Read time: 5 minutes
Insurance companies have been slow to introduce insurance products specifically tailored to the risks faced by data center operators. Until that occurs on a broader scale, operators will have to rely on more traditional insurance policies covering these risks. Some such policies are written on standardized insurance industry forms, but some are not. The terms of policies written on non-standard forms tend to vary from policy to policy and may be more negotiable than policies written on standardized forms.
Managing risk and resilience
But even standard policies – such as property and general liability – can be, and often are, modified meaningfully by endorsement. Thus, the extent of coverage available for key data center losses may turn on the operator’s attention to detail when purchasing and renewing its insurance policies. We review below the types of insurance coverages data center operators can purchase to protect against these risks and steps they can take to ensure maximum protection.
Property coverage
Property policies typically provide coverage for physical damage to the insured’s tangible assets, including its facilities and equipment. Some policies also provide “business interruption” coverage, which protects the insured’s income flow during the period that its normal business activities are interrupted by physical loss or damage covered by the policy. While property policies often are written on standardized forms, numerous forms exist in the marketplace that may vary in the scope of coverage provided.
A common example is water damage, which may result from both natural events and failures of a data center’s key infrastructure. Although water damage may be excluded generally under standard-form property policies, most policies can be endorsed to provide at least some protection – for example, for groundwater intrusion or malfunctioning pipes or sprinkler systems. Likewise, coverage for damage to computer equipment can vary substantially from policy to policy, and even policies that cover computer hardware may exclude coverage for the costs of replacing lost data.
In addition, policies vary in the scope of coverage provided for damage resulting from public utility incidents, including interruptions of power supply. For example, a policy may provide coverage for damage caused by a utility power surge, but not for damage caused by a utility power failure. Given that computer equipment and data are often a data center’s most valuable assets, data center operators should scrutinize their policy language to ensure they are receiving the broadest possible coverage with adequate limits.
Technology E&O coverage
Errors and omissions (E&O) policies generally protect against liability to third parties for losses arising from the insured’s errors or omissions in performing “professional services.” Thus, to the extent a data center hosts the data processing operations of its customers, these policies may provide coverage for claims arising from losses caused by acts or omissions of the host.
Some insurers offer specialized “Technology E&O” policies tailored to the unique needs of technology companies. Technology E&O policies often are combined with cyber policies (discussed in the next section) and sold as part of the same policy. Because these policies are not written on standard industry forms, their specific terms often vary. For example, Technology E&O policies generally cover claims arising from unanticipated service interruptions affecting the data center’s customers, but exclude coverage for such claims caused by failure of power, utility or telecommunications systems – as opposed to failure of systems in the data center’s direct control, such as its cooling or backup power generation systems.
Data center operators should be especially mindful of these variations and seek to negotiate key coverage limitations when purchasing or renewing their E&O policies.
Cyber coverage
Cyber coverage typically protects against a broad range of first-party losses and liability claims arising from data breaches and other disclosures of non-public information. A data center that processes information owned by third parties may be liable for unauthorized disclosure of their non-public information.
Data center operators should review their cyber policies carefully for exclusions or limitations that may apply to their liability coverage under circumstances particular to their operations and purchase cyber liability limits commensurate with the amount and sensitivity of non-public data in their possession.
General liability coverage
Data centers increasingly have become the subject of claims from surrounding residents alleging harms and nuisances, including noise, vibrations and discharges of harmful substances. General liability (GL) coverage generally protects the insured against claims of bodily injury and property damage, but is subject to limitations. For example, GL policies typically are subject to exclusions for pollution-related claims. However, a data center operator may be able to negotiate specific exceptions for claims arising from accidental discharges of pollutants unique to its operations – such as diesel emissions from power equipment or PFAs from two-phase cooling systems.
Similarly, some insurers may assert that noise and vibration are pollutants for purposes of GL pollution exclusions – and therefore may deny coverage for resulting bodily injury or property damage claims. Data center operators should consider seeking endorsements to their policies expressly carving out discharges unique to their operations from the scope of otherwise excluded pollution. If such coverage is not available from its GL insurer, an operator may be able to secure specialized pollution liability insurance to cover such claims.
In light of these often unique and substantial risks, data center operators should carefully assess the specific coverage provided (or not provided) by their current policies. Where appropriate, they should consult with their insurance brokers and experienced policyholder-side insurance coverage counsel to identify and address any latent coverage gaps.