Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception (BP 15 04)
What the form is:
The BP 15 04 is an endorsement to the Businessowners Coverage Form that significantly modifies liability coverage related to data breaches and electronic data. Its primary function is to exclude coverage for damages (other than "personal and advertising injury" as specifically defined and limited by this endorsement) that arise from the access to or disclosure of confidential or personal information. This includes a wide range of nonpublic information such as patents, trade secrets, customer lists, financial details, credit card numbers, and health information. The exclusion also applies to damages stemming from the loss of, loss of use of, damage to, corruption of, or inability to access or manipulate electronic data. Importantly, this exclusion encompasses associated costs like notification expenses, credit monitoring, forensic investigations, and public relations efforts.
A key feature of this endorsement is the limited bodily injury exception. This means that while most data-related liabilities are excluded, there might still be coverage if "bodily injury" occurs, unless the primary exclusion for access or disclosure of confidential or personal information applies. The endorsement also amends the definition of "personal and advertising injury" to specifically exclude injury arising from the access to or disclosure of confidential or personal information.
It's important to note that a revised version of BP 15 04 (edition 12 23) has removed the limited bodily injury exception, applying the exclusion more broadly to bodily injury, property damage, and personal and advertising injury liability. This was done in response to evolving legislation and court activity around privacy rights. The older 05 14 edition, which is the focus of the provided summary, still contains this limited exception.
Classes of business it applies to:
This endorsement is broadly applicable to most businesses that purchase a Businessowners Policy (BOP), as virtually all businesses today handle some form of confidential or personal information, whether it's customer data, employee records, or proprietary business information. BOPs are generally designed for small to medium-sized "Main Street" businesses. Examples include:
- Retail Stores: Businesses that collect customer payment information (credit cards) or manage customer loyalty programs. A breach exposing this data would fall under this exclusion.
- Professional Services (e.g., accountants, consultants): Firms that handle sensitive client financial or business data. If this information is compromised, the BP 15 04 would likely apply.
- Healthcare-related businesses (not typically covered by a standard BOP for professional liability but may have a BOP for other exposures): While professional liability is separate, a BOP might cover other aspects. If patient PII is breached through a non-professional liability event, this exclusion would be relevant.
- Contractors: Businesses that may have employee data or client project details stored electronically.
- Restaurants: Establishments processing credit card payments and potentially holding employee information.
- Any business that stores customer lists, financial information, or any other type of nonpublic information electronically.
Essentially, any business that could suffer a data breach or experience loss/corruption of electronic data is impacted by this endorsement. Given the prevalence of cyber threats, this form has wide-ranging applicability.
Special considerations:
- Mandatory Nature: The BP 15 04 (or a similar, potentially more restrictive version like the former BP 15 05 which did not include the bodily injury exception) is often a mandatory or conditionally mandatory endorsement, meaning it's automatically included in the BOP unless a different, specific cyber liability endorsement is chosen. This underscores the insurer's intent to limit broad, unintended cyber coverage under a standard BOP.
- Limited Bodily Injury Exception: The "limited bodily injury exception" is a critical nuance. It means that if a data breach or loss of electronic data directly leads to bodily injury (e.g., a malfunctioning medical device due to corrupted data causes harm), there might be coverage, unless the incident also falls under the primary exclusion for accessing or disclosing confidential or personal information. The practical application of this exception can be complex and may depend on the specific circumstances of the claim. As mentioned, newer versions of this endorsement may remove this exception entirely.
- Coverage Gaps: This endorsement creates a significant gap in coverage for most data breach and cyber liability exposures. Businesses relying solely on an unendorsed BOP or a BOP with this exclusion will likely have no coverage for the financial impacts of a data breach, such as forensic investigation costs, notification expenses, credit monitoring, and regulatory fines. This highlights the need for separate, dedicated Cyber Liability insurance.
- "Personal and Advertising Injury": The endorsement specifically amends the "Personal and Advertising Injury" coverage part to exclude injuries arising from the access to or disclosure of confidential or personal information. This closes a potential avenue of coverage that might have existed under older policy forms for certain types of privacy-related claims.
- Evolving Landscape: The cyber risk landscape and related insurance coverages are constantly evolving. New regulations (like GDPR, CCPA, BIPA) and emerging threats mean that endorsements like BP 15 04 are periodically reviewed and updated by ISO. It's crucial to refer to the specific edition date of the endorsement on a policy.
Real-world example: A small retail business has its point-of-sale system hacked, and thousands of customer credit card numbers are stolen. The business incurs costs for forensic investigation, notifying affected customers, and providing credit monitoring services. The BP 15 04 endorsement on their Businessowners Policy would likely exclude coverage for these costs. If, hypothetically and unusually, the data breach also directly caused a physical injury to someone (and the primary confidential information disclosure exclusion didn't apply), the limited bodily injury exception might be triggered, but this is a narrow and less common scenario.
Key information for agents and underwriters:
- Risk Assessment: Underwriters need to assess the insured's data security practices and the sensitivity of the information they handle. Even with this exclusion in place, understanding the potential for data-related losses helps in recommending appropriate standalone cyber coverage.
- Pricing: While this endorsement is exclusionary, the overall premium for the BOP will reflect the general risk profile of the business. The presence of this exclusion reinforces that the BOP is not priced to cover significant cyber risks.
- Coverage Gaps & Client Education: Agents have a critical role in explaining the limitations imposed by BP 15 04 to their clients. It should be made clear that this endorsement significantly curtails coverage for data breaches and that a separate Cyber Liability policy is essential for businesses concerned about these exposures. Failure to do so can lead to E&O exposures for the agent.
- Interaction with Cyber Policies: It's important to understand how a BOP with this exclusion interacts with any standalone Cyber Liability policies the insured may have. Cyber policies are specifically designed to cover the risks excluded by endorsements like BP 15 04. However, cyber policies also have their own exclusions, such as for bodily injury or property damage, which the BOP (even with BP 15 04) might still address in limited circumstances.
- Edition Dates: Always verify the edition date of the BP 15 04 endorsement. As noted, the 12 23 edition removes the limited bodily injury exception found in the 05 14 edition, making it more restrictive. This can significantly impact the scope of coverage.
- "Silent Cyber": This endorsement is part of the industry's effort to address "silent cyber" – the potential for cyber-related losses to be covered by traditional policies not specifically designed or priced for such risks.
- Definition of Electronic Data: The endorsement provides a specific definition of "electronic data." This definition is crucial in determining the scope of the exclusion related to loss or damage to data.
Real-world example for agents/underwriters: An underwriter reviewing an application for a small medical clinic's BOP (knowing professional liability is separate) would note the presence of BP 15 04. While the BOP provides general liability and property coverage, the underwriter would recognize that the clinic's significant exposure to patient data breaches (PHI) is largely unaddressed by the BOP due to this exclusion. The agent should strongly recommend a standalone Cyber Liability policy that covers regulatory fines (e.g., HIPAA), notification costs, and other data breach response expenses. The limited bodily injury exception in BP 15 04 (05 14 edition) might offer a sliver of coverage if, for instance, corrupted data in a medical device directly caused physical harm to a patient, but this would not cover the primary costs of the data breach itself.