AEC firms should carefully assess confidentiality clauses in contracts to avoid uninsured risks, especially amid growing cyber threats.
AEC firms should be careful not to overlook the growing number of longer and more complicated confidentiality agreements currently finding their way into proposed design contracts. In some cases, these clauses have the potential to create exposures which may not be covered under professional liability or other insurance policies typically carried by design firms. Furthermore, the rapidly changing environment, including an increase in sophisticated cyber-attacks and the widened use of artificial intelligence, can make these clauses more problematic.
That’s more reason for design firms to become educated on the potential exposure and take steps to avoid it.
Nondisclosure agreements are becoming a more routine part of doing business – and it’s completely understandable for owners to want their proprietary information protected. Nonetheless, you should read and understand these agreements and the confidentiality clauses in your contracts and be aware of the potentially uninsured exposures they can create.
Your professional liability insurance coverage responds to confidentiality clauses the same way it applies to other contractual clauses. There will be coverage afforded unless you exceed obligations that would be owed in the absence of the contract. In other words, you are covered for your negligence, but not for warranties, guarantees, or obligations that exceed the professional responsibility of your peers.
Certainly, you have coverage under your professional liability insurance for your normal obligation to keep client information confidential while the firm is providing professional services. Yet, there likely may be no coverage if the disclosure occurs outside of the scope of providing professional services.
It’s hard to imagine a situation where a design professional would intentionally disclose confidential information, but there are situations where unintentional disclosure can occur. Indeed, there are the “old-fashioned” ways, such as if untrained junior members of the firm disclose information they shouldn’t, or when what should be a discrete discussion about a current project is overheard in a public place. That’s why it’s critical to make sure your entire staff is fully aware – and constantly reminded – of the confidential nature of client-related matters and properly trained to avoid any inadvertent disclosure.
Furthermore, during your review of any design contracts, be sure to carefully check the clauses to determine what is classified as confidential, and that the language is not overly broad. You should also be very careful about damage spelled out in the contract that might be associated with these breaches. For instance, does the owner have to prove the breach to recover the damages? Can they be construed as “liquidated damages,” which are not covered by your professional liability insurance policy? Do the amounts stipulated exceed the actual damages incurred?
Whether your professional liability insurance policy will respond to a claim related to a breach of the confidentiality clause will be based on the allegations. Most importantly, make sure that the requirements in the contract are what you would owe in the absence of the contract; in other words, that they are consistent with a negligent breach of the standard of care. If the allegations in a claim are based on negligence related to providing professional services, a defense to the claim should be provided.
Firms that historically handle government contracts typically have strict office protocols with respect to all individuals entering and leaving the premises – including sign-ins with identifying information – to avoid the risk of any materials inadvertently getting into the wrong hands. Depending on the terms of your contract, consider implementing similar procedures on specific projects that are deemed as “highly secure.”
In the current environment with growing numbers of sophisticated cyber breaches that have targeted businesses in all sectors the risk potential has mushroomed. Design firms, like all types of businesses, have vulnerabilities to this type of breach. Unfortunately, should a client make a claim, it is unlikely to be covered by professional liability insurance as the incident involves business practices rather than professional practices.
Although most design firms now carry standalone cyber-insurance coverage, which helps them restore their system – and includes protection for other related risks, including damage to clients as a result of the breach – the limits are generally aggregate, relatively low, and not necessarily meant to respond to confidentiality clauses.
Given the proliferation and scope of these attacks, it’s not difficult to envision a situation where multiple clients could be impacted. In this case, coverage limits might not be sufficient to address the heightened exposure. In order to present a strong defense in the event of this type of breach be sure you have been appropriately educating your staff with established, documented, and constantly reinforced protocols to avoid breaches and safeguard your system.
As part of your standard contractual review process, when you see a lengthy, onerous confidentiality clause in your contract ask yourself several key questions:
- What portion of this clause is covered by my various insurance policies?
- What are my peers doing in relation to accepting this type of clause?
- Is the provision complex enough that I should have my lawyer review it so that I understand the uninsured risk?
In the past, AEC claims involving breaches of confidentiality components have been relatively rare. However, design contracts are changing, as are theories of litigation. So, being thoughtful and proactive in your contractual review process and risk management practices can help you keep from having to deal with such claims, particularly in the face of elevated client expectations, rapidly evolving risks, and a changing legal climate.
Lauren Martin is a risk manager and claims specialist at Ames & Gough. She can be reached at lmartin@amesgough.com.
