
Analyzing and Handling Technology Errors & Omissions Risk

Previously published in CLM Magazine.

As the role technology plays in both our personal and business lives evolves, perhaps to the point of dependence, so too does the liability risk to the individuals and companies that create, design, implement, and service the technology we rely on so heavily. Insurers that underwrite technology risk and the claims professionals that mitigate the resulting losses should work together to keep close track of the numerous issues surrounding "tech E&O". This article is meant to provide a framework for insurers to do so.


Unique risks

The liability risks to technology professionals differ from those of other professional services for numerous reasons. As an initial matter, the technology products and services themselves encompass a very wide array of areas. Tech policyholders include software developers, engineers, managed services providers, data hosting platforms, SaaS products, telecom providers, security service providers, and many other products and services involving digital information.

One unique risk to technology professionals is the tremendous "downstream" risk associated with your insured's third-party clients. IT firms service big business as well as small and mid-size enterprises ("SME"). Private IT contractors service local and state governments, universities, and non-profits. IT firms are responsible for ensuring that their clients' networks and data are available, secure, and usable. IT firms administer networks, configure systems, and implement programs. When failures affect the IT firm's clients, the risk becomes extraordinary and difficult to predict.

Next, when an IT firm is responsible for a client's network, there is often electronic connectivity between the IT firm and its client. This digital connection often links the security of the IT firm to the security of the client, profoundly affecting the contingent risk to the third-party clients. In many cases, the client really has no idea how interconnected its fate may be with the security of its IT services providers.

IT firms could potentially service clients in any business sector. The business sector of the IT firm's client is critical to understanding the potential risk at issue in any given cyber claim. The type of client an IT firm has will often dictate the risk related to data privacy. A patient's protected health information ("PHI") is far riskier than the scheduling calendar at the local barber shop. Some business verticals, like healthcare and finance, have complex regulatory frameworks governing data privacy. The average retail merchant will not be subject to such strict compliance requirements. Knowing who your IT firm's clients are is crucial for appropriate underwriting and claim handling.


Standard of care

Like other professional services, IT consultants owe a duty of care to use such skill, prudence, and diligence as other members of the same profession under similar circumstances. However, courts have generally held that IT professionals are not licensed professionals like doctors, architects, lawyers, and insurance producers. There is no “professional standard of care” and typically no “affidavit of merit” requirement.

Instead, IT-related standards of care are found in the service contract’s scope of work and established by industry standards and customs. In civil liability cases against IT firms, claimants must often support their allegations with expert testimony.


Service contracts and scopes of work

To fully evaluate the risk, the insurer must understand the tech firm insured's approach to contracts, because the standard of care for an IT professional is most often found directly in the contract documents between the insured and its client.

There are some best practices insurers can look to. Many technology services providers' service agreements consist of both a prime services agreement and an independent statement of work ("SOW") document. The SOW describes in direct language the services expected to be performed and gives an estimate of how much they will cost. It is advisable for technology policyholders to include in the SOW an express list of the services to be performed and, additionally, the specific (riskier) services that are excluded from the scope of services. For example, due to the inherently increased risk profile, many IT contractors that do not work in security will expressly exclude IT security services from their SOWs.

IT practitioners should consider other commercial contracting best practices as well. Limitations of liability clauses and other risk transfer clauses should be included. Limitation of liability clauses in contracts typically provide a cap on the amount of damages that one party will be responsible for in the case of the other party’s breach of the obligations set forth in the agreement. Because there is uncertainty and inherent risk in all technology-related contracts, limitation of liability clauses are commonplace and are often tied to the amount paid to the services provider or some liquidated amount.


Industry standards

Though courts do not often hold IT consultants to the "professional" standard of care, the allegations against IT professionals are often highly technical and fact-specific in nature. Expert testimony will therefore still be required to prove or defend against the claim, and the court and jury will still wrestle with esoteric concepts.

Ordinarily, expert testimony must be presented in cases involving technical matters outside the scope of the average juror’s knowledge and expertise. In these kinds of cases, expert testimony is considered so critical that it goes beyond what is deemed merely “helpful” and is rather considered necessary for a jury to properly evaluate the allegations.

Aside from the experts’ presumed education and field experience, technology experts will often look to accepted industry standards to support opinions about deviations from the standards of care. For example, both the National Institute of Standards & Technology (“NIST”) and the International Organization for Standardization (“ISO”) publish standards for information technology products and services.


Theories of liability against technologists

Claims against IT policyholders are most often couched in terms of either or both negligence and breach of contract. However, claimants also often allege fraud (usually in the inducement of the agreement itself), detrimental reliance, misrepresentation, and other common law tort claims.

The actual allegations set forth in the breach of contract or negligence counts vary as widely as the products and services IT firms can provide. However, we most often see claimants allege some kind of deficient performance of services on the part of the product or services provider. In many cases, the defendant IT firm was performing a project for a client (e.g., an implementation of a new IT product) and the client is dissatisfied with the process or the result. IT implementations are particularly risky for the service provider, and issues with scheduling, sequencing, and timely completion can easily become claims.

Breach of contract claims against IT policyholders can also include allegations such as failure to deliver, failure to test, failure to notify, failure to perform, and failure to preserve. They often seek economic damages like hard costs as well as consequential damages like project delay costs and business interruption.

IT policyholders should therefore also be very careful to avoid "scope creep", where a client adopts incorrect expectations about which services fall within the scope of the engagement. In matters involving IT security, the allegations often involve a "failure to prevent" theory of liability against the IT policyholder.


Defenses available to technologists

Though the vast majority of tech E&O claims are settled before litigation ensues, it is crucial for the insurer to also understand the defenses to liability available to the tech consultant. We already included a healthy discussion above of contract-based defenses (e.g., limitation of liability). Common law defenses are available to the technologist as well. For example, the IT policyholder can argue concurrent causation, a common law tort doctrine that imposes joint liability on two or more parties if their negligence combines to produce the same loss.

Additionally, the economic loss doctrine is available to the IT defendant. This is the common law doctrine preventing a party who suffers only economic damages from recovering by prosecuting a tort theory of liability. The economic loss doctrine holds that contract law—not tort law—provides the appropriate avenue for recovery when there is no bodily injury or property damage.


Losses and damages issues

Damages in technology cases are another important issue for the insurer to analyze. To begin, one must look again to the generally sophisticated nature of the technology contract. There are often provisions in the contract addressing the issue of damages. Where such clauses exist, the insured and its client have already agreed in advance on how to handle the issue of damages. For example, many IT firms will try to expressly waive and exclude the potential for "consequential" or "special" damages like lost profits or business opportunity (or any damages purportedly suffered because of the claimant's unique circumstances).

For insurers, it is important to analyze the risk of aggregated damages posed by IT policyholders. To the extent that an IT firm suffers a first-party cyber occurrence, there is a strong potential that the event will impact numerous potential claimants at the exact same time. The potential number of simultaneous claimants is a challenging area for the insurer.


Tech E&O insurance

Technology E&O insurance covers third-party damages arising from a technology product's failure to perform as intended or expected, as well as from acts, errors, or omissions committed during the performance of technology services. This insurance should afford coverage for programming errors and omissions, integration/installation project disputes, hardware and software integration, "scope creep" (where the client changes the scope of work), and similar matters.

Though technology itself always changes, the claims actually made against IT professionals are predictable. Insurers should stay current on new technology while remaining conscious of traditional insurance principles. Insurers must take great care when working with technology policyholders and evaluating their risk. It is crucial for the insurer to work closely with reputable technology counsel and knowledgeable insurance brokers to identify the appropriate risk management strategies to mitigate technology risk.
