Exclusively from Foa & Son
Here’s the scenario: A large (100+ employees), long established and well respected mechanical contractor has an agreement with a major national retail chain for maintaining cooling and refrigeration equipment in a number of the chain’s stores in their territory. As part of their service contract the contractor installed automatic sensing equipment on each unit and set up the monitors to report the status of all monitored equipment back to the contractor remotely, over the internet. In the event of a failure or breakdown the contractor would then be able to respond immediately and dispatch service personnel to deal with the problem. To effect this automatic communication the contractor obtained permission from the chain to access the chain’s IT system and internet connection, and set up their equipment monitors to report back to the contractor through that connection.
Hackers break into the contractor’s computer system. It’s later determined that the only security software used by the contractor was a free version downloaded from the internet. Using the access granted to the contractor by the retailer, the hackers then penetrated the retailer’s IT system. Having gained access through this unprotected back door, the bad guys remotely installed a bit of malicious code at each point of sale terminal in the retailer’s stores, both those within the contractor’s territory and elsewhere. This particular bit of code recorded credit and debit card numbers as they were swiped, stored them temporarily, then periodically transmitted them, through the contractor’s access point and system, to the black hats. Over a couple of weeks hundreds of millions of records were thus stolen, at huge cost to the chain.
The story is true. The retail chain was Target, and by now almost everyone has heard of this massive breach in early 2014. Details of the hack and how it was done are widely available with a simple Google search.
This was obviously a ruinous breach of security that has resulted in hundreds of millions of dollars of loss to Target. Liability for the loss was easily traced back to the contractor. The contractor reportedly had a standard commercial general liability insurance policy that insured for property damage liability. Here’s the problem with that, though: the property damage coverage in the standard CGL policy covers damage to tangible property. Computer records and credit card numbers are not tangible property, so any liability falling to the contractor for this loss, as described, would not be covered by a standard CGL policy. In fact, there has been no report in the insurance press of any insurance company paying any property damage claims related to this incident.
This is an extreme example, not so much because of the circumstances of the loss, but because of its size and the publicity it got. Examples abound of similar occurrences and claims, not covered by standard CGL policies, that contractors are incurring all the time. They can be ruinous; the contractor in this case was visited by the FBI and Secret Service, among others, and would have had no insurance coverage for any of the massive amounts of litigation spawned by the breach. Smaller claims can be equally damaging, but with the rise of technology and the digital information age, many contractors are not aware of the limitations in their CGL policies and the risks they face from the possibility of claims of loss or damage to the types of non-tangible property involved here.
Contractors (and others) can find insurance to cover losses like these; coverage is available. Unfortunately, there are a couple of practical problems with this new type of insurance. First, most contractors resist the idea of buying another insurance policy; second, project owners and construction managers have not yet caught up to the fact that this exposure exists and that the contractors they deal with have no insurance for these increasingly frequent types of claims. For the most part they have not yet begun to require it, and for those few who might try, go back and read the first point; contractors push back because “no one else asks for this”.
Stay tuned. This is an issue that will be evolving over the next few years.