Purchasing insurance for bodily injury and property damage claims seems straight forward enough - that's the intent of a commercial general liability policy. The problem however, is that many companies today provide some degree of professional services, and most liability policies exclude coverage for claims arising from “professional services”. A typical exclusion will read:
This insurance does not apply to any “bodily injury”, “property damage”, “personal and advertising injury” arising out of the rendering of, or failure to render professional services.
The intent behind this exclusion is to push professional exposures to appropriate professional liability policies. It seems straight forward enough until you realize however that almost all professional liability policies contain exclusions for bodily injury and property damage (BI/PD) claims, with the intent of pushing those exposures to more appropriate CGL policies. This exclusion generally reads:
The insurer shall not be liable to make any payment for loss in connection with any claim for bodily injury, sickness, death, emotional distress, mental anguish, or for damage to, destruction of, or loss of use of any tangible property……
This creates a significant gap where BI/PD claims arising from professional errors are left in limbo (and uncovered) by both policies. The same holds true for cyber policies that also contain hard BI/PD exclusions. When breaches affect; engineering or load bearing calculations, monitoring of infrastructure related software, interference with GPS coordinates (among others), and ultimately result in bodily injury or property damage claims, coverage may be declined entirely. Cyber liability exclusions contained within general liability policies serve as an additional hurdle to coverage. While they may contain limited carve backs for bodily injury, they are exactly that - limited. In order to navigate around this grey area of preclusive coverage, something must give. There are a few options:
- Obtain a general liability (commercial package) policy that does not contain a professional services exclusion, OR one that is narrow enough to be acceptable. It's also important to review any underlying cyber-exclusions (and carve backs) in order to understand how they may affect coverage.
- Purchase a separate E&O policy that contains 1) a broad definition of professional services and 2) contingent BI/PD coverage. The same holds true when purchasing cyber insurance.
- For specialized operations such as tour operators or allied healthcare companies, often special programs are available that combine GL and E&O on one policy.
To consider the problematic nature of this exclusion we’ll use a recent example. A hypothetical company by the name of “Medical Publishers Inc” is a non-profit medical foundation that publishes guidelines and consulting advice regarding medical care best practices – these publications are used as guidelines in hospitals across the country. Should an error in their printing result in incorrect dosage administration or improper care resulting in bodily injury to a patient, the company’s CGL policy would preclude coverage for any resulting claims based on the “professional services” exclusion, since such claims arose from their services as a publisher. Conversely, a standard publishers’ E&O policy would also preclude coverage based on the broad bodily injury exclusion. In this case we decided to pursue an E&O quote on a miscellaneous professional liability form with the main goal of obtaining 1) a broad definition of professional services, and 2) a broad bodily injury carve back. When approaching carriers for E&O insurance inclusive of contingent BI/PD coverage, some companies may have more success pursuing coverage through a miscellaneous professional liability form which often have more creative leeway.
Contingent BI/PD coverage is becoming increasingly important for a number of reasons. With tech becoming deeply embedded within corporate operations, many companies today provide some mix of products and services. This mix can create a grey area where it is difficult to determine if a lawsuit stems from a product or service failure. Additionally, hackers are expanding their reach into newer schemes and industries creating the potential for intrusions that result in bodily injury and/or property damage claims. Many companies may have a difficult time understanding how a cyber intrusion could lead to a bodily injury claim. To help explain that potential we will use some hypotheticals:
- A healthcare facility sustains a cyber intrusion that modifies patient records and/or intrudes medical equipment resulting in improper treatment or patient monitoring. In both cases, such intrusions can result in harm to patients.
- A mobile app that provides GPS tracking for hikers suffers a directed attack which disables the GPS stranding hikers in remote areas without navigation.
- A large refrigerated food manufacturer (or storage facility) sustains a cyber intrusion that de-regulates their refrigeration units decreasing the temperature by 15 degrees leading to food spoiling without their knowledge. This food is later consumed by customers who become extremely sick.
- A manufacturing plant sustains an intrusion that interrupts an assembly line causing it to speed up resulting in both property damage and employee injuries.
If that's not convincing enough, hackers have already demonstrated the ability to hack and disable vehicles - this will undoubtedly prove a significant challenge in securing autonomous vehicles. And as recently reported by Security Affairs, they have also demonstrated the ability to hack car washes, manually controlling the machinery with the ability to crush a car. If your company is providing anything that could be construed as a professional service, it’s important to ensure your insurance program has adequately aligned BI/PD coverage. And if those services have the ability to be affected by hackers, it’s equally important to place strong cyber insurance with contingent BI/PD coverage. For companies that are solely providing technology services, a Technology Errors & Omissions insurance policy will likely provide much of the coverage necessary to respond to cyber-related claims as well, however it is important to perform a careful coverage audit and understand the differences between Tech E&O and cyber risk insurance (within your context as a tech provider), as discussed here. While properly coordinating BI/PD coverage for service related claims can be challenging, E&O and cyber carriers are slowly beginning to understand the need for this insurance and are responding accordingly. As a last resort, some carriers appear to be developing cyber DIC (difference in condition) policies that sit on top of underlying cyber policies in order to fill any remaining coverage gaps.