By Nick Reuhs
As privacy liability and cybercrime caught the attention of business owners and boardrooms, the insurance industry responded with gusto. Seemingly overnight, insurers realized that current policies were ill-prepared to respond to these risks and cyber insurance grew from a niche product to a multibillion-dollar industry. Insurers and insurance brokers developed new expertise. Policyholders walked, then ran, into the cyber insurance market.
The “internet of things” appears to represent the next wave of new liabilities: cars being remotely controlled by hackers; medical devices being used as access points for theft of medical records; baby monitors being used as spying devices; a software update pushing bad code that disables a fire sprinkler system; and TVs being rendered useless by malware. Thus, some have wondered (often aloud) why the insurance industry has yet to respond with “IoT insurance.” The answer is simple: Most businesses and organizations already have some level of IoT insurance and gaps are being filled by language in endorsements, not new policy lines. But that does not mean insurance coverage for IoT-related losses is always clear.
As a general matter, standard Commercial General Liability policies should respond to a defective IoT product in the same way that they respond to any other defective product. The primary questions will remain the same: Was there an “occurrence?” Is the damage limited to “your product” or an “impaired product?” The nuances in analyzing these questions (whether in policy procurement or during the claims process) should mirror the analysis in the non-IoT world.
Still, standard CGL exclusions for damage to “your property” and “impaired property” severely limit the availability of coverage when a product is used as a component in a larger product and that larger product is subsequently damaged. This scenario seems to be of particular concern in the IoT world, where your IoT component could potentially disable your customer’s larger product. However, this gap can often be filled through the use of a carefully overlapping Technology Errors & Omissions policy. Unlike CGL policies, language in Tech E&O policies can vary greatly. Thus, using a Tech E&O policy to provide coverage for an IoT component requires a nuanced review of covered conduct and contract exclusions. But, ultimately, the right Tech E&O policy can account for this gap.
Other gaps are less clearly resolvable. For instance, there is a standard post-2004 CGL exclusion precluding coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” The most current form of the standard CGL policy notes that “this exclusion does not apply to liability for damages because of ‘bodily injury.’” However, not all policies contain this coverage-restoring language. Moreover, coverage for “property damage” (as opposed to just “bodily injury”) arising from the same scenario is curiously unresolved.
Moreover, since 2014, nearly all CGL policies have also excluded coverage for non-physical loss arising from data breaches (whether from an IoT device or not). That dynamic is not set to change anytime soon. Of course, the new world of cyber insurance is eager to fill that gap.
Nearly all of the discussion of IoT risks has been focused on third-party liabilities and, thus, third-party (i.e., liability) insurance. However, in some ways, the first-party losses may present the more interesting insurance issues.
For instance, if you have temperature-controlled storage that depends on an IoT device, a malfunction could cause significant physical loss. Similarly, as IoT begins to play a larger role in inventory management, it is easy to see how an IoT malfunction could lead to a crippling business interruption. However, the insurance response to such events raises questions. For instance:
How will standard exclusions for losses arising from electronic “interference” with “device[s], appliance[s], system[s] or network[s]” be reconciled in an IoT world?
If data across thousands of IoT devices is corrupted, can the business cost of losing such data be insured?
If you incorporate another organization’s IoT technology into your product, how will your business interruption insurance respond if that technology malfunctions?
Reading policies and understanding risk
All of these issues may not yet be solved in the larger sense. However, many insurers are flexible with respect to technology-related coverage language (especially when first-party, third-party, and cyber coverage are placed together). Thus, there will often be opportunities to address IoT risks head on. However, these issues need to be considered (1) at policy procurement (not at the time of a claim); (2) in connection with a larger risk assessment; and (3) in coordination with an experienced insurance broker or attorney who understands the scope and nuance of the available offerings.
• Nick Reuhs is a partner in Ice Miller’s litigation group and member of the firm’s Internet of Things industry group. Reuhs concentrates his practice on insurance coverage disputes, risk management and general business litigation. He can be contacted at 317-236-2160 or Nicholas.Reuhs@icemiller.com. The opinions expressed are those of the author.