LPL Gap Analysis

Columns: Loss Scenario; Frequency (H / M / L); Severity (H / M / L); Coverage; Comments
Civil suits arising out of your negligent or intentional transmission of a computer attack such as a virus, hacker attack or DDOS to others.
Frequency: L. Severity: M. Coverage: Arguably Not Covered. Comments: The majority of LPL policies do not have exclusions for computer attacks. However, most policies specifically exclude coverage for property damage, which in some cases extends to damage to intangible property such as software, data or other information in electronic form. In addition, most LPL policies require that claims arise in the performance of professional services, which further limits any potential coverage because many insurers only view services performed for others as “professional services” and don’t consider the mere operation of a computer network as a professional legal service. Therefore, many LPL policy holders will not have coverage for these types of claims.
Regulatory actions arising out of your negligent or intentional transmission of a computer attack such as a virus, hacker attack or DDOS to others.
Frequency: L. Severity: M. Coverage: Arguably Not Covered. Comments: Many LPL policies cover disciplinary proceedings, but most insurers exclude coverage for all regulatory actions or provide limited regulatory coverage for professional misconduct only. Furthermore, most LPL insurers don’t provide coverage for damages associated with disciplinary or regulatory actions. Overall, it is unlikely an LPL insurer would cover this type of claim.
Civil suits arising out of a computer attack on your system by a third party or an employee that damages, corrupts or destroys firm or client data.
Frequency: M. Severity: M. Coverage: Possibly Covered. Comments: Most LPL policies do not have exclusionary language for damage or destruction of client data or a computer attack exclusion. However, some LPL policies specifically exclude coverage for property damage, which in some cases extends to damage to electronic data. Also, when employees are culpable, insurers may attempt to apply the fraud exclusion or argue that employees intentionally destroying client files are acting outside the scope of their employment. However, most policies do not have exclusions to address this loss scenario.
Regulatory actions arising out of a computer attack on your system by a third party or an employee that damages, corrupts or destroys firm client data.
Frequency: M. Severity: L. Coverage: Possibly Covered. Comments: Depending on the facts of the claim, some coverage may exist. Loss of client data is a common cause of covered LPL related losses, but destruction of such information may well fall under the property damage liability exclusion depending on the exact wording. Also, many LPL policies provide small sub limits of coverage for disciplinary proceedings and may also include narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and is frequently sub limited to nominal amounts. In addition, where employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment.
Civil suits arising out of a computer attack on your computer system by a third party or an employee that causes computer system downtime and prevents clients from accessing your services.
Frequency: M. Severity: L. Coverage: Arguably Covered. Comments: A delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by a computer attack, carriers could argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition of professional services. However, in many cases the services provided by law firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered.
Regulatory actions arising out of a computer attack on your computer system by a third party or an employee that causes computer system downtime and prevents clients from accessing your services.
Frequency: M. Severity: L. Coverage: Possibly Covered. Comments: As noted above, claims for a delay in the delivery of services to clients are frequently covered by LPL policies. Many LPL policies include small sub limits of coverage for disciplinary proceedings and some even have narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited. In addition, where employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment.
Civil suits arising out of a computer attack on your computer system by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: M. Severity: H. Coverage: Possibly Covered. Comments: Data breaches are not specifically excluded by most LPL policies, so depending on the facts of the claim there may be coverage. Some scenarios such as a breach of employee data are probably not covered due to exclusions such as insured versus insured. Coverage for other scenarios is not so clear. Insurers have a history of declining claims for data breaches in E&O policies. The recent increase in data breaches at law firms is resulting in an influx of claims tendered to LPL insurers. Policyholders argue that disclosure of client data is a breach of duty or breach of privilege. Most often, carriers argue that coverage is limited to claims arising in the performance of professional services and the collection and storage of consumer, client or employee data is not a professional service, so coverage is not triggered by data breaches. This argument has been successful in other industries and it may be successful in the legal industry depending on the type of data disclosed. For example, safeguarding the payment information of clients is not necessarily a professional legal service, but keeping confidential client information relating to a merger, lawsuit or other legal matter may well be a professional service. In either case, insurers may not willingly pay claims they didn’t underwrite for and large claims will likely result in coverage disputes. Also, the damages associated with many privacy claims include a large consumer redress fund, which wouldn’t be covered by most LPL policies, so actual coverage for a claim involving PII is very limited. Furthermore, when employees are culpable in the theft of data, insurers may turn to conduct exclusions or argue that employees were acting outside the scope of employment.
Regulatory actions arising out of a computer attack on your computer system by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: M. Coverage: Arguably Not Covered. Comments: As discussed in the row above, coverage for data breaches is not specifically excluded by most LPL policies, so depending on the specific facts of a claim some coverage may exist for civil suits. Substantive coverage for regulatory actions is less likely. Many LPL policies do include small sub limits of defense only coverage for disciplinary proceedings and some even have narrow regulatory defense only coverage for professional misconduct. However, no coverage is available for damages, fines or penalties and the defense cost coverage is typically limited to $25,000 or less per claim. In addition, where employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment. The LPL insurers are likely to exclude any data breach resulting in regulatory actions.
Civil suits arising out of a computer attack by a third party or employee on the computer system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Coverage: Arguably Not Covered. Comments: As discussed in other parts of this overview, data breaches are not specifically excluded by most LPL policies and there may or may not be coverage depending on the facts of the claim. Some scenarios such as a breach of employee data are probably not covered due to exclusions such as insured versus insured. Other scenarios are more difficult to predict. Professional liability insurers may argue that coverage is limited to claims arising in the performance of professional services and the collection and storage of data is not a professional service, so coverage is not triggered by data breaches. This argument has been successful in other industries and it may be successful in the legal industry depending on the type of data disclosed. When considering coverage for data breaches at a vendor, LPL insurers may have more ammunition to decline claims. Many LPL policies do not provide substantive coverage for vicarious liability and some LPL policies specifically exclude it. Also, consumer redress damages are not usually covered by LPL policies. Furthermore, when employees are culpable in the theft of data, insurers may turn to conduct exclusions or argue that employees were acting outside the scope of employment. Ultimately, the lack of vicarious liability coverage in LPL policies provides insurers with a strong argument not to cover data breaches at vendor locations.
Regulatory actions arising out of a computer attack on the computer system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Coverage: Arguably Not Covered. Comments: As discussed in the row above, coverage in LPL policies for data breaches at vendor locations is restricted in many ways. Substantive coverage for regulatory actions is even less likely. In addition to the reasons why civil suits are not covered, many LPL insurers don’t cover regulatory actions at all. Many policies do include small sub limits of defense only coverage for disciplinary proceedings and some even have narrow regulatory defense only coverage for professional misconduct. However, no coverage is available for damages, fines or penalties and the defense cost coverage is typically limited to $25,000 or less per claim. Also, when employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment. The LPL insurers are likely to exclude any data breach at a vendor location resulting in regulatory actions.
A legal duty to notify consumers is triggered by a computer attack on your computer system or the system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”).
Frequency: H. Severity: M. Coverage: Arguably Not Covered. Comments: LPL policies do not contain 1st party coverage modules for crisis management or breach notification. In the unlikely event of a covered claim for disclosure of client PII, LPL policy holders could request coverage for breach notification costs as part of claim expenses to mitigate the potential severity of the loss. However, the insurers are not required to consent to such costs and it’s unlikely they would willingly pay notification expenses.
You incur loss mitigation expenses such as credit monitoring or ID theft education for victims to mitigate potential loss from a computer attack on your computer system or the system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”).
Frequency: M. Severity: L. Coverage: Arguably Not Covered. Comments: LPL policies do not contain 1st party coverage modules for crisis management or breach notification expenses of any kind. In the unlikely event of a covered claim for disclosure of client PII, LPL policy holders could request coverage for credit monitoring, ID theft education, etc. as part of claim expenses to mitigate the potential severity of the loss. However, the insurers are not required to consent to such costs and, based on their historical response to such requests, it’s unlikely they would willingly pay loss mitigation expenses.
You incur crisis management or public relations expenses to mitigate damage to your brand following a computer attack by a third party or employee on your computer system or the computer system of a vendor.
Frequency: H. Severity: L. Coverage: Arguably Not Covered. Comments: LPL policies do not contain 1st party coverage modules for crisis management or public relations expenses. In the event a computer attack results in a covered claim under an LPL policy, the policy holders could attempt to convince insurers that public relations expenses or crisis management expenses would reduce possible liability losses. It’s unlikely insurers would pay any crisis management or public relations expenses because LPL policies were not underwritten for such expenses.
Civil suits arising out of an error by a third party or an employee that damages, corrupts or destroys firm or client data.
Frequency: M. Severity: M. Coverage: Possibly Covered. Comments: Although administrative errors causing destruction or loss of client data are a very common source of LPL claims, coverage is unusually grey. It does not appear that loss of client data, such as evidence, is excluded. However, several LPL insurers specifically exclude coverage for property damage liability, which in some cases extends to damage to electronic data. Therefore, any such coverage for loss occurring electronically is very much fact specific. This may be a coverage clients wish to clarify with LPL insurers at renewal.
Regulatory actions arising out of an error by a third party or an employee that damages, corrupts or destroys firm client data.
Frequency: M. Severity: L. Coverage: Possibly Covered. Comments: Depending on the facts of the claim some coverage may exist, but it’s a very gray area. Loss or destruction of client data is a common cause of covered LPL related losses and insurers frequently cover accidental loss of evidence, but property damage liability exclusions can severely limit any available coverage. Furthermore, many LPL policies provide small sub limits of coverage for disciplinary proceedings and may also include narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited to small amounts.
Civil suits arising out of an error by a third party or an employee that results in impairment of the firm’s computer system preventing clients from accessing legal services.
Frequency: M. Severity: L. Coverage: Arguably Covered. Comments: A delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by an administrative error, the LPL insurer could argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition of professional services. However, in many cases the services provided by law firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered.
Civil suits arising out of an error by a third party or an employee that results in impairment of the firm’s computer system preventing clients from accessing legal services.
Frequency: M. Severity: L. Coverage: Arguably Covered. Comments: As noted above, claims for a delay in the delivery of services to clients are frequently covered by LPL policies. Many LPL policies include small sub limits of coverage for disciplinary proceedings and some even have narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited to nominal amounts. Therefore, even where the firm is “covered” it may be for an amount far less than the policy limit and the firm may end up self-insuring most of the loss.
Civil suits arising out of an error by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Coverage: Possibly Covered. Comments: Unauthorized disclosure of private or confidential information is not often specifically excluded in LPL policies, so depending on the facts of the claim there may be coverage. Some scenarios such as disclosure of employee data are probably not covered due to exclusions such as insured versus insured or employment practices liability. Coverage for other scenarios where private or confidential data is disclosed in an unauthorized manner is unclear. Depending on the facts of the claim, policyholders may argue that disclosure of client data is a breach of duty or privilege. Insurers frequently disagree with such an argument and take the position that coverage is restricted to errors and omissions occurring in the performance of professional services and that collection and storage of consumer, client or employee data is not a professional service. Ultimately, coverage for unauthorized disclosure of private information is still gray and likely depends on several factors. For example, it’s unlikely that LPL insurers will willingly pay claims where credit card information of clients is accidentally released. However, confidential client information relating to a merger, lawsuit or other legal matter that is accidentally disclosed may well be covered in an LPL policy. In addition, the damages associated with data breach claims frequently include a consumer redress fund, which is not usually covered in most LPL policies. This coverage issue will continue to be problematic until it is either specifically excluded or covered.
Regulatory actions arising out of an error by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: M. Coverage: Arguably Not Covered. Comments: As discussed in the row above, coverage for unauthorized disclosure of private or confidential information is not specifically excluded by most LPL policies, so depending on the specific facts of a claim some coverage may exist for civil suits. Substantive coverage for regulatory actions is less likely. LPL policies often include coverage for disciplinary proceedings and some even have narrow regulatory coverage for professional misconduct, but in the majority of LPL policies such disciplinary or regulatory coverage is restricted to defense costs only and the amount of coverage is typically sub limited to a small amount.
Civil suit from a communication error (email, text, fax, letter, etc.) that results in disclosure of client or employee PII or NPI.
Frequency: H. Severity: L. Coverage: Possibly Covered. Comments: Depending on the facts of the claim, some coverage may exist. Administrative errors are a very common cause of covered LPL related losses. The main argument insurers would make is that collection and maintenance of client information is not a professional service by itself, but this argument would probably only apply to PII in this scenario. If a communication error caused the disclosure of NPI such as details of a merger or case information, the LPL policy would likely respond.
Regulatory action from a communication error (email, text, fax, letter, etc.) that results in disclosure of client or employee PII or NPI.
Frequency: H. Severity: M. Coverage: Possibly Covered. Comments: Depending on the facts of the claim, some coverage may exist. Administrative errors are a very common cause of covered LPL related losses. The main argument insurers would make is that collection and maintenance of client information is not a professional service by itself, but this argument would probably only apply to PII in this scenario. If a communication error caused the disclosure of NPI such as details of a merger or case information, the LPL policy would likely respond. Unfortunately, most LPL insurers provide very little, if any, coverage for regulatory actions. In most cases any coverage for regulatory actions is limited to $25,000 or less per claim.
The content of your advertisement(s) or publication(s) is alleged to harm others that rely on or fail to rely on your content to make decisions.
Frequency: L. Severity: L. Coverage: Arguably Covered. Comments: Coverage for content based E&O is not specifically addressed in the personal and advertising injury section of most LPL policies, but the definition of professional services does frequently include publication. Content based E&O is a common source of covered LPL claims.
The content of your advertisement(s) or publication(s) infringe on the intellectual property rights of others.
Frequency: M. Severity: M. Coverage: Possibly Covered. Comments: Some LPL policies specifically cover infringement of copyright, trademark, trade dress, trade name or service mark (not patent or trade secret) in the content of advertisements. However, most LPL policies do not extend the same intellectual property coverage to other publications. Although it’s not nearly as broad as traditional media liability coverage, it is adequate for companies with limited publishing exposure. Law firms with a large publishing risk need to look at this coverage more closely.
The content of your advertisement(s) or publication(s) defame others.
Frequency: L. Severity: M. Coverage: Arguably Covered. Comments: Many LPL policies specifically cover defamation in the performance of professional services. Defamation not arising out of professional services is usually included as a coverage in a CGL policy.
The content of your advertisement(s) or publication(s) violates others’ right to privacy or publicity.
Frequency: L. Severity: M. Coverage: Arguably Covered. Comments: Many LPL policies specifically cover violation of rights of privacy in the performance of professional services, but do not specifically cover violation of an individual’s right of publicity. Invasion of privacy not arising out of professional services is usually included as a coverage in a CGL policy. Law firms with significant exposure to violation of rights of publicity may want to consider better dovetailing the CGL and LPL together in this area.
The collection of information in your advertising or publishing activities violates others’ rights to privacy or publicity.
Frequency: M. Severity: H. Coverage: Arguably Not Covered. Comments: Depending on the facts of the claim, some coverage may exist, but in many cases finding such coverage is unlikely. The collection of information through website forms, cookies with tracking, or bulk emails with tracking is a very common activity at modern companies. Unfortunately it’s very easy to violate laws governing privacy or even your own privacy policy. Insurers may argue that claims for unauthorized collection, violations of your own privacy policy or regulatory violations that occur during the collection of data are not covered. The argument insurers would make is that collection and maintenance of client information is not a professional service by itself and that regulatory violations like COPPA that occur during data collection, or violations of your own privacy policy, whether intentional by reselling data or unintentional due to errors with opt-in/opt-out agreements, are far outside of the intended scope of coverage. If your firm faced a claim for unauthorized collection, it’s unlikely the LPL carrier would respond, and most LPL insurers provide very little, if any, coverage for regulatory actions. In most cases any coverage for regulatory actions is limited to $25,000 or less per claim.
The content of your advertisement(s) or publication(s) cause other personal injury to others.
Frequency: L. Severity: M. Coverage: Possibly Covered. Comments: Many LPL policies have broad coverage grants for other personal injury including false arrest, detention, imprisonment, malicious prosecution, wrongful entry, eviction or other invasion of private occupancy. These coverage grants are not limited to specified types of publishing, but in some cases they are restricted to professional services only. This is an area where there is a significant difference in coverage between insurers. Some carriers provide a broad enough grant of coverage to address the traditional offline publishing as well as emerging online publishing including websites, blogging, social media and bulk email. In other cases LPL insurers restrict coverage to a narrowly defined set of professional services that don’t appear to include broader publishing activities.
Civil suits arising out of mechanical breakdown of your computer system that results in the damage, destruction or disclosure of client data.
Frequency: L. Severity: M. Coverage: Possibly Covered. Comments: Most LPL policies do not have a computer attack exclusion. However, some LPL policies specifically exclude coverage for property damage, which in some cases extends to damage to electronic data. Also, when employees are culpable, insurers may attempt to apply the fraud exclusion or argue that employees intentionally destroying client files are acting outside the scope of their employment. However, most policies do not have exclusions to address this loss scenario. Going forward, coverage for this type of claim could be specifically restricted. Some LPL insurers are introducing “mechanical failure” exclusions common to other types of E&O policies. It’s not widespread at this point, but policyholders need to be wary of the inclusion of such language at renewals.
Mechanical breakdown of your computer system prevents clients from accessing your services.
Frequency: L. Severity: L. Coverage: Possibly Covered. Comments: A delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by a mechanical breakdown, the insurer may argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition of professional services. However, in many cases the services provided by law firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered for now. That said, some LPL insurers are beginning to attach the standard “mechanical failure” language to the policies and it’s possible such wording will be adopted widely in the near future.
Loss ScenariosFrequency
H / M/ L
Severity
H / M / L
CoverageComments
Civil suits arising out of your negligent or intentional transmission of a computer attack such as virus, hacker attack or DDOS to others.LMArguably Not Covered - The majority of LPL policies do not have exclusions for computer attacks. However, most policies specifically exclude coverage for property damage, which in some cases extend to damage to intangible property such as software, data or other information in electronic forms. In addition, most LPL policies require that claims arise in the performance of professional services, which further limits any potential coverage because many insurers only view services performed for others as “professional services” and don’t consider the mere operation of a computer network as a professional legal service. Therefore, many LPL policy holders will not have coverage for these types of claims.
Regulatory actions arising out of the arising out of your negligent or intentional transmission of a computer attack such as virus, hacker attack or DDOS to others.LMArguably Not Covered – Many LPL policies cover disciplinary proceedings, but most insurers exclude coverage for all regulatory actions or provide limited regulatory coverage for professional misconduct only. Furthermore, most LPL insurers don’t provide coverage for damages associated with disciplinary or regulatory actions. Overall, it is unlikely an LPL insurer would cover this type of claim.
Civil suits arising out of a computer attack on your system by a third party or an employee that damages, corrupts or destroys firm or client data.MMPossibly Covered – Most LPL polices do not have exclusionary language for damage or destruction of client data or a computer attack exclusion. However, some LPL policies specifically exclude coverage for property damage, which in some cases extends to damage to electronic data. Also, when employees are culpable, insurers may attempt to apply the fraud exclusion or argue that employees intentionally destroying client files are acting outside the scope of their employments. However, most policies do not have exclusions to address this loss scenario.
Regulatory actions arising out of a computer attack on your system by a third party or an employee that damages, corrupts or destroys firm client data.MLPossibly Covered - Depending on the facts of the claim, some coverage may exist. Loss of client data are a common cause of covered LPL related losses, but destruction of such information may well fall under the property damage liability exclusion depending on the exact wording. Also, many LPL policies provide small sub limits of coverage for disciplinary proceedings and may also include narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and are frequently sub limited to nominal amounts. In addition, where employees are involved insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment.
Civil suits arising out of a computer attack on your computer system by a third party or an employee that causes computer system downtime and prevents clients from accessing your services.MLArguably Covered – a delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by a computer attack carriers could argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition professional services. However, in many cases the services provided by Law Firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered.
Regulatory actions arising out of a computer attack on your computer system by a third party or an employee that causes computer system downtime and prevents clients from accessing your services.MLPossibly Covered – As noted above, claims for a delay in the delivery of services to clients is frequently covered by LPL policies. Many LPL policies include small sub limits of coverage for disciplinary proceedings and some even have narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited. In addition, where employees are involved insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment.
Civil suits arising out of a computer attack on your computer system by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).MHPossibly Covered - Data breaches are not specifically excluded by most LPL policies, so depending on the facts of the claim there may be coverage. Some scenarios such as a breach of employee data are probably not covered due to exclusions such as insured versus insured. Coverage for other scenarios are not so clear. Insurers have a history of declining claims for data breaches in E&O policies. The recent increase in data breaches at law firms is resulting in an influx of claims tendered to LPL insurers. Policyholders argue that disclosure of client data is a breach of duty or breach of privilege. Most often, carriers argue that coverage is limited to claims arising in the performance of professional services and the collection and storage of consumer, client or employee data is not a professional service, so coverage is not triggered by data breaches. This argument has been successful in other industries and it may be successful in the legal industry depending on the type of data disclosed. For example, safeguarding the payment information of clients is not necessarily a professional legal service, but keeping confidential client information relating to a merger, law suit or other legal matter may well be a professional service. In either case, insurers may not willingly pay claims they didn’t underwrite for and large claims will likely result in coverage disputes. Also, the damages associated with many privacy claims include a large consumer redress fund, which wouldn’t be covered by most LPL policies, so actual coverage for a claim involving PII is very limited. Furthermore, when employees are culpable in the theft of data, insurers may turn to conduct exclusions or argue that employees were acting outside the scope of employment.
Regulatory actions arising out of a computer attack on your computer system by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: M. Arguably Not Covered – As discussed in the row above, coverage for data breaches is not specifically excluded by most LPL policies, so depending on the specific facts of a claim some coverage may exist for civil suits. Substantive coverage for regulatory actions is less likely. Many LPL policies do include small sub limits of defense only coverage for disciplinary proceedings and some even have narrow regulatory defense only coverage for professional misconduct. However, no coverage is available for damages, fines or penalties and the defense cost coverage is typically limited to $25,000 or less per claim. In addition, where employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment. The LPL insurers are likely to exclude any data breach resulting in regulatory actions.
Civil suits arising out of a computer attack by a third party or employee on the computer system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Arguably Not Covered – As discussed in other parts of this overview, data breaches are not specifically excluded by most LPL policies and there may or may not be coverage depending on the facts of the claim. Some scenarios such as a breach of employee data are probably not covered due to exclusions such as insured versus insured. Other scenarios are more difficult to predict. Professional liability insurers may argue that coverage is limited to claims arising in the performance of professional services and the collection and storage of data is not a professional service, so coverage is not triggered by data breaches. This argument has been successful in other industries and it may be successful in the legal industry depending on the type of data disclosed. When considering coverage for data breaches at a vendor, LPL insurers may have more ammunition to decline claims. Many LPL policies do not provide substantive coverage for vicarious liability and some LPL policies specifically exclude it. Also, consumer redress damages are not usually covered by LPL policies. Furthermore, when employees are culpable in the theft of data, insurers may turn to conduct exclusions or argue that employees were acting outside the scope of employment. Ultimately, the lack of vicarious liability coverage in LPL policies provides insurers with a strong argument not to cover data breaches at vendor locations.
Regulatory actions arising out of a computer attack on the computer system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Arguably Not Covered – As discussed in the row above, coverage in LPL policies for data breaches at vendor locations is restricted in many ways. Substantive coverage for regulatory actions is even less likely. In addition to the reasons why civil suits are not covered, many LPL insurers don’t cover regulatory actions at all. Many policies do include small sub limits of defense only coverage for disciplinary proceedings and some even have narrow regulatory defense only coverage for professional misconduct. However, no coverage is available for damages, fines or penalties and the defense cost coverage is typically limited to $25,000 or less per claim. Also, when employees are involved, insurers may argue that conduct exclusions apply or that employees are acting outside the scope of their employment. The LPL insurers are likely to exclude any data breach at a vendor location resulting in regulatory actions.
A legal duty to notify consumers is triggered by a computer attack on your computer system or the system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”).
Frequency: H. Severity: M. Arguably Not Covered – LPL policies do not contain 1st party coverage modules for crisis management or breach notification. In the unlikely event of a covered claim for disclosure of client PII, LPL policy holders could request coverage for breach notification costs as part of claim expenses to mitigate the potential severity of the loss. However, the insurers are not required to consent to such costs and it’s unlikely they would willingly pay notification expenses.
You incur loss mitigation expenses such as credit monitoring or ID theft education for victims to mitigate potential loss from a computer attack on your computer system or the system of a vendor maintaining your data that results in the disclosure of client or employee personally identifiable information (“PII”).
Frequency: M. Severity: L. Arguably Not Covered – LPL policies do not contain 1st party coverage modules for crisis management or breach notification expenses of any kind. In the unlikely event of a covered claim for disclosure of client PII, LPL policy holders could request coverage for credit monitoring, ID theft education, etc. as part of claim expenses to mitigate the potential severity of the loss. However, the insurers are not required to consent to such costs and, based on their historical response to such requests, it’s unlikely they would willingly pay loss mitigation expenses.
You incur crisis management or public relations expenses to mitigate damage to your brand following a computer attack by a third party or employee on your computer system or the computer system of a vendor.
Frequency: H. Severity: L. Arguably Not Covered - LPL policies do not contain 1st party coverage modules for crisis management or public relations expenses. In the event a computer attack results in a covered claim under an LPL policy, the policy holders could attempt to convince insurers that public relations expenses or crisis management expenses would reduce possible liability losses. It’s unlikely insurers would pay any crisis management or public relations expenses because LPL policies were not underwritten for such expenses.
Civil suits arising out of an error by a third party or an employee that damages, corrupts or destroys firm or client data.
Frequency: M. Severity: M. Possibly Covered – Although administrative errors causing destruction or loss of client data are a very common source of LPL claims, coverage is unusually grey. It does not appear that loss of client data, such as evidence, is excluded. However, several LPL insurers specifically exclude coverage for property damage liability, which in some cases extends to damage to electronic data. Therefore, any such coverage for loss occurring electronically is very much fact specific. This may be a coverage clients wish to clarify with LPL insurers at renewal.
Regulatory actions arising out of an error by a third party or an employee that damages, corrupts or destroys firm or client data.
Frequency: M. Severity: L. Possibly Covered - Depending on the facts of the claim some coverage may exist, but it’s a very gray area. Loss or destruction of client data is a common cause of covered LPL related losses and insurers frequently cover accidental loss of evidence, but property damage liability exclusions can severely limit any available coverage. Furthermore, many LPL policies provide small sub limits of coverage for disciplinary proceedings and may also include narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited to small amounts.
Civil suits arising out of an error by a third party or an employee that results in impairment of the firm’s computer system preventing clients from accessing legal services.
Frequency: M. Severity: L. Arguably Covered – A delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by an administrative error, the LPL insurer could argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition of professional services. However, in many cases the services provided by law firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered.
Civil suits arising out of an error by a third party or an employee that results in impairment of the firm’s computer system preventing clients from accessing legal services.
Frequency: M. Severity: L. Arguably Covered – As noted above, claims for a delay in the delivery of services to clients are frequently covered by LPL policies. Many LPL policies include small sub limits of coverage for disciplinary proceedings and some even have narrow regulatory defense coverage for professional misconduct. However, available coverage is usually for defense costs only and frequently sub limited to nominal amounts. Therefore, even where the firm is “covered” it may be for an amount far less than the policy limit and the firm may end up self-insuring most of the loss.
Civil suits arising out of an error by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: H. Possibly Covered – Unauthorized disclosure of private or confidential information is not often specifically excluded in LPL policies, so depending on the facts of the claim there may be coverage. Some scenarios such as disclosure of employee data are probably not covered due to exclusions such as insured versus insured or employment practices liability. Coverage for other scenarios where private or confidential data is disclosed in an unauthorized manner is unclear. Depending on the facts of the claim, policyholders may argue that disclosure of client data is a breach of duty or privilege. Insurers frequently disagree with such an argument and take the position that coverage is restricted to errors and omissions occurring in the performance of professional services and that collection and storage of consumer, client or employee data is not a professional service. Ultimately, coverage for unauthorized disclosure of private information is still gray and will likely depend on several factors. For example, it’s unlikely that LPL insurers will willingly pay claims where credit card information of clients is accidentally released. However, confidential client information relating to a merger, lawsuit or other legal matter that is accidentally disclosed may well be covered in an LPL policy. In addition, the damages associated with data breach claims frequently include a consumer redress fund, which is not usually covered by most LPL policies. This coverage issue will continue to be problematic until it is either specifically excluded or covered.
Regulatory actions arising out of an error by a third party or employee resulting in disclosure of client or employee personally identifiable information (“PII”) or non public information of a client (“NPI”).
Frequency: H. Severity: M. Arguably Not Covered – As discussed in the row above, coverage for unauthorized disclosure of private or confidential information is not specifically excluded by most LPL policies, so depending on the specific facts of a claim some coverage may exist for civil suits. Substantive coverage for regulatory actions is less likely. LPL policies often include coverage for disciplinary proceedings and some even have narrow regulatory coverage for professional misconduct, but in the majority of LPL policies such disciplinary or regulatory coverage is restricted to defense costs only and the amount of coverage is typically sub limited to a small amount.
Civil suit from a communication error (email, text, fax, letter, etc.) that results in disclosure of client or employee PII or NPI.
Frequency: H. Severity: L. Possibly Covered - Depending on the facts of the claim, some coverage may exist. Administrative errors are a very common cause of covered LPL related losses. The main argument insurers would make is that collection and maintenance of client information is not a professional service by itself, but this argument would probably only apply to PII in this scenario. If a communication error caused the disclosure of NPI such as details of a merger or case information, the LPL policy would likely respond.
Regulatory action from a communication error (email, text, fax, letter, etc.) that results in disclosure of client or employee PII or NPI.
Frequency: H. Severity: M. Possibly Covered - Depending on the facts of the claim, some coverage may exist. Administrative errors are a very common cause of covered LPL related losses. The main argument insurers would make is that collection and maintenance of client information is not a professional service by itself, but this argument would probably only apply to PII in this scenario. If a communication error caused the disclosure of NPI such as details of a merger or case information, the LPL policy would likely respond. Unfortunately, most LPL insurers provide very little, if any, coverage for regulatory actions. In most cases any coverage for regulatory actions is limited to $25,000 or less per claim.
The content of your advertisements or publication(s) is alleged to harm others that rely on or fail to rely on your content to make decisions.
Frequency: L. Severity: L. Arguably Covered - Coverage for content based E&O is not specifically addressed in the personal and advertising injury section of most LPL policies, but the definition of professional services does frequently include publication. Content based E&O is a common source of covered LPL claims.
The content of your advertisement(s) or publication(s) infringes on the intellectual property rights of others.
Frequency: M. Severity: M. Possibly Covered – Some LPL policies specifically cover infringement of copyright, trademark, trade dress, trade name or service mark (not patent or trade secret) in the content of advertisements. However, most LPL policies do not extend the same intellectual property coverage to other publications. Although it’s not nearly as broad as traditional media liability coverage, it is adequate for companies with limited publishing exposure. Law firms with a large publishing risk need to look at this coverage more closely.
The content of your advertisement(s) or publication(s) defames others.
Frequency: L. Severity: M. Arguably Covered – Many LPL policies specifically cover defamation in the performance of professional services. Defamation not arising out of professional services is usually included as a coverage in a CGL policy.
The content of your advertisement(s) or publication(s) violates others’ right to privacy or publicity.
Frequency: L. Severity: M. Arguably Covered – Many LPL policies specifically cover violation of rights of privacy in the performance of professional services, but do not specifically cover violation of an individual’s right of publicity. Invasion of privacy not arising out of professional services is usually included as a coverage in a CGL policy. Law firms with significant exposure to violation of rights of publicity may want to consider better dovetailing the CGL and LPL together in this area.
The collection of information in your advertising or publishing activities violates others’ rights to privacy or publicity.
Frequency: M. Severity: H. Arguably Not Covered - Depending on the facts of the claim, some coverage may exist, but in many cases finding such coverage is unlikely. The collection of information through website forms, cookies with tracking, or bulk emails with tracking is a very common activity at modern companies. Unfortunately it’s very easy to violate laws governing privacy or even your own privacy policy. Insurers may argue that claims for unauthorized collection, violations of your own privacy policy or regulatory violations that occur during the collection of data are not covered. The argument insurers would make is that collection and maintenance of client information is not a professional service by itself and that regulatory violations like COPPA that occur during data collection, or violations of your own privacy policy, whether intentional by reselling data or unintentional due to errors with opt-in/opt-out agreements, are far outside the intended scope of coverage. If your firm faced a claim for unauthorized collection, it’s unlikely the LPL carrier would respond and most LPL insurers provide very little, if any, coverage for regulatory actions. In most cases any coverage for regulatory actions is limited to $25,000 or less per claim.
The content of your advertisement(s) or publication(s) causes other personal injury to others.
Frequency: L. Severity: M. Possibly Covered – Many LPL policies have broad coverage grants for other personal injury including false arrest, detention, imprisonment, malicious prosecution, wrongful entry, eviction or other invasion of private occupancy. These coverage grants are not limited to specified types of publishing, but in some cases they are restricted to professional services only. This is an area where there is a significant difference in coverage between insurers. Some carriers provide a broad enough grant of coverage to address the traditional offline publishing as well as emerging online publishing including websites, blogging, social media and bulk email. In other cases LPL insurers restrict coverage to a narrowly defined set of professional services that don’t appear to include broader publishing activities.
Civil suits arising out of mechanical breakdown of your computer system that results in the damage, destruction or disclosure of client data.
Frequency: L. Severity: M. Possibly Covered - Most LPL policies do not have a computer attack exclusion. However, some LPL policies specifically exclude coverage for property damage, which in some cases extends to damage to electronic data. Also, when employees are culpable, insurers may attempt to apply the fraud exclusion or argue that employees intentionally destroying client files are acting outside the scope of their employments. However, most policies do not have exclusions to address this loss scenario. Going forward, coverage for this type of claim could be specifically restricted. Some LPL insurers are introducing “mechanical failure” exclusions common to other types of E&O policies. It’s not widespread at this point, but policyholders need to be wary of the inclusion of such language at renewals.
Mechanical breakdown of your computer system prevents clients from accessing your services.
Frequency: L. Severity: L. Possibly Covered – A delay in the delivery of services to clients is frequently in the scope of coverage provided by LPL policies. In a case where the delay is caused by a mechanical breakdown, the insurer may argue that impaired access to I.T. related services isn’t covered because such services are not included in the definition of professional services. However, in many cases the services provided by law firms that are just enabled by computers would be included in the definition of professional services and therefore impaired access to such services would arguably be covered for now. That said, some LPL insurers are beginning to attach the standard “mechanical failure” language to the policies and it’s possible such wording will be adopted widely in the near future.