Information Security Protection Policy (ISO)

Insuring Agreements 

EC 00 10

While it is unknown how many insurers (if any) might be using the ISO Information Security Protection Policy form in Texas, this InfoCentral policy guide analyzes the ISO form and endorsements and uses this analysis as the basis for comparing to forms used by other insurance companies. The policy wording is displayed in the left-hand column and comments on the policy wording are displayed in the right-hand column. Where appropriate, the comments are followed by "Variations to Watch For," based on provisions found in forms offered by seven different insurers writing in Texas and analyzed for this purpose.

The ISO Information Security Protection Policy contains first- and third-party coverage by way of eight separate insuring agreements. Insuring Agreements 1, 2 and 3 provide third-party liability coverage. Insuring Agreements 4, 5, 6, 7 and 8 provide first-party coverage.

Policy Language

Explanation

INSURING AGREEMENTS 1., 2. AND 3. OF THIS POLICY PROVIDE CLAIMS-MADE COVERAGE. DEFENSE EXPENSES ARE PAYABLE WITHIN, AND NOT IN ADDITION TO, THE LIMIT OF INSURANCE. PAYMENT OF DEFENSE EXPENSES UNDER THIS POLICY WILL REDUCE THE LIMIT OF INSURANCE.

PLEASE READ THE ENTIRE POLICY CAREFULLY.

Various provisions in this Policy restrict coverage. Read the entire Policy carefully to determine rights, duties and what is and is not covered.

Throughout this Policy the words "you" and "your" refer to the "named insured" shown in the Declarations. The words "we", "us" and "our" refer to the company providing this insurance.

Other words and phrases that appear in quotation marks have special meaning. Refer to Section VII – Definitions.

Notice of Claims-Made Policy

This notice in all-caps bold print puts the insured on notice that the first three insuring agreements are provided on a claims-made basis and that defense costs paid by the insurance company will reduce the limit of liability. See Third-Party Liability Insuring Agreements below. 

SECTION I – INSURING AGREEMENTS

Coverage is provided under the following Insuring Agreements for which an Aggregate Limit Of Insurance is shown in the Declarations:

Insuring Agreements

There are a total of eight insuring agreements. The insured can choose one or more of the agreements and the selection is documented in the Declarations by showing an aggregate limit of insurance and deductible amount for each insuring agreement. 

Third-Party Liability Insuring Agreements on a Claims-Made Basis

The first three insuring agreements (1, 2 and 3) provide third-party liability coverage on a claims-made basis with defense costs paid inside the limit. See technical report "Claims Made Policy Forms" for more information.

Claims are covered only if the insured receives a written demand from a third party or is served with a complaint in a civil or regulatory proceeding during the policy period or an extended reporting period. See Definition #3 (Claim).

The claim must involve a "wrongful act" as defined for each of the insuring agreements.

The wrongful act must have been committed after the retroactive date shown in the Declarations. (See Declarations Commentary.)

The named insured must report a claim made during the policy period to the company as soon as practicable, but not to exceed 30 days. See Condition #14 (Duties in the Event of Claim or Loss).

If the named insured knows of an occurrence or offense that may result in a claim or a loss covered by the policy during the policy period, the named insured must notify the company in writing as soon as practicable, but not to exceed 30 days. See Condition #14 (Duties in the Event of Claim or Loss). However, unless the reported occurrence or offense results in a claim (as defined) made against the insured during the policy period (or within 30 days of the end of the policy period under paragraph "a" of Condition #16 (Extended Reporting Periods)), the resulting claim is not covered by this policy and may not be covered by any subsequent policy.

Defense costs incurred by the insurance company to defend the insured reduce the limit of liability available to pay settlements or judgments. (See Section II – Limits of Insurance.)

Variations to watch for:

  • Most claims-made policy forms allow the insured to report an occurrence or offense that may result in a claim and cover any subsequent claim (as defined in the policy) as if the claim had been made against the insured during the policy period.

1. Web Site Publishing Liability

We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".

[From Definitions section]

35. "Wrongful act" means:

a. With respect to Insuring Agreement 1. Web Site Publishing Liability:

Any actual or alleged error, misstatement or misleading statement posted or published by an "insured" on its web site that results in:

(1) Any type of infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or service name;

(2) Any form of defamation against a person or organization; or

(3) A violation of a person's right of privacy.
1. Web Site Publishing Liability

This insuring agreement provides coverage for loss that the insured becomes legally obligated to pay as a result of its wrongful acts associated with the content posted to its web site. Wrongful act, as it pertains to this insuring agreement, is defined to include any actual or alleged error, misstatement or misleading statement posted or published by an insured on its web site that results in infringement of another's copyright, trademark, trade dress or service mark; defamation; or violation of a person's right of privacy.

Although limited to material published on the insured's web site, this insuring agreement in some respects duplicates coverage provided by the Personal and Advertising Injury coverage in the commercial general liability policy. 

In the CGL, Personal Injury coverage includes (1) oral or written publication of material that slanders or libels a person or organization; (2) oral or written publication of material that disparages a person's or organization's goods, products or services; and (3) violating a person's right of privacy. Libel and slander are forms of defamation. These offenses are also included here in this policy, but only when the defaming or disparaging material is published on the insured's web site.

The Advertising Injury coverage on the CGL provides coverage for infringing upon another's copyright, trade dress or slogan, if they occur in the course of the insured's advertising, including only that part of a web site that is considered an advertisement. The coverage here goes further than that in the CGL because a covered offense can arise out of any part of the insured's web site, not just the part that is considered an advertisement. 

Endorsement EC 20 16 (Exclusion – Social Media) excludes claims or loss arising out of a wrongful act that occurs through the authorized or unauthorized use of a social media web site or blog by an employee.

Endorsement EC 20 17 (Exclusion – Software Infringement) excludes claims or loss arising out of any infringement of copyrighted software, software code or software license.

Variations to watch for:
  • Not all policies cover all the causes of action shown here and some policies cover more causes of action.

  • Some policies cover claims alleging damages caused by third-party reliance on the textual content displayed in the insured's web site. (Example: an insurance agent's web site contains technical information on policy coverages and recommendations for handling risk exposures.)

  • Some policies cover material published in any form (not just the web site), including social media, printed advertising and other types of publications.

2. Security Breach Liability 

a. We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".

b. We will pay for both "loss" and "defense expenses" as a result of a "claim" in the form of a "regulatory proceeding" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, in response to a "wrongful act" or a series of "interrelated wrongful acts" covered under Paragraph 2.a.

[From the Definitions section]

35. "Wrongful act" means:

b. With respect to Insuring Agreement 2. Security Breach Liability:

Any actual or alleged neglect, breach of duty or omission by an "insured" that results in:

(1) A "security breach"; or

(2) A "computer system" transmitting, by e-mail or other means, a "virus" to another person or organization.

[From the Definitions section]

29. "Security breach" means the acquisition of "personal information" held within the "computer system" or in nonelectronic format while in the care, custody or control of the "insured" or authorized "third party" by a person:

a. Who is not authorized to have access to such information; or

b. Who is authorized to have access to such information but whose access results in the unauthorized disclosure of such information.


[From the Definitions section]

34. "Virus" means any kind of malicious code designed to damage or destroy any part of the "computer system" (including "electronic data") or disrupt its normal functioning.
2. Security Breach Liability

This insuring agreement provides coverage for loss that the insured becomes legally obligated to pay as a result of its wrongful acts. Wrongful act, as it pertains to this insuring agreement, is defined to include any actual or alleged neglect, breach of duty or omission by an insured that results in a security breach or transmission of a computer virus to a third party. Security breach is defined to mean:

a. The acquisition of personal information held within the computer system or otherwise by a person who is not authorized to have access to such information; or

b. The acquisition of personal information held within the computer system or otherwise by a person authorized to have access to such information but which results in the unauthorized disclosure of such information.

Paragraph "a" covers third-party liability claims alleging (1) a breach in the security of personal information contained in a computer system or in non-electronic format (such as paper files), when such information is acquired and disclosed by a person who is not authorized to do so, or (2) transmission of a virus or denial-of-service attack via email or other means.

Paragraph "b" covers the expenses related to an investigation, demand or proceeding brought by a governmental agency that results from an actual or alleged disclosure of private information (such as actions brought by the Federal Trade Commission, Federal Communications Commission or other federal, state or local governmental entity), including any resulting fines and penalties. 

See Insuring Agreement 7 (Public Relations Expense) for coverage of expenses incurred to hire a public relations firm following a security breach. 

See Insuring Agreement 8 (Security Breach Response) for coverage of expenses related to a security breach, including investigation, notification and credit monitoring. 

Variations to watch for:
  • Some policies include liability coverage for disclosure of "third party corporate information," as well as personal information on individuals.

  • Most policies cover liability arising out of security breach involving an employee's private information, but some policies cover this exposure as a separate insuring agreement available for an additional premium.

  • Some policies only cover disclosure of private information contained in electronic format and do not cover disclosure of information in non-electronic format, such as paper files.

  • Some policies do not cover the costs incurred to respond to a regulatory proceeding.

  • Some policies do not cover fines and penalties assessed by governmental entities as a result of disclosure of private information.

  • Some policies also provide liability coverage for failure to comply with the insured's written privacy policies for security of personal information.

  • Some policies also cover fines and penalties owed by the insured under the terms of a Merchant Services Agreement (MSA) with a payment card company.

3. Programming Errors And Omissions Liability

We will pay for both "loss" that the "insured" becomes legally obligated to pay and "defense expenses" as a result of a "claim" first made against the "insured" during the "policy period" or during the applicable Extended Reporting Period, for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, shown in the Declarations and before the end of the "policy period".

[From the Definitions section]

35. "Wrongful act" means:

c. With respect to Insuring Agreement 3. Programming Errors And Omissions Liability:

Any actual or alleged programming error or omission that results in the disclosure of your client's "personal information" held within the "computer system".

3. Programming Errors And Omissions Liability

This insuring agreement provides coverage for loss the insured becomes legally obligated to pay as a result of its wrongful acts. Wrongful act, as it pertains to this insuring agreement, is defined to include any actual or alleged programming error or omission that results in the disclosure of a client's personal information held within the computer system.

This insuring agreement is needed because the Security Breach insuring agreement only applies to intentional acts by third parties in acquiring personal information held in the insured's computer system, while this one applies to disclosure of personal information caused by a programming error.

In addition, the Security Breach insuring agreement covers expenses incurred to respond to regulatory proceedings and this insuring agreement does not.

Variations to watch for:

  • Some policies do not cover liability for disclosure of personal information caused by a programming error.

First-Party Insuring Agreements

The next five insuring agreements cover losses incurred by the insured that result from computer-related incidents. 

The loss must occur during the policy period (or as otherwise provided in the insuring agreement). 

4. Replacement Or Restoration Of Electronic Data

We will pay for "loss" of "electronic data" or "computer programs" stored within the "computer system" resulting directly from an "e-commerce incident" sustained during the "policy period".

[From the Definitions section]

8. "E-commerce incident" means a:

a. "Virus";

b. Malicious code; or

c. Denial of service attack;

introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation.

Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".


[From the Definitions section]

18. "Loss" means:

b. With respect to Insuring Agreement 4. Replacement Or Restoration Of Electronic Data:

The cost to replace or restore "electronic data" or "computer programs" as well as the cost of data entry, reprogramming and computer consultation services.

"Loss" does not include the cost to duplicate research that led to the development of your "electronic data" or "computer programs". To the extent that any "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which the "electronic data" was stored with blank media of substantially identical type.

4. Replacement or Restoration of Electronic Data

This insuring agreement provides coverage for the costs to replace or restore electronic data or computer programs that are damaged or destroyed as a direct result of an e-commerce incident. E-commerce incident is defined as a computer virus, malicious code or denial of service attack introduced into or enacted upon the computer system (including electronic data) that is designed to damage, destroy, delete, corrupt or prevent the use of or access to the computer system or otherwise disrupt its normal operation.

This agreement covers the costs incurred by the insured to replace or restore data or programs following introduction of a virus or malicious code into or a denial of service attack on the insured's computer system. It does not include the cost to duplicate research that led to the development of data or programs.

These exposures are generally excluded by commercial property and electronic equipment policies. 

See Insuring Agreement 7 (Public Relations Expense) for coverage of expenses incurred to hire a public relations firm following an incident.

Variations to watch for:
  • Some policies do not cover this exposure.

5. Extortion Threats

We will pay for "loss" resulting directly from an "extortion threat" communicated to you during the "policy period".

However, we will not pay for "extortion expenses" or "ransom payments" which are part of a series of related threats that began prior to the "policy period".

[From the Definitions section]

12. "Extortion threat" means a threat or series of related threats:

a. To perpetrate an "e-commerce incident";

b. To disseminate, divulge or utilize:

(1) Your proprietary information; or

(2) Weaknesses in the source code;

within the "computer system" by gaining unauthorized access to the "computer system";

c. To destroy, corrupt or prevent normal access to the "computer system" by gaining unauthorized access to the "computer system";

d. To inflict "ransomware" on the "computer system" or a network to which it is connected; or

e. To publish your client's "personal information".

[From the Definitions section]

18. "Loss" means:

c. With respect to Insuring Agreement 5. Extortion Threats:

"Extortion expenses" and "ransom payments".


[From the Definitions section]

11. "Extortion expenses" means:

a. Fees and costs of:

(1) A security firm; or

(2) A person or organization;

hired with our consent to determine the validity and severity of an "extortion threat" made against you;

b. Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand;

c. Reward money paid by you to an "informant" which leads to the arrest and conviction of parties responsible for "loss"; and

d. Any other reasonable expenses incurred by you with our written consent, including:

(1) Fees and costs of independent negotiators; and

(2) Fees and costs of a company hired by you, upon the recommendation of the security firm, to protect your "electronic data" from further threats.


[From the Definitions section]

26. "Ransom payment" means a payment made in the form of cash.

5. Extortion Threats

This insuring agreement provides coverage for the reimbursement of extortion expenses and ransom payments incurred as a direct result of an extortion threat. Extortion threats include threats to introduce a virus, malicious code or denial of service attack, disseminate or divulge the insured's proprietary information, inflict ransomware or publish a client's personal information.
 
This agreement covers various expenses incurred by the insured plus ransom payments related to threats of extortion against the insured's computer system. 

Under Condition #17 (Confidentiality), the insured is required to keep confidential the existence of the extortion coverage provided by the policy.

Variations to watch for:
  • Some policies do not cover this exposure.

6. Business Income And Extra Expense

We will pay for "loss" due to an "interruption" resulting directly from an "e-commerce incident" sustained during the "policy period" or an "extortion threat" communicated to you during the "policy period".

[From the Definitions section]

18. "Loss" means:

d. With respect to Insuring Agreement 6. Business Income And Extra Expense:

The actual loss of "business income" you sustain and/or "extra expense" you incur.


[From the Definitions section]

2. "Business income" means the:

a. Net income (net profit or loss before income taxes) that would have been earned or incurred; and

b. Continuing normal operating expenses incurred, including payroll.


[From the Definitions section]

13. "Extra expense" means necessary expenses you incur:

a. During an "interruption" that you would not have incurred if there had been no "interruption"; or

b. To avoid or minimize the suspension of your "e-commerce activities".

"Extra expense" does not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system".


[From the Definitions section]

17. "Interruption" means:

a. With respect to an "e-commerce incident":

(1) An unanticipated cessation or slowdown of your "e-commerce activities"; or

(2) Your suspension of your "e-commerce activities" for the purpose of avoiding or mitigating the possibility of transmitting a "virus" or malicious code to another person or organization;

and, with regard to Paragraphs 17.a.(1) and 17.a.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

(a) 90 days after the "interruption" begins;

(b) The time when your "e-commerce activities" are resumed; or

(c) The time when service is restored to you.

b. With respect to an "extortion threat", your voluntary suspension of your "e-commerce activities":

(1) Based upon clear evidence of a credible threat; or

(2) Based upon the recommendation of a security firm, if any;

and, with regard to Paragraphs 17.b.(1) and 17.b.(2), shall be deemed to begin when your "e-commerce activities" are interrupted and ends at the earliest of:

(a) 14 days after the "interruption" begins;

(b) The time when your "e-commerce activities" are resumed; or

(c) The time when service is restored to you.

6. Business Income and Extra Expense

This insuring agreement provides coverage for the actual loss of business income and/or extra expense incurred by the insured as a direct result of an e-commerce incident or extortion threat.

This agreement covers the loss of business income and extra expenses related to e-commerce activities and resulting from introduction of a virus or malicious code into or a denial of service attack on or an extortion threat to the insured's computer system.

Based on Condition #15 (Valuation – Settlement), recovery is limited to income lost from e-commerce activities and extra expenses incurred to restore e-commerce activities, not income or extra expenses related to other activities that might be affected by a virus or denial of service attack. In addition, there may be an offset to the business income loss from e-commerce activities when there is an increase in the volume of business from other channels of commerce such as telephone, mail or other sources. 

These exposures are generally excluded in commercial property and electronic equipment policies.

The deductible for this insuring agreement is the higher of the dollar amount shown in the Declarations or the amount of loss incurred during the waiting period shown in the Declarations (expressed in hours). 

Variations to watch for:
  • Some policies do not offer this coverage.

7. Public Relations Expense

We will pay for "loss" due to "negative publicity" resulting directly from an "e-commerce incident" or a "security breach" sustained during the "policy period".

[From the Definitions section]

18. "Loss" means:

e. With respect to Insuring Agreement 7. Public Relations Expense:

"Public relations expenses".


[From the Definitions section]

25. "Public relations expenses" means:

a. Fees and costs of a public relations firm; and

b. Any other reasonable expenses incurred by you with our written consent;

to protect or restore your reputation solely in response to "negative publicity".


[From the Definitions section]

20. "Negative publicity" means information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "named insured" or of one or more of its products or services.

7. Public Relations Expense

This insuring agreement provides coverage for fees and costs of a public relations firm and other reasonable expenses incurred by the insured to protect or restore its reputation in response to negative publicity resulting from an e-commerce incident or security breach.

This agreement covers expenses incurred by the insured to hire a public relations firm to respond to negative publicity after a breach of security regarding personal information or resulting from introduction of a virus or malicious code into or a denial of service attack on the insured's computer system.

Variations to watch for:
  • Some policies cover expenses resulting from any claim covered by the policy, while others apply only to certain claims covered by the policy.

  • Since some policies cover more types of incidents, this coverage in those policies applies to some incidents that are not covered by other policies.

  • Some policies cover expenses incurred when negative publicity is imminent, while others cover expenses only after negative publicity has occurred.

8. Security Breach Expense

We will pay for "loss" resulting directly from a "security breach" sustained during the "policy period".

[From the Definitions section]

18. "Loss" means:

f. With respect to Insuring Agreement 8. Security Breach Expense:

"Security breach expenses".


[From the Definitions section]

30. "Security breach expenses" means:

a. Costs to establish whether a "security breach" has occurred or is occurring;

b. Costs to investigate the cause, scope and extent of a "security breach" and to identify any affected parties;

c. Costs to determine any action necessary to correct or remediate the conditions that led to or resulted from a "security breach";

d. Costs to notify all parties affected by a "security breach";

e. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by a "security breach";

f. Fees and costs of a company hired by you for the purpose of operating a call center to handle inquiries from the parties affected by a "security breach";

g. Post-event credit monitoring costs for the parties affected by a "security breach" for up to one year from the date of notification to those affected parties of such "security breach"; and

h. Any other reasonable expenses incurred by you with our written consent.

"Security breach expenses" do not include any costs or expenses associated with upgrading, maintaining, improving, repairing or remediating any "computer system" as a result of a "security breach".

8. Security Breach Expense

This insuring agreement provides coverage for expenses incurred by the insured, including costs to notify all parties affected by the security breach, overtime salaries paid to employees assigned to handle inquiries from parties affected by the security breach, fees and costs of a company hired to operate a call center, post-event credit monitoring services and other reasonable expenses.

Variations to watch for:
  • The list of covered expenses and services differs from one policy to another.

The following endorsements provide additional insuring agreements.

Endorsement EC 20 13 (Computer and Funds Transfer Fraud) provides exactly the same coverage as Insuring Agreement #6 (Computer and Funds Transfer Fraud) in the ISO Commercial Crime program. Coverage under this insuring agreement is triggered by (1) fraudulent entry or change of electronic data or program within the insured's computer to transfer property and cause the insured to lose that property, or (2) fraudulent instruction to the insured's financial institution to transfer money or securities to an unauthorized party. For more information, see the Commercial Crime technical report "Computer and Funds Transfer Fraud."

Endorsement EC 20 15 (Telephone Toll Fraud) adds an insuring agreement for Telephone Toll Fraud, providing coverage for loss arising out of long distance telephone call charges resulting from fraudulent use or manipulation of a voice computer system.