August 15, 2022

Volume XII, Number 227



Digital Health Checkup (Bonus): Product Liability and Insurance Coverage

In this bonus edition of our checkup series, Covington’s global cross-practice Digital Health team considers some additional key questions about product liability and insurance coverage that companies across the life sciences and technology sectors should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.

1. What are the key questions when crafting warnings and disclosures?

If your product is regulated, your warnings and disclosures will need to comply with any relevant regulations. In the case of a product not regulated by the FDA or equivalent regulatory body, first consider how your warnings and disclosures will be incorporated into the use of the product.

Some disclosures, like an explanation of the data source used by software, may fit best in terms and conditions that a user sees before using the product. Key warnings, however, may be more appropriately placed as part of the user experience.

Example: A warning that patients should consult their doctors if necessary may need to be placed in proximity to specific medical content.

Best Practice: Consider your intended audience: are you writing warnings for doctors, patients, or institutions? The appropriate types of disclosures will vary across populations. Patient-directed warnings may also need to be written in simplified language.

Best Practice: Consider whether it is appropriate for your product to have users accept, or otherwise be required to agree to, the warnings and disclosures.

2. How should you craft contracts with vendors or service providers to control your risks?

When drafting or reviewing a proposed indemnification clause, consider whether the proposed language:

  • will benefit or bind the intended parties, including successors-in-interest;
  • encompasses the intended subsets of costs or expenses from which indemnification will be provided, including attorneys’ fees, internal forensic and other response costs, government investigation costs, and settlements with third parties;
  • specifies the circumstances in which the indemnification obligation will arise, such as upon a suspected network security event or only upon a third party asserting a claim;
  • specifies the nexus required between the indemnity-triggering event and the indemnity obligation, with common nexus phrases being “directly caused by” and “arising out of” or “in connection with”; and
  • specifies the point when the indemnification will be owed for an indemnity-triggering event such as a network security breach: for example, when a reasonable suspicion of the event arises, or only after proof that the event did in fact take place.

Best Practice: In addition to the indemnification clause, you should consider whether the contract counter-party has sufficient financial resources to fulfill its indemnity obligations. An insurance procurement clause, specifying the types and amounts of insurance coverage the counter-party must carry, is often the best way to back up your indemnification protection. An insurance clause requires careful attention, however, with an eye to the principal risks involved in the particular contract.

It is not enough merely to specify “cyber insurance” in an insurance procurement clause: cyber policies vary as to the categories of risks they cover, and their non-standardized wordings vary in scope and clarity of coverage for those risks. The contract’s insurance procurement clause should specify which cyber-related risks must be insured, and with what minimum limits; and it should permit you to review the actual policies procured, to confirm their suitability.

The contract should also address whether the counter-party is required to make you an additional insured under its policies. Again, a right to review the actual policies—not merely certificates of insurance—is important to ensure that the policies properly implement the additional-insured requirement.

3. What traps should you look for in your own insurance policies?

Digital health solutions can give rise to a broad range of risks, including alleged data breaches, privacy violations, faulty technology, theft, bodily injury, property damage, business interruption or extra expense, government demands, and shareholder suits. These risks could involve an equally broad range of insurance policies, including cyber, technology errors and omissions, professional liability, commercial crime, media liability, commercial general liability, products liability, property, and directors and officers liability.

Best Practice: In assessing whether and how your insurance coverage aligns with the risks that your particular digital health solution presents, pay close attention to potential gaps between the various insurance policies that are intended to cover those risks, including policies under which your company qualifies as an “additional insured.”

Professional services are often excluded from general and products liability policies on the theory that the policyholder can purchase separate professional liability insurance to cover that risk. But if the definition of “professional services” used in the exclusion to your general or products liability policy is broader than the definition of “professional services” used in the insuring agreement for your professional liability policy, a protection gap may arise between two policies that were meant to provide seamless coverage. Particularly if your company provides post-sale support for a digital health solution, you should carefully review the “professional services” language in all potentially applicable policies to be sure that they are consistent.

Many cyber policies exclude bodily injury, while cyber-related exclusions have recently appeared on many commercial general liability policies, which have traditionally covered bodily injury arising from products. If, for example, a cyber hacker could injure a patient by remotely manipulating the digital settings on your medical device, you should be alert both for injury-related exclusions in your cyber policies and for cyber-related exclusions in your general liability or professional liability policies. If you find an insurance gap, you may need to explore specialty insurance products designed for so-called “cyber-physical” risks.

Best Practice: Make sure you have insurance policy limits that are large enough to match your likely liabilities and that your excess policies are as broad as your primary policy.

Marty Myers, Emily Ullman and David Goodwin, attorneys from the Covington Digital Health Team, also contributed to this post. 

© 2022 Covington & Burling LLP
National Law Review, Volume VII, Number 349

About this Author

John G. Buchanan III, Covington, Insurance litigation attorney
Senior Counsel

John Buchanan, senior counsel in Covington's Washington office and the firm's first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for over three decades. His career has ranged from the early DES and asbestos coverage litigation to claims for some of the largest cyber losses in history. Mr. Buchanan has litigated, arbitrated or negotiated a wide variety of complex property and casualty insurance claims, from railroad derailment claims to satellite-in-orbit claims, and from silver-theft...

Marialuisa Gallozzi, Covington, Insurance litigation attorney

Marialuisa (ML) Gallozzi has helped for-profit and nonprofit policyholders develop and execute efficient and practical insurance recovery strategies that have secured over half a billion dollars for complex, high-value claims. She also helps clients to place and renew insurance coverage, transfer risk in contracts and transactions, and prepare for and manage crises.

Chambers USA described her as “incredibly good at complex settlement structures” and Business Insurance named her as one of its "Women to Watch" in 2014. In 2016, Washington DC Super Lawyers ...

Elizabeth H. Canter, Data Security Attorney, Covington Law Firm

Libbie Canter has experience representing a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, with special expertise in advising those in highly-regulated sectors, including financial services companies and pharmaceutical and medical device manufacturers.

She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. As part of her practice, she regularly...

Jeffrey Kiburtz, Litigation attorney, Covington
Special Counsel

Working with clients in the life sciences, technology, financial services, manufacturing and construction industries, Jeff Kiburtz has handled a wide variety of litigated and non-litigated matters involving commercial insurance of nearly all types, including commercial general liability, products, directors & officers liability, professional liability, cyber/privacy/network security, property, CCIP, OCIP, builders risk and fidelity.

Scott Levitt, litigation attorney, Covington
Special Counsel

Scott Levitt has twenty years of experience representing policyholders in numerous types of insurance coverage claims. These matters include cyber-risk, mass tort, asbestos, silica, mixed dust, environmental, product liability, employment discrimination, errors and omissions, first-party losses, crime and employee dishonesty. Mr. Levitt has successfully represented policyholders in insurance recovery proceedings in federal and state trial and appellate courts around the U.S., as well as in mediation and international and domestic arbitrations. Mr. Levitt's practice often...
