Securing insurance for the ‘Internet of Things’
March 2016 | SPECIAL REPORT: INSURANCE COVERAGE
Financier Worldwide Magazine
Internet connected, data generating items are increasingly integrated into every aspect of daily life. It is commonly accepted that the amount of data we generate will increase tenfold every five years, and more and more consumer and commercial objects are relying on data to support their functionality.
While this data-driven landscape creates an enormous wealth of exciting new business opportunities, it also significantly expands enterprise risk, creating new and novel exposures. Given the expanding risk, businesses, including those taking advantage of the exploding platform of data-generating objects, are well advised to carefully evaluate the insurance protections that they have in place to address the risks associated with the changing data landscape. Will your insurance coverage adequately protect your business in this ever-increasingly connected world?
The facts underscore the emerging opportunity and risk. According to the Consumer Electronics Association, the number of things connected to the internet surpassed the number of people for the first time roughly six years ago. Some experts estimate that at the end of 2015, there were around 25 billion connected devices, and by the end of 2020, that number will swell to over 50 billion.
The phenomenon of everyday consumer objects (other than the now-usual devices such as personal computers, smartphones and tablets) connecting to the internet to send and receive data is commonly referenced as the Internet of Things (IoT). In fact, the emerging world of interconnected items goes far beyond consumer objects, although the term ‘IoT’ is still used to describe that broader universe.
No matter the name, the end result is an interconnected landscape where objects that are not ‘traditional’ data generators have a digital presence and the ability to communicate with other connected things (object-to-object such as through wireless connections to the internet) and people. Examples include items such as fitness trackers, smart meters sending energy data, smart tractors sending soil and planting data, smart homes and commercial buildings, smart cars and roads and traffic lights – the potential list is endless.
The IoT is pervasive, and the risks from both a data perspective and products prospective are substantial. The fact that the technology is new makes it exciting, but it also means that IoT risks have not received the years of careful attention that more ‘traditional’ things have enjoyed. To be sure, IoT products create new kinds of risk ranging from new ambiguities in contract and insurance law outcomes to more obvious issues such as data security, products liability, risk allocation in data chains, and so on.
An IoT device that is apparently functioning as designed, for example, but is generating data that is not properly secured or has been breached, can create very significant liability concerns. If a smart thermostat knows when to turn on the heat by ‘learning’ through data generation what time you get home on various days, what would result if that learning is deficient or there is a hardware or software failure somewhere in the connected chain that results in a fragile elder waking up with no heat on a freezing winter day or in a home intrusion?
Unfortunately, makers, users and contributors to IoT products may incorrectly assume that their traditional insurance policies adequately protect them against IoT-related liability. However, traditional policies may leave critical gaps in coverage.
For example, assuming that an IoT-related loss is within the scope of products liability coverage afforded under a standard-form traditional Commercial General Liability (CGL) insurance policy, which it often will be, an insurer might nonetheless argue that the standard-form CGL policy exclusion for ‘work that has not yet been completed or abandoned’ voids coverage for liability arising out of a product that communicates using an algorithm that can be accessed and modified by the manufacturer.
In addition, insurers may argue that electronic data-related exclusions bar coverage. Although the insured business ultimately may prevail in obtaining coverage in the wake of a coverage denial, fighting IoT-related coverage battles under CGL policies can be time-consuming and expensive – this is an arena where an ounce of prevention may be worth a pound of cure.
Likewise, companies are advised not to assume that their ‘cyber’ liability policies necessarily provide adequate protection for IoT-related product liability exposures. Cyber insurance can be extremely valuable. However, businesses should keep in mind that selecting and negotiating the right cyber insurance policy presents unique and significant challenges relating to, among other things, the nature of the connected object, its tangible and intangible aspects and its uses and impacts.
There is a vast array of insurance products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from policy to policy. Cyber policies, even those that provide technology errors and omissions coverage for technology-related products and services, may not adequately respond to a company’s particular risk profile.
First-party IoT related risk should also be accounted for in any re-evaluation of insurance policies. Unlike third-party liability policies, which protect an insured in the event of claims brought by another against the insured, first-party coverage protects the insured against losses the insured itself suffers. For example, if a fire burns down a company’s office space, the company would look to first-party insurance to recover its property and income losses caused by the fire.
Much of the conversation around IoT risks has been focused on liability related losses, but first-party losses have the potential to be devastating and should not be overlooked (for example, will your coverage cover only your melted ‘thing’ or will it also cover restoration of the valuable data that was residing in that thing at the time of the fire?).
In short, businesses are advised to proactively evaluate their insurance coverage for potential IoT-related coverages and liability, to understand potential gaps in coverage, and to address those potential gaps before loss or liability crystallises in a claims context. Reviewing and obtaining appropriate insurance coverage on the front end may spare a business from coverage denials and protracted and expensive coverage battles down the road, while also allowing for innovation with greater peace of mind.
Roberta D. Anderson and Holly K. Towle are partners and Kendra Nickel-Nguy is an associate at K&L Gates LLP. Ms Anderson can be contacted on +1 (412) 355 6222 or by email: email@example.com. Ms Towle can be contacted on +1 (206) 370 8334 or by email: firstname.lastname@example.org. Ms Nickel-Nguy can be contacted on +1 (206) 370 8015 or by email: email@example.com.
© Financier Worldwide
Roberta D. Anderson, Holly K. Towle and Kendra Nickel-Nguy
K&L Gates LLP