What the form is

The CL EP 03 10 "Exclusion - Confidential Or Personal Information" is an endorsement typically attached to an Employment Practices Liability (EPL) insurance policy. Its primary purpose is to eliminate coverage for claims and losses stemming from the actual or alleged failure to protect, manage, or handle confidential or personal information. This includes, but is not limited to, data breaches, unauthorized access or disclosure of employee or third-party data, identity theft, and violations of privacy laws related to data security incidents. By adding this exclusion, the insurer clarifies that such risks fall outside the scope of the EPL policy.

Classes of business it applies to

This endorsement is relevant to nearly any business that purchases Employment Practices Liability insurance, as virtually all employers collect and store confidential employee information. However, it is particularly pertinent for businesses that handle significant amounts of sensitive data, such as:

  • Healthcare providers (patient and employee records)
  • Financial institutions (customer and employee financial data)
  • Retail and e-commerce businesses (customer and employee data)
  • Technology companies
  • Educational institutions
  • Professional service firms

Real-world example: A company experiences a data breach where hackers steal employees' Social Security numbers and direct deposit information from the HR database. If the company's EPL policy includes the CL EP 03 10 endorsement, any claims from employees for damages resulting from this data breach would likely be excluded from coverage under the EPL policy. The company would need a separate Cyber Liability policy to address such claims.

Special considerations

  • Coverage Gap Creation: The most critical consideration is that this endorsement creates a significant coverage gap for data-related liabilities under the EPL policy. Businesses must recognize this and secure appropriate Cyber Liability insurance to cover these exposures.
  • Interaction with Cyber Liability Insurance: This exclusion helps to delineate coverage boundaries between EPL and Cyber Liability policies, reducing ambiguity and potential disputes over which policy responds to a data breach incident involving employee information.
  • Scope of "Confidential or Personal Information": The specific definitions of "confidential information" and "personal information" within the policy and endorsement are crucial. These definitions will determine the full extent of the exclusion. Generally, this includes Personally Identifiable Information (PII), Protected Health Information (PHI), financial account information, and other sensitive non-public data.
  • Regulatory Environment: With increasing data privacy regulations (e.g., GDPR, CCPA), the financial and reputational risks associated with data breaches are high. This exclusion underscores the need for specialized cyber coverage.

Real-world example: An employee sues their employer alleging emotional distress and financial loss after their personal health information, stored by the company for benefits administration, was inadvertently emailed to an external party. With the CL EP 03 10 endorsement on the EPL policy, the insurer would likely deny coverage for this claim, pointing to the exclusion of liability arising from the disclosure of personal information.

Key information for agents and underwriters

  • Agents:
    • Must clearly explain the impact of this exclusion to clients, emphasizing the need for separate Cyber Liability insurance.
    • Should conduct a needs assessment to determine the client's cyber risk exposure and recommend adequate Cyber Liability coverage limits and terms.
    • Failure to address this gap can lead to significant uninsured losses for the client and potential E&O claims against the agent.
  • Underwriters:
    • For EPLI, this endorsement helps manage and limit the insurer's exposure to potentially catastrophic and systemic losses arising from data breaches, which are better underwritten under a dedicated Cyber Liability policy.
    • The presence of this exclusion may slightly reduce the perceived risk profile for the EPL coverage itself, but underwriters will still consider the overall management quality and internal controls of the insured, as poor controls could lead to other types of employment claims.
    • Underwriters will expect that risks involving significant data exposure have or will obtain separate Cyber Liability coverage.

Form Information

Summary:
This endorsement modifies an Employment Practices Liability (EPL) policy by specifically excluding coverage for claims arising from the loss, theft, or unauthorized disclosure of confidential or personal information. Such risks are typically intended to be covered under a separate Cyber Liability insurance policy.

Line of Business:
CL Forms

Type:
Exclusion

Form Code:
CL EP 03 10

Full Form Number:
CL EP 03 10 07 21

Edition Dates:
07 21