Kansas.
Sayers added that there is a risk not just with the company that created the software but also with a company that purchases the software and then decides to modify it. Does the purchaser have the right to modify? she asked. Brokers need to educate their clients in all areas and explain in detail what exclusions or endorsements are available, Sayers advised.
Breach of contract exclusion
One commonly seen, and sometimes misunderstood, exclusion in technology E&O policies is a breach of contract exclusion. The panelists were asked how they would explain the “breach of contract” exclusion in E&O policies to a prospective client?
The answer: It isn’t intended to exclude negligence claims or claims of failure to meet industry standards.
“The E&O exclusion on breach of contract seems to fall within the adage of whether it is the chicken or egg that came first,” said Sayers. “E&O insurers intend to cover negligent performances of services that are performed that are pursuant to the terms of a contract, but important to note is that they don’t cover the negotiating power or skill on a given contract the IT company has made with its client.”
An example another panelist offered is the scenario where a contract is signed agreeing that the technology company will complete a project for a client in four months, but the project is not completed for six months.
“The tech company executive will often believe that he has insurance to cover this departure from the contract, when in fact he does not have coverage,” Darwin’s Bartkiewicz said. “We certainly would recommend that you don’t encourage overly aggressive sales promises. The fact is that errors in performance, judgment and design are covered. There is no coverage for errors in sales terms, staffing and commitments.”
Time tables and staffing on a project seem to be the most misunderstood in terms of coverage by IT companies, the panel agreed. The contract process is a business decision — the insurer has no affect on in its terms of performance and the quality of the performance under a contract.
“The policies we are discussing are professional liability policies, not surety that would address business decisions,” Bartkiewicz said.
IT service providers that often allow their clients to dictate terms of the contracts are not practicing good risk management, panelists said, but nonetheless coverage is not likely affected.
“The coverage doesn’t ebb and flow with the contract between the IT company and its client; the coverage is what it is,” Sayers said. “The contract does not affect the policy; the coverage is what it is, unless you add other endorsements.”
Even so, some clients will argue that they don’t need Tech/Internet E&O coverage since they are careful in drafting and negotiating their client contracts. The panel said that brokers should tell clients that they can be held to a standard of reasonableness and their clients can sue them outside of the contract for negligence. Also companies can be sued by a third party not bound by the terms of the contract. Plus, relying on contract language can be tricky since most lawyers get around contracts terms.
Panelists also cautioned that even a baseless lawsuit costs money to defend.
“Remind your clients that even a frivolous lawsuits costs money to defend,” Weller said.
Invasion of privacy
Is it legal for Web site owners to collect site users’ information? It depends on the site’s “terms of use” and on relevant statutes, the panel concurred.
“Broadening awareness of the risk of collecting other people’s data is becoming a number one concern across the country,” one panelist commented.
Internet and Web sites have become a portal to access personal information about individuals as well as groups and often this information is used for marketing purposes but concerns are escalating. Lap tops stolen, Web sites invaded and destroyed by hackers, and identity theft are risks when private information is collected or provided on the Internet and on Web sites.
Is the collection of data covered under the law? In some cases yes, but the law is still evolving in this area, the panel said
“Your clients should know that they run the risk of having exposures beyond what is expected?” Bartkiewicz commented.
Should policies cover rogue employees that steal laptops with personal financial information? Some brokers say yes, others not so sure. Any organization aggregating data for business purposes where its employees have access to this private information present major risks in an underwriting world, the panel said.
“Just to notify people that you have had an incident where personal information has been taken could run as high $2 million for the company and that isn’t even covered under the liability portion of the policy,” Bartkiewicz said.
“As underwriters we will have to be very judicious in making difficult decisions in a world where technology has the ability to create a lot turbulence,” one panelist said.
Making the case
“Let’s be honest, ‘scare tactics’ can play a role in selling technology coverage to IT businesses,” said Weller, who cited that the average cost of litigating a copyright infringement case according to statistics in 2003 is $750,000.
The panel agreed that big dollar numbers in defense costs is a fact that gets attention.
“The role of the broker is to bring home the reality of these hefty risks and how it can impact a company in 2007,” Bartkiewicz said. “As I have said before, technology company owners are an optimistic group, innovators and creators. However, real dangers need to be presented. A hit of $750,000 — which is only the defense costs, not the liability expenses — could negatively impact a smaller or medium-sized company beyond repair.”
Mark Hutchins, vice president of Euclid Managers of Missouri, said a more recent study he reviewed validates the concerns.
“In 2005 this study said that the three most costly legal defenses were for intellectual property, personal injury and regulatory matters. Those three areas account for 29 percent of the legal budgets for responding technology and communications companies and that percentage correlates to approximately $25 million — not a small amount of change,” Hutchins said.
Looking at the situation from another perspective, the panelists said that for 2005 the most litigated cases fall in this order: copyright, trademark, patent and then trade secrets.
Updated figures presented by the moderator said that litigation costs had increased in 2005 and that now for copyright the average defense cost is $975,000, trademark has jumped $1 million, while litigation for patent defense is now $3 million.
“Trade secrets’ legal defense costs have remained steady at about $1 million,” Weller said. “Keep in mind that these figures are only the cost of defense, not indemnity figures.”