Insurance Coverage for the Internet of (Defective) Things Insurance Coverage for the Internet of (Defective) Things

Insurance Coverage for the Internet of (Defective) Things

This article is part of Ice Miller’s Smart Connections | Internet of Things Guide. This guide can serve as a shared resource for your peer group discussions to give everyone the background they need on the business and legal issues behind connected devices. Click here to learn more.

Over the past decade, a series of high-profile security events brought considerable attention to how our business and personal information is collected, stored, and protected. Companies and organizations have responded to public sentiment and government pressure by fundamentally changing the way that confidential information is handled. Attorneys, regulators, and lawmakers have responded by creating and crystalizing a whole new category of liabilities: data breach response and privacy liability.
 
At the same time, an increasingly interconnected world has led to a tidal wave of “cybercrime.” This new business risk runs the gamut from ransomware and cyber-extortion to funds transfer fraud and cyber-vandalism.
 
As privacy liability and cybercrime caught the attention of business owners and boardrooms, the insurance industry responded with gusto. Seemingly overnight, insurers realized that current policies were ill-prepared to respond to these risks and cyber-insurance grew from a niche product to a multi-billion dollar industry. Insurers and insurance brokers developed new expertise. Policyholders walked, then ran, into the cyber-insurance market.

The internet of things (“IoT”) appears to represent the next wave of new liabilities: car being remotely controlled by hackers, medical devices being used as access points for theft of medical records, baby monitors being used as spying devices, a software update pushing bad code that disables a fire sprinkler system, and TVs being rendered useless by trojanware. While manufacturers have been less concerned than other sectors with cyber-liability, many are very concerned with IoT liabilities. Thus, some have wondered (often aloud) why the insurance industry has yet to respond with “IoT insurance.” The answer is simple: most businesses and organizations already have some level of IoT insurance and gaps are being filled by language and endorsements, not new policy lines. However, CGL coverage is a far from clear answer to CGL liabilities.
 
As a general matter, standard Commercial General Liability (“CGL”) policies should respond to a defective IoT product in the same way that it responds to any other defective product. The primary questions will remain the same: Was there an “occurrence”? Is the damage limited to “your product” or an “impaired product”? The nuances in analyzing these questions (whether in policy procurement or during the claims process) should mirror the analysis in the non-IoT world. Still, exclusions for “your property” and “impaired property” severely limit the availability of coverage when a product is used as a component in a larger product and that larger product is subsequently damaged. This scenario seems to be of particular concern in the IoT world. However, this gap can often be filled through the use of a carefully overlapping Technology Errors & Omissions (“Tech E&O”) policy. Unlike CGL policies, language in Tech E&O policies can vary greatly. Thus, using a Tech E&O policy to provide coverage for an IoT component requires a nuanced review of covered conduct and contract exclusions. In other words, using a Tech E&O policy to provide coverage for an IoT component requires careful policy review. But, ultimately, Tech E&O policies may be able to provide coverage for your component potentially bricking or disabling your customer’s larger product.
 
Other gaps are less clearly resolvable. For instance, there is a standard post-2004 CGL exclusion precluding coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” One could see how “inability to manipulate electronic data” (say a malfunctioning IoT-connected GPS or a failure to deliver accurate IoT‑connected medical information) could cause serious physical injury. The most current form of the standard CGL policy notes that “this exclusion does not apply to liability for damages because of ‘bodily injury.’" However, the exception can be removed by endorsement. Moreover, coverage for “property damage” (as opposed to just “bodily injury”) arising from the same scenario is curiously unresolved.
 
Another potentially problematic provision is the standard CGL exclusion precluding coverage for “Products-Completed Operations Hazard” liabilities arising from “[w]ork that has not yet been completed or abandoned.” This has raised some concern about whether a product receiving required IoT updates is ever “completed.” While there is no guarantee that an insurer will not seize on this language, this exclusion does focus on the “completed operations” or “work” side of the “Products-Completed Operations Hazard” coverage rather than the “products liability” side. Moreover, the exclusion itself notes that “[w]ork that may need service, maintenance, correction, repair or replacement, but which is otherwise complete, will be treated as completed.”
 
Finally, since 2014, nearly all CGL policies have also excluded coverage for non-physical loss arising from data breaches (whether from an IoT device or not). That dynamic is not set to change anytime soon. Of course, however, the new world of cyber-insurance is eager to fill that gap. The lack of uniformity among cyber-insurance policies always dictates careful policy review. However, while older cyber-insurance policies were concerned about the nature of the breach and the location of the data, newer forms purport to provide coverage for nearly all data breach and privacy liabilities for which the insured is legally responsible (subject, of course, to varying contractual exclusions). Thus, careful policy procurement should allow cyber-insurance to seamlessly dovetail with IoT liabilities. Still, most policies will not answer for claims alleging the improper collection of confidential information.
 
Ultimately, coverage for defective IoT products is simply immature and uncertain. And policyholders should expect coverage disputes. Still, policyholders can reduce potential coverage problems by consulting specialized brokers, working with counsel to understand their specific risks, and perhaps most importantly, engaging in careful and nuanced policy review.

For more information on the Internet of Things and its liabilities, contact Nick Reuhs or a member of our Internet of Things practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 






View Full Site View Mobile Optimized