According to some estimates, by 2020, the internet of things (IoT) will encompass more than 50 billion devices. But as the technology becomes more common, headlines regarding the risks of IoT-enabled products are becoming more frequent, such as reports that Amazon’s digital assistant Alexa “misheard” a toddler’s inquiry and proceeded to teach him profanity or cases where autonomous cars have been involved in accidents. Manufacturers of consumer goods, such as wearable fitness devices, baby monitors and “smart” appliances, and businesses like power plants and hospitals should be concerned about the risks associated with the use of such technology as well.
In light of increasing liability concerns, policyholders need to examine their existing insurance policies and consider changes that expand or clarify coverage for possible IoT claims.
General Liability Coverage
For claims alleging harm from the use of a product, policyholders need to look to the products liability coverage in their general liability policies. Unless there is a specific exclusion, this coverage should respond to IoT-related claims in the same fashion as it has for non-IoT products. The standard form terms and exclusions may limit the coverage, such as restrictions on coverage for damage to “your product” or “impaired property” and exclusions for product recalls.
In addition to products liability coverage, most general liability insurance policies also cover “personal injury,” often defined to include emotional distress, and “advertising injury,” which may be defined to cover certain intellectual property claims like copyright infringement and violations of privacy rights. Thus, your general liability policy may also respond to IoT claims alleging emotional harm from a malfunction, or invasion of privacy.
Technology E&O Coverage
Companies with significant technology exposure may also have technology errors and omissions (E&O) insurance. This is a specialized type of liability coverage sold to companies that provide technology services or products, such as data-hosting companies or companies that provide software that is incorporated into a larger product. It is a form of professional liability insurance. There are many variations in coverage from one insurance company form to another, but these policies typically cover claims alleging negligence or some wrongful acts in connection with rendering professional services relating to technology or providing technology products. Technology E&O policies should respond to claims alleging that products do not function as intended, and may provide valuable coverage for defense costs when there are allegations that a delay in providing the product or service caused economic harm to others.
Cyber Liability Coverage
Because IoT claims necessarily involve the use of the internet, policyholders should pay particular attention to their cyber liability coverage. As more and more interconnected and unsecured devices are used, and businesses grow more dependent on IoT devices to streamline and optimize operations, the chances of a significant cyber event rise exponentially. There may be serious vulnerabilities in manufacturing processes, utilities and the health care industry.
Exclusions for claims relating to the use of computers or data may appear in a company’s general liability or other policies, and many companies have standalone cyber liability insurance as a result. Cyber coverage varies greatly as there is no standard form currently being used in the industry. Many policies provide both first- and third-party coverages, but some bar coverage for third-party claims. Others have restrictive requirements, such as excluding coverage where funds are misdirected if an employee authorized to transfer money was duped by hackers into wiring funds. Some policies bar coverage for bodily injury, which could be a significant issue for health care providers. Sub-limits of liability also are common for certain types of claims and for cyber forensics investigations. Many of these issues can be addressed during the policy underwriting—and policyholders should not be shy about asking for the removal of exclusions and for other coverage expansions.
Business Interruption Insurance
Business interruption insurance traditionally covers loss of profits and other expenses when a business is adversely affected by an event that took place on its own property, such as a fire or flood. Contingent business interruption insurance protects businesses when an event at a customer’s or supplier’s premises adversely affects the business, such as when a supplier cannot deliver a raw material to the business because of a hurricane.
Both of these types of insurance may play a role when damage is caused by interconnected devices. Denial-of-service attacks and ransomware incidents, which have the potential to spread rapidly through IoT devices, are rising. FedEx, Nissan and the Department of Homeland Security were reportedly affected by the WannaCry ransomware attack in May 2017, and the NotPetya attack compromised operations at pharmaceutical company Merck in June 2017. These types of interruptions can be costly.
Insurance limits of liability for business interruptions caused by issues with a cloud vendor or other internet service provider have generally been relatively low. Some experts believe this is because the risk of catastrophic loss to insurers is high, given how many policyholders would be affected in relation to how few cloud and other internet service providers operate in given industries. Again, if your business is dependent on such providers, you should address the limits of liability question when purchasing the insurance.
Directors and officers also face exposure to IoT claims. For example, shareholders may allege that the company was harmed by directors’ and officers’ negligence or breach of duty in failing to keep the company’s cybersecurity procedures and equipment up to date. Similarly, boards and directors, especially of technology-dependent companies, could face negligence and other claims in not having adequate contingency plans in the event of a technology failure or malfunction, or in not investigating and purchasing coverage like cyber insurance to protect the company. In such cases, D&O insurance may cover the costs of defense and a settlement or judgment in the matter.
Responding to Internet of Things Claims
In some respects, IoT claims are no different than other claims. Save all material and correspondence you receive during policy placement and keep them together with a complete copy of the policy. The representations made to you or the disclosures made by you when purchasing insurance may be vital to securing coverage.
When faced with a claim or circumstances that suggest a claim may be coming, give all potentially responsible insurance carriers notice as soon as possible, and follow the policy requirements to the letter in giving that notice. Policyholders do not need to determine which policies might respond. Instead, simply give notice under all policies that might be relevant. If you choose to give notice under only one policy and you are wrong about the policy selected, your notice under the proper policy may be late.
Finally, do not take “no” for an answer from the insurer. Policyholders must be persistent, especially when the claim is severe. Use all available resources to push back on improper denials of coverage, including using any claim advocate from your broker and outside coverage counsel. The factual circumstances surrounding IoT claims and some of the coverage terms are relatively new and there is not a great deal of precedent binding insurance companies, so policyholders may have to make a determined effort to be sure they receive the insurance coverage purchased.