Directors & Officers liability insurance—commonly known simply as D&O insurance—is meant to protect corporate directors and officers from, among other things, claims alleging breaches of duty and management failings that adversely affect the value of the company’s stock. And any event in which directors or officers are deemed to have had an oversight function could ultimately result in a claim that floats up to the director- or officer-level if the company’s stock suffers.
Like all types of insurance, D&O policies begin with fairly broad grants of coverage that are then whittled away by various exclusions. While D&O insurance policies are complex contracts, with numerous exclusions, there are two particular exclusions that might facially appear to not have much relevance to a tech company, but which insurers could assert as a bar to coverage for key parts of the company’s operations.
The “Invasion of Privacy” Exclusion.
The first of these is the exclusion of claims for “invasion of privacy.” That term is found in an exclusion for claims arising from bodily injury which, to a casual reader, might make sense because directors and officers are not typically accused of physically harming anyone, and coverage for those types of claims can typically be found in a general liability insurance policy. But among the items enumerated as forms of bodily injury is “invasion of privacy,” a term that could have significant implications for any company exposed to a high risk of a data breach. Indeed, it could be alleged that a data breach that results in the release of an individual’s confidential information—such as medical or financial information, among other things—invades that individual’s privacy rights.
The question of what “privacy” means under a liability insurance policy is not, however, entirely clear. Specifically, does it mean a right to secrecy or a right to seclusion? This question is presently under consideration by the California Supreme Court in Yahoo Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA, in which the policyholder, Yahoo, is seeking coverage under its general liability policy for alleged violations of the Telephone Consumer Protection Act (“TCPA”), a law that is meant to protect consumers from, among other things, unwanted telephone solicitations. Yahoo was alleged to have violated the TCPA by sending unsolicited text messages containing advertisements. Yahoo’s insurer denied coverage for this alleged liability on the premise that an unsolicited text message may violate a person’s right to seclusion (or to be left alone), but that the term “invasion of privacy” in the policy’s coverage grant is meant to refer only to a right to secrecy.
The California Supreme Court is considering this issue because there appeared to be some tension among California appellate court decisions. In reality, as an undefined policy term, a right to privacy should probably be deemed to refer to both a right to secrecy and a right to seclusion. Regardless, many commentators expect the California Supreme Court to rule in the insurer’s favor and hold that the right to privacy in the context of the coverage provided by the policy at issue is meant to refer solely to the right to secrecy.
While the Yahoo case provides an interesting view into that debate, the reality is that, if the California Supreme Court rules in the insurer’s favor, D&O insurers may be emboldened to rely on the “invasion of privacy” exclusion with respect to any data breach that releases personal or confidential information and that gives rise to securities and shareholder claims.
Any policyholder that is concerned about the potential for a large-scale data breach that could affect a company’s stock should be aware of this exclusion and attempt to minimize or remove it through negotiation during the insurance underwriting process.
The “Professional Services” Exclusion.
The second exclusion that might be overlooked at first blush is the so-called “professional services” exclusion. This exclusion typically attempts to bar coverage for claims “based upon, arising from, in consequence of, or in any way directly or indirectly relating to the rendering or failure to render professional services.” Insurers include these exclusions in their D&O policies because they believe that such claims are more appropriately covered under professional liability or errors and omissions (“E&O”) insurance policies, which are meant to protect companies against claims alleging negligence or malpractice in the rendering of “professional services” (a term that typically varies in definition depending on the policyholder’s industry).
The flaw in this theory is, again, the reality that any type of claim that causes a drop in a company’s stock also could become a D&O claim. The professional services exclusion should, therefore, be of concern to any company that provides a service as part of its core business. For example, a software company that provides installation, troubleshooting, or maintenance services along with the sale of its product is providing a service. If anything goes terribly wrong with that type of service, such as the widespread introduction of a virus or malware, that could result in a professional negligence claim. And, if the problem is big enough to affect the company’s stock, it could become a D&O problem. This is even more acute with respect to companies in which the provision of service is their core business, such as companies that provide computer networking or architecture services or that set up blockchains, etc. If anything goes wrong in the provision of such services, and an alleged liability bubbles up to the directors and officers, insurers might raise the professional services exclusion and deny coverage.
Policyholders in the tech industry should be aware of the professional services exclusion and seek to remove it or limit its scope when procuring or renewing their D&O policies. This should be a matter of negotiation. One suggestion is to seek more favorable wording, so that the exclusion bars coverage only “for” professional services claims, as opposed to one that bars coverage for claims “arising out of” professional services. The term “arising out of” is usually construed very broadly under the laws of most states as meaning “but for” causation: for example, but for the negligent rendering of professional services, there would not have been a stock drop. That language could prompt an insurer to assert the exclusion with respect to any claim that has any causal link to a professional service. But if the exclusion relates only to claims “for” the rendering of professional services, then it is possible to argue that any D&O claim is “for” the alleged failure to properly manage the company, not “for” any negligence in the rendering of professional services.
All tech companies should be aware of both of the above exclusions when procuring or renewing their D&O policies. While market factors drive what any given policyholder can accomplish through negotiation, there are reasonable limitations to these exclusions that accomplish their core goals without eviscerating the D&O coverage that the policyholder needs to properly protect its directors and officers.