When you enter into a contract with a vendor, you generally impose insurance requirements on the vendor and an indemnification obligation. But consider whether your current contracts have insurance requirements that would cover the following:

  • When a computer repair technician damages your inventory data records, does the technician have insurance to pay for the cost of reconstructing those electronic records and your loss of business income?
  • When you are sued for copyright or trademark infringement because your advertising firm plagiarized another company's ideas in its marketing for you, does the advertising firm have insurance to defend and indemnify your company from the suits?
  • When a service provider accidentally discloses confidential information and you have to comply with the privacy laws, will the service provider pay for the significant notification and compliance costs?

Unfortunately, if your purchasing contracts contain the standard insurance boilerplate that merely requires the vendor to maintain Commercial General Liability (CGL) insurance, there will probably be no insurance coverage to pay for any of these claims. The standard CGL policy expressly excludes coverage for electronic data, including information and programs stored on a computer.

The absence of coverage stems from the historical fact that the CGL was created in a bricks-and-mortar world where most of the damages a vendor could cause involved tangible property or bodily injury. In today's cyber world, however, the damages a service provider can cause are more likely to be to intangible property or electronic data, or to be economic damage, and therefore not covered by the CGL. The vendor must have an Errors and Omissions policy and cyber risk products to adequately protect your business.

We recommend that you review your contracts with vendors to make a modern-day assessment of the risks posed to your business. We suspect that too many of those contracts only require a Commercial General Liability policy.

If a provider has access to your computer system, we recommend that the contract require both Technology Errors and Omissions insurance and coverage for Cyber Risks including Privacy Event coverage. Here is a sample provision that we added to the insurance requirements in a contract with a software consultant:

  • A. Required Insurance Coverages and Minimum Amounts

    8. Technology errors and omissions insurance covering liability for programming errors, software performance, failure to perform as promised under the Agreement, and cyber risks including Privacy Event coverage with a combined single limit not less than $5,000,000 per claim and combined annual aggregate liability limit of not less than $10,000,000. The Mitigation Costs limit of liability will be not less than $3,000,000.

We all need to start thinking about electronic and intangible risks posed by vendors in the same way we traditionally have thought about damages that could be caused by contractors to tangible property. Consider this:

  • If you had a contractor rebuilding a part of your plant for $1 M – would you require the contractor to provide insurance for the physical damages he could cause to your property and bodily injury to your employees during construction?
  • "Of course I would require a CGL as part of the contract."
  • When a vendor has access to your computer data system, he can damage assets that are more valuable than any building owned by the company. If the vendor can damage your data or his employee reveals identifiable information triggering the privacy laws, shouldn't you require the vendor to have the right type of insurance coverage to pay those damages?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.