SCL Meeting Report: ‘Have you got IT covered?

March 5, 2013

On Wednesday 29 January 2013, I joined over 40 other delegates for a rare and fascinating insight into the interaction between IT and insurance. The event was chaired and organised by David Sharp (Partner – Charteris plc) of the SCL North London and Home Counties Committee, and generously hosted by Clyde & Co. Speakers were Andrew Horrocks (Partner – Clyde & Co) and Phil Mayes (Senior Vice President – Global Technology and Privacy Practice, Lockton).

At the outset our attention was focussed with a call around the room for delegates to identify themselves and explain what aspects of insurance and IT drew them to the seminar. Subjects of interest ranged over assessment of risk, the relationship of insurance with technology and outsourcing, insurance in the field of cyber data, limitation of liability clauses, insurance against project failures, data protection, cloud storage and business interruption.

Andrew and Phil presented their expert knowledge in the context of a typical scenario: a pharmacy using IT to receive and transmit orders, with an automated system for stock replenishment and distribution. This scenario gave a ‘real world’ structure to an examination of key issues. The chains of risk were analysed and situations postulated where insurance may play a part.

The key issues considered were:

–        Insurance for the supply of IT and IT consultancy

–        Effect of insurance on limitation clauses

–        Insurance for customers’ live systems

–        Insurance coverage for mitigation costs

–        Trends: what’s new in IT and insurance? BYOD, Cloud, First Party Cover

Phil described the different insurance markets as between the large supplier and the small supplier of IT services, while opportunities for the customer to insure are more limited and less commercially realistic. The large supplier market provides opportunities for aggregation to spread risk, while terms on limitation of liability and transfer of risk are likely to be in a standardised form. The small supplier will need to control risk by giving more attention to the drafting of contractual terms and careful management of the project. The customer is unlikely to be able to offer the economies of scale which enable the insurer to provide cover at a commercial rate.

Andrew illustrated the way in which insurance, or more precisely, the availability of insurance, is a key factor to limiting liability in both statute (UCTA 1977) and case law. The variety in judicial decisions reflects differing judicial sensitivity to the actual or potential influence of insurance in balancing risk between the parties – the recent construction case of Ampleforth v Turner & Townsend [2012] EWHC 2137 (TCC) being an example of how the mere presence of insurance can be pivotal in judicial decisions.

Phil highlighted the way in which the market to insure risk in live systems is developing as insurers push into traditionally uninsurable areas to find new business. Non-tangible risks such as reputational damage are a major new area, for example in the data protection context. Performance levels in outsourcing are also attracting attention from the insurance market and additional services are being developed such as benchmarking. An awareness of such developments is highly relevant for the lawyer negotiating service level agreements.

Andrew pointed out the limitations which English law puts on the scope of insurance. Fines for data protection breaches are becoming increasingly significant but public policy imposes limitations on recoverability. There is as yet no direct judicial decision but Andrew used competition law (eg Safeway v Trigger) as a comparator on which to base the view that this would not be insurable.

Mitigation is another area which is changing with increasing focus on data protection. Phil gave some US examples where settlements were made by payment into a collective fund rather than by endeavouring to settle with individual data subjects. 

As to trends, coverage is widening beyond traditional areas, for example IPR risks may now be covered. There is also pressure in some quarters for unlimited liability. In contrast, the huge expansion of cloud services is deficient in insurance cover. This is an area of concern in light of the lack of effective controls on providers but the insurance and risk solution has not yet developed. Cybercrime and growing concern over data breach is creating a demand for the development of risk solutions in these areas.

This was a fascinating seminar with an expert panel who were able to combine their different expertise to disseminate the information and stimulate thought.  Any delegates who came along just out of curiosity to discover what, if any, relationship existed between these two areas of law and insurance were certainly put in the picture. David Sharp is to be congratulated on producing this enlightening seminar on a neglected topic which warrants more attention in future seminar programmes.

Sharon Mitchell is a freelance consultant solicitor specialising in IP, IT, Commercial and Corporate Law: