Insurance Coverage for the Internet of Things Insurance Coverage for the Internet of Things

Insurance Coverage for the Internet of Things

As privacy liability and cybercrime has caught the attention of business owners and boardrooms, the insurance industry responded with gusto. Seemingly overnight, insurers realized that current policies were ill-prepared to respond to these risks and cyber-insurance grew from a niche product to a multi-billion dollar industry. Insurers and insurance brokers developed new expertise. Policyholders walked, then ran, into the cyber-insurance market.

The internet of things (“IoT”) appears to represent the next wave of new liabilities:  cars being remotely controlled by hackers, medical devices being used as access points for theft of medical records, baby monitors being used as spying devices, a software update pushing bad code that  disables a fire sprinkler system, and TVs being rendered useless by malware. Thus, some have wondered (often aloud) why the insurance industry has yet to respond with “IoT insurance.” The answer is simple:  most businesses and organizations already have some level of IoT insurance and gaps are being filled by language in endorsements, not new policy lines. But that does not mean insurance coverage for IoT-related losses is always clear.
 
Liability Insurance
 
As a general matter, standard Commercial General Liability (“CGL”) policies should respond to a defective IoT product in the same way that it responds to any other defective product. The primary questions will remain the same:  Was there an “occurrence”? Is the damage limited to “your product” or an “impaired product”? The nuances in analyzing these questions (whether in policy procurement or during the claims process) should mirror the analysis in the non-IoT world. 
 
Still, standard CGL exclusions for damage to “your property” and “impaired property” severely limit the availability of coverage when a product is used as a component in a larger product and that larger product is subsequently damaged. This scenario seems to be of particular concern in the IoT world, where your IoT component could potentially disable your customer’s larger product. However, this gap can often be filled through the use of a carefully overlapping Technology Errors & Omissions (“Tech E&O”) policy. Unlike CGL policies, language in Tech E&O policies can vary greatly. Thus, using a Tech E&O policy to provide coverage for an IoT component requires a nuanced review of covered conduct and contract exclusions. But, ultimately, the right Tech E&O policy can account for this gap.
 
Other gaps are less clearly resolvable. For instance, there is a standard post-2004 CGL exclusion precluding coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” The most current form of the standard CGL policy notes that “this exclusion does not apply to liability for damages because of ‘bodily injury.’” However, not all policies contain this coverage-restoring language. Moreover, coverage for “property damage” (as opposed to just “bodily injury”) arising from the same scenario is curiously unresolved. 
 
Moreover, since 2014, nearly all CGL policies have also excluded coverage for non-physical loss arising from data breaches (whether from an IoT device or not). That dynamic is not set to change anytime soon.  Of course, the new world of cyber-insurance is eager to fill that gap. 
 
First-party Insurance
 
Nearly all of the discussion of IoT risks has been focused on third-party liabilities and, thus, third-party (i.e., liability) insurance. However, in some ways, the first-party losses may present the more interesting insurance issues.
 
For instance, if you have temperature-controlled storage that depends on an IoT device, a malfunction could cause significant physical loss. Similarly, as IoT begins to play a larger role in inventory management, it is easy to see how an IoT malfunction could lead to a crippling business interruption. However, the insurance response to such events raises questions. For instance:
 
  • How will standard exclusions for losses arising from electronic “interference” with “device[s], appliance[s], system[s] or network[s]” be reconciled in an IoT world?
  • If data across thousands of IoT devices is corrupted, can the business cost of losing such data be insured? 
  • If you incorporate another organization’s IoT technology into your product, how will your business interruption insurance respond if that technology malfunctions?
Reading Policies and Understanding Risk
 
All of these issues may not yet be solved in the larger sense. However, many insurers are flexible with respect to technology-related coverage language (especially when first-party, third-party, and cyber coverage are placed together). Thus, there will often be opportunities to address IoT risks head on.  However, these issues need be considered: (1) at policy procurement (not at the time of a claim); (2) in connection with a larger risk assessment; and (3) in coordination with an experienced insurance broker or attorney that understands the scope and nuance of the available offerings.
 
For more information on insurance coverage and the Internet of Things, contact Nick Reuhs at nicholas.reuhs@icemiller.com or 317-236-2160, or a member of Ice Miller's Internet of Things Industry Group.
 
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances. 
View Full Site View Mobile Optimized