Data-related Professional Liability Coverage – Still the Wild West

June 27, 2016

When we first spoke with underwriters about creating a professional liability policy to correct the problems with existing coverages, they freely admitted that covering data protection risks was the “wild west” of the insurance industry.
To us (and to them too) that meant two things:

  1. There was a rush on to serve a new need in the marketplace, and,
  2. There was a lot of confusion about what was needed and how to word it.

Another thing prevalent in any marketplace labeled the “Wild West” (as we well know) is that customers often have little understanding of the issues.

Just last week, a highly regarded insurance professional reminded me that as far as they are concerned, data-related professional liability continues to be the Wild West.

Now imagine yourself running a very large insurance underwriting company. You can pick any major insurance brand. You know them all. There’s a new opportunity to underwrite emerging data-related risk, which means there’s money to be made. Who is the customer? That’s easy. They are the credit unions, banks, hospitals and universities and all of the other thousands of categories of data controllers who are affected by this risk directly. They are the big fish and they pay very big premiums for coverage.

Oh, yeah, and if we sell a small policy here and there to a service provider, it’s all the better.

And there’s the rub: they did not see service providers as a different animal, but we are. They make products for data controllers and covered entities, and when we call our broker, who knows even less about data protection regulations, up comes the latest, greatest policy with a bow on it.

I can’t tell you how many policies I have reviewed where someone in our industry bought cyber coverage because they shred hard drives, even though it is completely irrelevant. Or they bought it because it was the only way to get breach coverage or extortion coverage, even though neither would be applicable to anything resulting from their destruction or storage services.

And now we’re seeing policies where the data-related coverages require the use of some internal team that manages the breach. It is understandable why an insurer would want such control, but it is simply not applicable to service providers. The service provider has little or no control, since its regulatory obligation is limited to informing the data controller that hired it. You can’t go to the hospital and say, “We’re covered, but our insurance company requires your hospital to let our breach management team take over control.”

The Wild West was eventually tamed and so we may see insurance companies come around. Already we have seen them remove sublimits on data breach coverage – something Downstream Data Coverage did 5 years ago.

We’re also starting to see policy language clearly stating that the acts of rogue employees are covered – though even that clarity is still quite rare, again something Downstream led the way on.

Downstream Data Coverage will eventually cut premiums significantly when it converts to a captive program. For now, all we have to offer are very competitive rates and coverage that actually does what it is supposed to do.