As the role technology plays in our personal and business lives evolves, so, too, does the liability risk to those individuals and companies that create, design, implement, and service the technology that we rely so heavily on. Insurers that underwrite the technology risk and the claims professionals who mitigate losses arising therefrom should work together to keep close track of numerous issues with technology-related errors and omissions (E&O). This article is meant to provide a framework for insurers to do so.
The liability risks for technology professionals differ from the risks for other professional services for numerous reasons. As an initial matter, technology products and services encompass an unusually wide array of activities. Technology policyholders can include software developers, engineers, managed services providers, data hosting platforms, SaaS products, telecommunication providers, security service providers, and many other products and services involving digital information.
One unique risk to technology professionals is the tremendous downstream risk associated with an insured’s third-party clients. IT firms service big businesses and small- and mid-size enterprises (SMEs) alike. Private IT contractors service local and state governments, universities, and non-profits. Depending on the engagement, IT firms are responsible for ensuring that their clients’ networks and data are available, secure, and usable: they administer networks, configure systems, and implement programs. When a failure affects the IT firm’s clients rather than the firm itself, the risk becomes extraordinary and difficult to predict.
Additionally, when an IT firm is responsible for a client’s network, there is often persistent electronic connectivity between the IT firm and its client, such as remote-administration access, VPN links, or privileged accounts the firm holds on the client’s systems. That connection links the security of the IT firm to the security of the client: a compromise of the firm can become a compromise of every client it can reach, which profoundly affects the contingent risk to third-party clients. In many cases, the client has no idea how interconnected its fate is with the security of its IT services providers.
IT firms could potentially service clients in any business sector, and the client’s business sector is critical to understanding the potential risk at issue in any given cyber claim. The type of client an IT firm has will often dictate the risk related to data privacy. A patient’s protected health information (PHI) is far riskier than the scheduling calendar at the local barber shop. Some business verticals, like health care and finance, operate under complex regulatory frameworks governing data privacy. The average retail merchant faces a much lighter regulatory burden (though a merchant that processes payment cards still carries contractual PCI DSS obligations). Knowing who your IT firm’s clients are is crucial for appropriate underwriting and claim handling.
Like other professional services, IT consultants owe a duty of care to use such skill, prudence, and diligence as other members of the same field would under similar circumstances. However, courts have generally held that IT professionals are not licensed professionals like doctors, architects, lawyers, and insurance producers. As a result, there is no formal professional (malpractice) standard of care for IT work and typically no affidavit-of-merit requirement.
Instead, IT-related standards of care are found in the service contract’s scope of work and established by industry standards and customs. In civil liability cases against IT firms, claimants must often support their allegations with expert testimony.
Service Contracts and Scopes of Work
In order to fully evaluate risks, insurers must understand how their technology-firm insureds approach contracts, because the standard of care for IT professionals is most often found directly in the contract documents between insureds and their clients. There are some best practices insurers can look for.
For instance, many technology services providers’ engagements are documented in both an overarching (master) services agreement and one or more separate statement of work (SOW) documents. The SOW describes in direct language the services expected to be performed and an estimate of how much they will cost. It is advisable for technology policyholders to include in the SOW an express list of the services to be performed and, additionally, the specific (riskier) services that are excluded from the scope. For example, due to the inherently increased risk profile, many IT contractors that do not work in security will expressly exclude IT security services from their SOWs. Such an exclusion only holds up, however, if the firm does not then perform those services informally: a contractor that quietly manages the client’s firewall and antivirus will struggle to rely on an SOW that says security was out of scope.
IT practitioners should consider other commercial contracting best practices as well. Limitation-of-liability clauses and other risk-transfer clauses should be included. Limitation-of-liability clauses typically cap the damages one party will be responsible for in the case of its breach of the obligations set forth in the agreement. Because there is uncertainty and inherent risk in all technology-related contracts, limitation-of-liability clauses are commonplace and are often tied to the amount paid to the service provider or to some liquidated amount. Practitioners should be aware that courts may decline to enforce such caps against gross negligence or willful misconduct, so the cap is a ceiling on ordinary contractual exposure, not a complete shield.
Though courts do not often hold IT consultants to the “professional” standard of care, the allegations against IT professionals are usually highly technical and fact-specific. Expert testimony will therefore still be required to prove or defend against the claim, and the court and jury will still wrestle with esoteric concepts.
Ordinarily, expert testimony must be presented in cases involving technical matters outside the scope of the average juror’s knowledge and experience. In these kinds of cases, expert testimony goes beyond merely “helpful”: it is considered necessary for a jury to properly evaluate the allegations.
In addition to their education and field experience, technology experts will often look to accepted industry standards to support opinions about deviations from the standard of care. For example, both the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish widely cited standards for information technology products and services, such as NIST SP 800-53 and the NIST Cybersecurity Framework, and ISO/IEC 27001 and 27002. An expert will typically map the alleged failure (an unpatched system, a missing backup, an unmonitored account) to the specific control in such a framework that addresses it. Two caveats apply: these frameworks are voluntary unless a contract or regulation incorporates them, and conformance with a framework is evidence of reasonable care rather than a safe harbor.
Theories of Liability
Claims against IT policyholders are most often couched in terms of negligence, breach of contract, or both. However, claimants also often allege fraud (usually in the inducement of the agreement itself), detrimental reliance, misrepresentation, and other common law tort claims.
The actual allegations set forth in the breach of contract or negligence counts vary as widely as the products and services IT firms can provide. However, we most often see claimants allege some kind of deficient performance of services on the part of the product or services provider. In many cases, the defendant IT firm was performing a project for a client (e.g., an implementation of a new IT product) and the client is dissatisfied with the process or the result. IT implementations are particularly risky for the service provider because issues with scheduling, sequencing, and timely completion can easily become claims.
Breach-of-contract claims against IT policyholders can also include allegations of failure to deliver, failure to test, failure to notify, failure to perform, and failure to preserve, and they often seek economic damages like hard costs and consequential damages like project-delay costs and business interruption.
IT policyholders should therefore also be very careful to avoid “scope creep,” the gradual expansion of what a client expects the firm to be doing beyond the services the SOW actually covers. In matters involving IT security, the allegations often rest on a “failure to prevent” theory of liability against the IT policyholder, and this is where scope creep bites hardest: a client that assumed its IT provider was “handling security” will allege that the provider should have prevented an intrusion it was never engaged to prevent.
Defenses and Damages
Though most tech-related E&O claims are settled before litigation ensues, it is crucial for the insurer to also understand the defenses to liability available to the tech consultant. Contract-based defenses (e.g., limitation of liability) are discussed above. The technologist also has common law defenses available. For example, the IT policyholder can invoke concurrent causation, the tort doctrine under which two or more parties whose negligence combines to produce the same loss share liability for it. Its defensive value is apportionment: if the client’s own acts or omissions contributed to the loss, the IT firm does not bear that loss alone.
Additionally, the economic loss doctrine is available to the IT defendant. This is the common law doctrine that prevents a party who has suffered only economic damages from recovering under a tort theory of liability. The economic loss doctrine holds that contract law, not tort law, provides the appropriate avenue for recovery when there is no bodily injury or property damage. Its reach varies by jurisdiction, and fraud-in-the-inducement claims often survive it, which is one reason claimants plead them alongside negligence.
Damages in technology cases are another important issue for the insurer to analyze. To begin, one must look again to the generally sophisticated nature of the technology contract. There are often provisions in the contract addressing damages, and if such clauses exist, the insured and its client have already agreed in advance on how damages will be handled. For example, many IT firms will try to expressly waive and exclude the potential for “consequential” or “special” damages like lost profits or lost business opportunity (or any damages purportedly suffered because of the claimant’s unique circumstances).
Insurers must also analyze the aggregation risk posed by IT policyholders. If an IT firm itself suffers a first-party cyber incident, the shared connectivity described above means the event is likely to affect many of its clients at the same time: a compromised tool or credential that the firm uses across its client base reaches every client it touches. The resulting number of simultaneous claimants is a challenging area for the insurer.
Tech E&O Insurance
Technology E&O insurance covers third-party damages arising from a technology product’s failure to perform as intended or expected, as well as from acts, errors, or omissions committed during the performance of technology services. This insurance should afford coverage for programming errors and omissions, integration/installation project disputes, hardware and software integration failures, “scope creep” (where the client changes or expands the scope of work), and similar service failures.
Though technology itself always changes, the claims actually made against IT professionals are predictable. Insurers should stay current on new technology, but also conscious of traditional insurance principles. Insurers must take great care when working with technology policyholders and evaluating their risks. It is crucial for the insurer to work closely with reputable technology counsel and knowledgeable insurance brokers to identify the appropriate risk-management strategies to mitigate technology risk.