During the question and answer period at virtually every cyber conference I’ve ever gone to, I stand up and say, “I’ve got a question for you. I have a guy that hosts data. Does he need cyber coverage or does he need professional liability coverage?” Every time I get this crummy answer saying, “You know, I think he needs both.” Well, the reason I ask that question is this tricky fact: nobody entrusted him with the stuff that’s on that server.
This is all hypothetical because a case like this has never made it to the inside of a courtroom to my knowledge. If it ever did, I don’t know how they would see the situation. My thoughts on the subject could be different than how the court would actually judge.
The way I see it, when your data is hosted on a server, the data is actually entrusted to someone else other than the host; it’s only accessed through that server. I’ve said to those cyber conference sessions that I’d feel much better standing next to my hosting guy in a courtroom with a big professional liability limit than I would a cyber limit. Because I’m sure the allegation would be that he didn’t put in the proper safeguards to protect the information. In other words, he failed in some kind of duty or what people expected him to provide in the services that he offers.
To explain it in a different way, there was a guy I knew who was a jeweler who was out in his car in San Francisco because he sells to jewelry stores. He couldn’t find any self-parking, so he went to a garage with valet parking. He went to see the jewelry store, came back, and then found out his car had been stolen along with all the jewelry in the back. He sued the parking garage for the loss, which was somewhere around a million dollars.
The court said, no, there’s no way for the parking garage to know what you had in the trunk. They are responsible for the car but not what you had inside of it because there’s no way for them to know.
If a data host ever had a problem with a breach, would it be a cyber problem or a professional liability problem? Think about it this way, there is no way for them to know what you had on the server. All they’re responsible for is valet parking your data. That’s the way I see it.