Many E&O Policies Fall Short of Meeting Industry Needs

The professional liability exposure of many industries has changed significantly in the past decade or so, and it’s about time the insurance industry catches up.

Many, probably most, companies now have at least some internet/technology risk in association with their business; for some companies it is a substantial exposure. Even companies that aren’t transacting business online, and collecting names and credit card numbers of customers that may be subject to a data breach, can have multiple exposures posed by the internet and their use of technology in the course of providing business services to others.

But many E&O policies, even newer ones, fall down in one or more respects in addressing those risks. Policies that are class-specific are sometimes drafted to address some of the exposures, but the buyer that may be most at risk of not picking up some of these key coverages is the one purchasing a miscellaneous professional liability (MPL) form. Because the form is used to underwrite many different types of businesses, it typically is not tailored and may not offer key coverages, unless they are specifically requested and negotiated.

What are the risks, and where do policies (at least base forms) sometimes come up short?

Risks that may be insured today include liability arising in the areas of:

(1) Internet and network security-related exposures, including failure to prevent introduction of malicious code, unauthorized access and denial of service attacks.

(2) Intellectual property.

(3) Personal injury, including defamation, invasion of privacy and other torts.

(4) Other negligence-based errors and omissions claims not falling into one of the other three categories.

How do MPL base forms sometimes come up short?

· The form may not specifically say it covers the insured’s activities on its website, and it may not cover certain security-related computer exposures such as unauthorized access or use of computer systems, introduction of malicious code into systems or failure to prevent identity theft or credit/debit card fraud.

· The policy may not cover personal injury torts like defamation or invasion of privacy. When offered, the coverages may be narrowly described.

· The form may not offer coverage for infringement of copyright or for trademark violations.

All of those coverages are likely relevant for a company utilizing computer systems and the internet in its business, particularly if it has a website or transacts business online. Even a non-transactional website, called a presence-only site, can present risk because the site owner has made itself a publisher with world-wide reach. Exposures can come from many areas, including selection of the site’s URL (its name on the web), use of meta data in the site, its linking policies, its privacy policy terms, the source of text, graphics and design used on the site, and the security methods used to maintain the site’s availability and integrity.

Even the best policy will not cover every risk an insured has. Policies have limitations in their insuring agreements and they carry exclusions. But with the infusion of the internet and technology into modern business life, insureds need to consider a product that includes the kinds of coverages that are now available under some forms.