Policy Guides

Search InfoCentral

Information Security Protection Policy (ISO)

Conditions
EC 00 10

1. Cancellation

a. The first "named insured" shown in the Declarations may cancel this Policy by mailing or delivering to us advance written notice of cancellation.

b. We may cancel this Policy by mailing or delivering to the first "named insured" written notice of cancellation at least:

(1) 10 days before the effective date of cancellation if we cancel for nonpayment of premium; or

(2) 30 days before the effective date of cancellation if we cancel for any other reason.

c. We will mail or deliver our notice to the first "named insured's" last mailing address known to us.

d. Notice of cancellation will state the effective date of cancellation. The "policy period" will end on that date.

e. If this Policy is canceled, we will send the first "named insured" any premium refund due. If we cancel, the refund will be prorated. If the first "named insured" cancels, the refund may be less than pro rata. The cancellation will be effective even if we have not made or offered a refund.

f. If notice is mailed, proof of mailing will be sufficient proof of notice.

1. Cancellation

Endorsement EC 02 39 (Texas Changes – Cancellation and Nonrenewal) amends the policy to comply with Texas laws and regulations regarding cancellation and nonrenewal. 

Policy Language

Explanation

2. Changes

This Policy contains all the agreements between you and us concerning the insurance afforded. The first "named insured" shown in the Declarations is authorized to make changes in the terms of this Policy with our consent. This Policy's terms can be amended or waived only by endorsement issued by us and made a part of this Policy.

2. Changes

This standard provision establishes that changes to the policy can be made only with the consent of the company. All requests for changes in the policy must be made by the first insured shown on the policy Declarations.

SECTION VI – CONDITIONS
Section VI - Conditions
3. Examination Of Your Books And Records

We may examine and audit your books and records as they relate to this Policy at any time during the "policy period" and up to three years afterward.

3. Examination of Your Books and Records

The company retains the right to audit the account for up to three years after the policy expires.

4. Inspections And Surveys

a. We have the right to:

(1) Make inspections and surveys at any time;

(2) Give you reports on the conditions we find; and

(3) Recommend changes.

b. We are not obligated to make any inspections, surveys, reports or recommendations, and any such actions we do undertake relate only to insurability and the premiums to be charged. We do not make safety inspections. We do not undertake to perform the duty of any person or organization to provide for the health or safety of workers or the public. And we do not warrant that conditions:

(1) Are safe or healthful; or

(2) Comply with laws, regulations, codes or standards.

c. Paragraphs 4.a. and 4.b. of this condition apply not only to us, but also to any rating, advisory, rate service or similar organization which makes insurance inspections, surveys, reports or recommendations.

4. Inspections and Surveys

This provision is a disclaimer by the company of any responsibility for health or safety violations by an insured, even if such violations are discovered during a routine loss control inspection of the insured's workplace.

5. Premiums

The first "named insured" shown in the Declarations:

a. Is responsible for the payment of all premiums; and

b. Will be the payee for any return premiums we pay.

5. Premiums

Only the first insured listed on the policy Declarations is responsible for payment of the premium. Return premium checks should be made out to the first named insured as well.

6. Transfer Of Your Rights And Duties Under This Policy

Your rights and duties under this Policy may not be transferred without our written consent, except in the case of death of an individual "named insured".

If you are a sole proprietor and you die, your rights and duties will be transferred to your legal representative but only while acting within the scope of duties as your legal representative. Until your legal representative is appointed, anyone having proper temporary custody of your property will have your rights and duties but only with respect to that property.

6. Transfer Of Your Rights And Duties Under This Policy

The policy cannot be transferred to another insured, such as a purchaser of the business, without the consent of the company. The only exception applies to individual named insureds on the policy (not additional insureds) who die. In that case, the deceased insured's legal representative has the same protection, and the same duties afforded to the named insured.

7. Subrogation

With respect to any payment made under this Policy on behalf of any "insured", we shall be subrogated to the "insured's" rights of recovery to the extent of such payment. The "insured" shall execute all papers required and shall do everything necessary to secure and preserve such rights, including the execution of such documents necessary to enable us to bring suit in the "insured's" name. Any recoveries, less the cost of obtaining them, will be distributed as follows:

a. To you, until you are reimbursed for any "loss" you sustain that exceeds the sum of the applicable Aggregate Limit of Insurance and the Deductible Amount, if any;

b. Then to us, until we are reimbursed for the payment made under this Policy; and

c. Then to you, until you are reimbursed for that part of the payment equal to the Deductible Amount, if any.

7. Subrogation

This condition guarantees the company's right to subrogation, although that right is well established in law even without the policy language. If the company pays damages under the policy on behalf of the insured, the company has the legal right to seek indemnification from a liable party. 

Under the condition as worded here, the insured does not necessarily have a right to waive the insurer's right of subrogation prior to a loss, as is found in many other types of policies. 

8. Bankruptcy 

Your bankruptcy, or the bankruptcy of your estate if you are a sole proprietor, will not relieve us of our obligations under this Policy.

8. Bankruptcy
9. Representations

You represent that all information and statements contained in the "application" are true, accurate and complete. All such information and statements are the basis for our issuing this Policy and shall be considered as incorporated into and shall constitute a part of this Policy. Misrepresentation of any material fact may be grounds for the rescission of this Policy.

9. Representations

The application is made part of the policy and any misrepresentations on the application may result in rescission of the policy.

10. Changes In Exposure

a. Acquisition Or Creation Of Another Organization

If before or during the "policy period":

(1) You acquire securities or voting rights in another organization or create another organization which, as a result of such acquisition or creation, becomes a "subsidiary"; or 

(2) You acquire any organization through merger or consolidation; 

then such organization will be covered under this Policy but only with respect to "wrongful acts" or "loss" which occurred after the effective date of such acquisition or creation provided, with regard to Paragraphs 10.a.(1) and 10.a.(2), you:

(a) Give us written notice of the acquisition or creation of such organization within 90 days after the effective date of such action;

(b) Obtain our written consent to extend the coverage provided by this Policy to such organization; and

(c) Upon obtaining our consent, pay us an additional premium.

b. Acquisition Of Named Insured

If during the "policy period":

(1) The "named insured" merges into or consolidates with another organization, such that the "named insured" is not the surviving organization; or 

(2) Another organization, or person or group of organizations and/or persons acting in concert, acquires securities or voting rights which result in ownership or voting control by the other organization(s) or person(s) of more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, trustees or managers (if a limited liability company) of the "named insured"; 

then the coverage afforded under this Policy will continue until the end of the "policy period", but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the effective date of such merger, consolidation or acquisition.

The full annual premium for the "policy period" will be deemed to be fully earned immediately upon the occurrence of such merger, consolidation or acquisition of the "named insured".
The "named insured" must give written notice of such merger, consolidation or acquisition to us as soon as practicable, together with such information as we may reasonably require.

c. Cessation Of Subsidiaries

If before or during the "policy period" an organization ceases to be a "subsidiary", the coverage afforded under this Policy with respect to such "subsidiary" will continue until the end of the "policy period" but only with respect to "claims" arising out of "wrongful acts" or "loss" which occurred prior to the date such organization ceased to be a "subsidiary".

10. Changes in Exposure

The policy provides up to 90 days of coverage for newly acquired entities. Written notice to and consent by the insurance company is required for coverage to continue after 90 days.

If a named insured is acquired by another organization, coverage continues until the end of the policy period but only for wrongful acts committed or loss occurring prior to the acquisition.

11. Other Insurance

a. If any covered "claim" or "loss" is insured by any other valid policy, then this Policy shall apply only in excess of the amount of any deductible, retention and limit of insurance under such other policy, whether such other policy is stated to be primary, contributory, excess, contingent or otherwise, unless such other policy is written specifically excess of this Policy by reference in such other policy to this Policy's policy number.

b. When this Policy is excess, we shall have no duty under Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability to defend the "insured" against any "suit" if any other insurer has a duty to defend the "insured" against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the "insured's" rights against all those other insurers.

11. Other Insurance

This policy applies in excess of any other policy that provides coverage for the same loss. 

12. Legal Action Against Us

a. No person or organization has a right:

(1) To join us as a party or otherwise bring us into a "suit" asking for damages from an "insured"; or

(2) To sue us under this Policy unless all of its terms have been fully complied with.

A person or organization may sue us to recover on an agreed settlement or on a final judgment against an "insured", but we will not be liable for damages that are not payable under Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability, or that are in excess of the applicable Aggregate Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the first "named insured" and the claimant or the claimant's legal representative.

b. You may not bring any legal action against us involving "loss":

(1) Unless you have complied with all the terms of this Policy;

(2) Until 90 days after you have filed proof of loss with us; and

(3) Unless brought within two years from the date you reported the "loss" to us.

If any limitation in this condition is prohibited by law, such limitation is amended so as to equal the minimum period of limitation provided by such law.

12. Legal Action Against Us

Endorsement EC 01 20 (Texas Changes) amends paragraph "b" to remove paragraph "2" (90 day requirement) and to change the time period in paragraph "3" to two years and one day from the date the cause of action first accrues.

13. Separation Of Insureds

Except with respect to the applicable Aggregate Limit of Insurance, and any rights or duties specifically assigned in Insuring Agreement 1. Web Site Publishing Liability, 2. Security Breach Liability or 3. Programming Errors And Omissions Liability to the first "named insured", this Policy applies separately to each "insured" against whom "claim" is made.

13. Separation of Insureds

This condition states that policy coverage applies separately to each insured, and the policy will respond to a suit brought by one insured against another. 

This separation of insureds makes the use of the words "the insured" in the policy of great importance. An exclusion applicable to "the insured" would leave coverage in place for any other insured who is not subject to the exclusion. When the words "any insured" or "an insured" are used, the exclusion eliminates coverage for all insureds.

14. Duties In The Event Of Claim Or Loss

In the event of either an occurrence or offense that may result in a "claim" against an "insured" or a "loss" or situation that may result in a "loss" covered under this Policy, you must notify us in writing as soon as practicable, but not to exceed 30 days, and cooperate with us in the investigation and settlement of the "claim" or "loss". Additionally:

a. Under Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability, you must:

(1) Immediately record the specifics of the "claim" and the date received;

(2) Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the "claim"; 

(3) Authorize us to obtain records and other information; and

(4) Assist us, upon our request, in the enforcement of any right against any person or organization which may be liable to you because of an occurrence or offense to which this Policy may also apply. 

You will not, except at your own cost, voluntarily make a payment, assume any obligation or incur any expense without our consent.

A "claim" brought by a person or organization seeking damages will be deemed to have been made when the "claim" is received by an "insured".

b. Under Insuring Agreements 4. Replacement Or Restoration Of Electronic Data and 5. Extortion Threats, you must:

(1) Notify local law enforcement officials;

(2) Submit to examination under oath at our request and give us a signed statement of your answers; and

(3) Give us a detailed, sworn proof of loss within 120 days.

(4) In addition, under Insuring Agreement 5. Extortion Threats, you must:

(a) Determine that the "extortion threat" has actually occurred;

(b) Make every reasonable effort to immediately notify an associate and the security firm, if any, before making any "ransom payment" based upon the "extortion threat"; and

(c) Approve any "ransom payment" based upon the "extortion threat".

14. Duties in the Event of Claim or Loss

If the named insured knows of an occurrence or offense that may result in a claim or a loss covered by the policy during the policy period, the named insured must notify the company in writing as soon as practicable, but not to exceed 30 days. However, unless the reported occurrence or offense results in a claim (as defined) made against the insured during the policy period (or within 30 days of the end of the policy period under paragraph "a" of Condition #16 (Extended Reporting Periods), the resulting claim is not covered by this policy and may not be covered by any subsequent policy. 

Variations to watch for:
  • Some policies allow the insured to report within the policy period any circumstances or incidents which may give rise to a claim, and agree to cover any claim arising out such circumstances or incidents no matter when the claim is actually made. 

15. Valuation – Settlement
15. Valuation – Settlement
a. All premiums, Aggregate Limits of Insurance, Deductible Amounts, "loss" and any other monetary amounts under this Policy are expressed and payable in the currency of the United States of America. If judgment is rendered, settlement is agreed to or another component of "loss" under this Policy is expressed in any currency other than United States of America dollars, payment under this Policy shall be made in United States dollars at the rate of exchange published in The Wall Street Journal on the date the final judgment is entered, settlement amount is agreed upon or the other component of "loss" is due, respectively.
a. Valuation in U.S Dollars
b. With respect to "loss" covered under Insuring Agreement 6. Business Income And Extra Expense:

(1) The amount of "business income" will be determined based on consideration of:

(a) The net income generated from your "e-commerce activities" before the "interruption" occurred;

(b) The likely net income generated by your "e-commerce activities" if no "interruption" had occurred, but not including any net income that would likely have been earned as a result of an increase in the volume of business due to favorable business conditions caused by the impact of the "e-commerce incident" on customers or on other businesses;

(c) The operating expenses, including payroll, necessary to resume your "e-commerce activities" with the same quality of service that existed before the "interruption"; and 

(d) Other relevant sources of information, including your financial records and accounting procedures, bills, invoices and other vouchers, and debts, liens and contracts.

However, the amount of "business income" will be reduced to the extent that the reduction in the volume of business from the affected "e-commerce activities" is offset by an increase in the volume of business from other channels of commerce such as via telephone, mail or other sources.

(2) The amount of "extra expense" will be determined based on:

(a) Necessary expenses that exceed the normal operating expenses that would have been incurred in the course of your "e-commerce activities" during the period of coverage if no "interruption" had occurred. We will deduct from the total of such expenses the salvage value that remains of any property bought for temporary use during the period of coverage once your "e-commerce activities" are resumed; and

(b) Necessary expenses that reduce the "business income" "loss" that otherwise would have been incurred during the period of coverage.

b. Business Income Valuation

Insuring agreement #6 (Business Income and Extra Expense) covers the loss of business income and extra expenses related to e-commerce activities and resulting from introduction of a virus or malicious code into or a denial of service attack on or an extortion threat to the insured's computer system.

This condition limits recovery to income lost from e-commerce activities and extra expenses incurred to restore e-commerce activities, not income or extra expenses related to other activities that might be affected by a virus or denial of service attack. In addition, there may be an offset to the business income loss from e-commerce activities when there is an increase in the volume of business from other channels of commerce such as telephone, mail or other sources. 

"E-commerce" is defined in the dictionary as "business that is transacted by transferring data electronically, especially over the Internet."

Endorsement EC 20 05 (Agreed Value for Business Income) amends this condition to cover a specified amount per hour of interruption after an hourly waiting period deductible.

16. Extended Reporting Periods

The provisions contained within this condition apply only to Insuring Agreements 1. Web Site Publishing Liability, 2. Security Breach Liability and 3. Programming Errors And Omissions Liability. 

a. Basic Extended Reporting Period

(1) A Basic Extended Reporting Period is automatically provided without additional charge. This period starts with the end of the "policy period" and lasts for 30 days. A "claim" first made and reported by the "insured" during this 30-day period will be considered to have been received within the "policy period". However, the 30-day Basic Extended Reporting Period does not apply to "claims" that are covered under any subsequent insurance purchased by the "insured", or that would be covered but for exhaustion of the Aggregate Limit of Insurance applicable to such "claims".

(2) The Basic Extended Reporting Period does not extend the "policy period" or change the scope of coverage provided. It applies only to "claims" to which the following applies:

(a) The "claim" is first made and reported to us during the Basic Extended Reporting Period; and 

(b) The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".

b. Supplemental Extended Reporting Period

(1) A Supplemental Extended Reporting Period is available if this Policy is canceled or not renewed by either you or us, but only by endorsement and for an extra charge. The Supplemental Extended Reporting Period starts when the Basic Extended Reporting Period set forth in Paragraph 16.a. ends. The Supplemental Extended Reporting Period is available unless:

(a) We cancel this Policy for nonpayment of premium; or

(b) You fail to pay any amounts owed us. 

(2) In order to obtain a Supplemental Extended Reporting Period, you must give us a written request for the Supplemental Extended Reporting Period Endorsement together with the full payment of the additional premium for the endorsement within 30 days after the end of the "policy period". The Supplemental Extended Reporting Period will not go into effect unless you pay the additional premium promptly when due.

(3) The Supplemental Extended Reporting Period does not extend the "policy period" or change the scope of coverage provided. It applies only to "claims" to which the following applies:

(a) The "claim" is first made and reported to us during the Supplemental Extended Reporting Period; and 

(b)
The "claim" arose out of either a "wrongful act" or the first of a series of "interrelated wrongful acts" which occurred on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".

(4) Once in effect, the Supplemental Extended Reporting Period may not be canceled. The premium for the Supplemental Extended Reporting Period Endorsement will be deemed to be fully earned as of the date it is purchased.

c. There is no separate or additional Aggregate Limit of Insurance for the Basic Extended Reporting Period or the Supplemental Extended Reporting Period. The limit of insurance available during the Basic Extended Reporting Period, and the Supplemental Extended Reporting Period if purchased, shall be the remaining amount, if any, of the Aggregate Limit of Insurance of the respective Insuring Agreement, subject to the remaining amount of the Policy Aggregate Limit of Insurance at the time this Policy was canceled or nonrenewed.

16. Extended Reporting Periods (Tail Coverage)

This condition applies only to the three third-party insuring agreements that are provided on a claims-made basis. See "Claims Made Policies" in the E&O Loss Control section of iiat.org for more information. 

Paragraph "a" is a basic extended reporting provision available to the insured without additional charge. It allows the insured to report a new claim up to 30 days after cancellation or expiration of the policy as long as the claim arises out of a wrongful act committed after the retroactive date and prior to the end of the policy period. Endorsement EC 01 20 (Texas Changes) amends this paragraph to state that the Basic Extended Reporting does not apply to claims that are covered under subsequent insurance purchased by the insured under this policy or a replacement policy purchased from the same insurer.

Paragraph "b" is a bi-lateral extended reporting provision, meaning the option can be triggered by the named insured upon cancellation or nonrenewal by either the named insured or the insurance company. For an additional premium (determined by the company's rating rules), the insured can purchase endorsement EC 20 01 ((Supplemental Extended Reporting Period) to document the election and display the number of years and premium. This provision extends the right to report a new claim for up to the number of years specified in the endorsement. The claim must arise out of a wrongful act committed after the retroactive date and prior to termination of the policy. 

17. Confidentiality

Under Insuring Agreement 5. Extortion Threats, "insureds" must make every reasonable effort not to divulge the existence of this coverage.

17. Confidentiality

The insured is required to keep confidential the existence of the extortion coverage provided by the policy.

18. Territory

This Policy covers "wrongful acts" which occurred anywhere in the world. However, "suits" must be brought in the United States of America (including its territories and possessions), Puerto Rico or Canada.

18. Territory

The policy covers wrongful acts occurring anywhere in the world, but it only covers suits brought in the coverage territory described here. 

Endorsement EC 20 03 (Amend Territory Condition for Wrongful Acts or Suits) amends this condition to exclude certain territories shown in the endorsement from the worldwide coverage for Insuring Agreements 1, 2 and 3, or to cover suits brought in certain additional territories shown in the endorsement.

Endorsement EC 20 04 (Amend Territory Condition – Suits Worldwide) amends this condition to cover suits brought anywhere in the world.