10.14 Employment discrimination by contractor prohibited

10.14.3 Insurance

Contractors are required to have current workers' compensation, employer's liability, commercial general liability and automobile liability insurance policies when work is to be performed on state owned or leased property or facilities. In certain types of IT service contracts and to mitigate certain risks, professional liability/errors and omissions insurance and/or cyber liability insurance coverage is also required. The Commonwealth of Virginia must be named as an additional insured when requiring a contractor to obtain commercial general liability coverage.

In some specific cases, workers' compensation insurance and employer's liability insurance may not be required. Workers' compensation insurance is required when the contractor has three (3) or more employees. If work is performed by a sole proprietor, the person does not need workers' compensation insurance, as they do not have employees.

Employer's Liability Insurance is required if an employer has employees who are paid a wage or salary. Employer's liability insurance is not required for persons in business together, e.g., husband and wife, siblings or parents and children, as these persons would be considered owners not employees.

All agreed upon and statutorily mandated insurance must be obtained by the supplier prior to commencing work and must be maintained during the entire term of the contract. Documentation confirming the contractor's insurance shall be included in the procurement file.

In IT contracts Errors and Omissions Insurance should always be required by Suppliers, except for simple computer-off-the-shelf (COTS) software products. This insurance covers a Supplier's performance errors and intentional or accidental omissions in their performance obligated by the contract's technical/functional requirements. The coverage amount is based on the complexity of your procurement. For instance, if a Supplier is developing a custom solution for the agency, or if the procurement is providing a critical business continuity service to citizens, or if the Supplier is providing a cloud service (i.e., Software as a Service), then a higher amount of coverage should be required. Typical language to include in a contract is: "Supplier shall carry Errors and omissions insurance coverage in the amount of $2,000,000 per occurrence."

For cloud service procurements, it is recommended to require Supplier to also provide coverage for Cyber Security Liability Insurance to assist in data loss or security breach, which can result in losses valued in excess of millions of dollars. This is a relatively new type of insurance that some Suppliers will not have. Often they will say it is included in their Errors and Omissions insurance. If that is the case, you should require a higher coverage in the Errors and Omissions requirement and ask them to confirm how their insurance provider will cover incidents of data loss and security breach. Get the facts in writing and include applicable language in your contract. The typical language to include in your contract requirement for this is: Supplier shall carry Cyber Security Liability insurance coverage in the amount of $5,000,000 per occurrence. Once again, the coverage amount can be decreased or increased based on your risk factor and project complexity and data/security sensitivity.