Artificial Intelligence (AI) has rapidly permeated nearly every facet of modern life, transforming how we live, work, and interact with technology. While AI promises to revolutionize industries, it also introduces a new realm of risks that may not be fully addressed by the commercial insurance industry’s current policy language.
As AI capabilities advance at an unprecedented pace, a critical question arises for insurers and program administrators: “Are the provisions and language in insurance policies adequate to address the emerging risks posed by AI?” The insurance industry, long rooted in meticulously crafted language, now faces a daunting challenge – how to keep up with AI’s rapid evolution and maintain a sustainable balance sheet. The financial impact of AI-related claims, if not properly managed, could strain insurers’ capacity for its policyholders.
As a first step in evaluating potential gaps, we evaluated commonly used exclusions used in many commercial general liability and excess policies.
Navigating Current Exclusions for AI-Related Claims
Although the terms “artificial intelligence” or similar phrasing are not found in the standard General Liability or Excess Liability forms, the question arises whether some existing exclusionary clauses could apply to certain situations involving AI-related claims. Here are some relevant exclusions and their potential applicability or limitations:
Access or Disclosure of Confidential or Personal Material Information Exclusions
These exclusions broadly address any access or disclosure of confidential or personal material information, and are generally applicable to bodily injury, property damage and personal and advertising injury coverages. Also commonly referred to as “data breach” exclusions, the exclusions are not explicitly limited to any form of data breach scenarios and have recently been found to be applicable to non-breach privacy scenarios in the context of biometric privacy. What remains to be tested is whether the material or relevant information is in fact found to be “confidential or personal information”. Nevertheless, absent an AI event resulting in the disclosure of such information, it will likely be difficult to apply these exclusions to an AI based cause of action.
Cyber Incident Liability Exclusions
Cyber incident liability exclusions apply to bodily injury, property damage and personal and advertising injury coverages arising from cyber related events such as unauthorized access to or use of a computer system, malicious code, or denial-of-service attacks. Their applicability to AI could be explored in scenarios where cyber incident corrupts or distorts a business’ AI-based technology, subsequently leading to injury or damage.
Data Privacy Exclusions
These exclusions, which apply to bodily injury, property damage and personal and advertising injury coverages, address violations of federal, state, or local laws pertaining to the management of confidential or personal information.
Although these exclusions do not explicitly mention AI, it is important to note that many state statutes do address, either generally or explicitly, the handling of confidential or personal material or information in the context of AI. However, many of these statutes do not provide a private right of action. In situations where confidential or personal information is involved, the question arises as to whether the reference to “other law” in newer data privacy policy exclusions encompass AI-related allegations stemming from non-statutory invasion of privacy claims. While standard data privacy exclusions may not adequately address AI specific risk, our research indicates that many proprietary data privacy exclusions currently in use explicitly address these types of situations, providing a higher level of protection against AI related claims involving the mishandling of confidential or personal information.
Violation of Law Exclusions
Predating data privacy exclusions, violation of law exclusions address statutes like CAN-SPAM and similar laws related to invasions of privacy like printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information. Recent court decisions have expanded the application of these exclusions to a broader range of privacy related statutory claims, including biometric privacy laws.
However, the explicit limitation of these exclusions to violations of statutes, ordinances, or regulations, coupled with the lack of specific language addressing AI, significantly narrows their scope when it comes to common law invasion of privacy claims and potentially even statutory invasion of privacy allegations related to AI.
While existing general liability and excess liability policy exclusions may provide some protection against certain AI-related claims, their applicability is often circumstantial and subject to judicial interpretation. As the adoption of AI accelerates across industries, the risks posed by this transformation technology do and will extend beyond the scope of traditional policy language. Therefore, it is critical for insurers and program administrators underwriting commercial insurance policies to stay vigilant in monitoring the legal and regulatory developments surrounding AI to proactively identify potential coverage gaps.
We recommend insurance providers utilize proactive approaches in managing risk exposures in their portfolios.
Proactive AI Risk Management Strategies
Whether managing AI risks in delegated or directly managed insurance programs, the following steps can help you proactively address exposures and minimize potential losses.
Evaluate your portfolio: Identify the business segments and industries where AI is likely to be utilized and assess whether the associated risks are acceptable or require mitigation.
Explore language updates: Evaluate the introduction of explicit references to AI for use in exclusions, sub-limit endorsements or affirmative coverage options to provide greater certainty regarding AI-related exposures.
Revise underwriting frameworks: Incorporate a clear position to your underwriting processes that articulates which AI-related risks are deemed acceptable and unacceptable for your business’ risk tolerance.
Implement risk transfer strategies: Encourage insureds to obtain indemnification agreements from vendors utilizing AI, in-turn transferring potential liability to the technology providers.
Exposures can be managed when they are understood. These strategies will mobilize a risk management discipline within your program business, as well as provide an opportunity to position thought leadership around this evolving and complex topic.
About Sproutr:
Sproutr is redefining the standards of insurance program design for its clients, simplifying the process of bringing regulated products to market. Learn more about how Sproutr delivers best-in-class insurance strategies by visiting our Services page or contact us by emailing info@sproutr.com.
About the author:
Mitch Tarter - Sr. Product Development Manager at Sproutr
Mitch is a senior technical product expert developing strategy and commercial insurance policy language for Sproutr’s clients. His expertise across casualty lines allows him to apply sophisticated solutions across complex exposures. He is passionate about the potential AI has in reshaping the insurance industry.
Sources:
GL Coverage for BIPA Lawsuits: A Litigation Update (Part 2), April 2023, Woodruff Sawyer
US State-by-State AI Legislation Snapshot, February 2024, BCLP
Illinois Federal Court Holds No Duty to Defend Lawsuit Alleging BIPA Violations, March 2024, JD Supra