Data Centers: Emerging Risks and Insurance Coverage Considerations

Amid explosive growth in artificial intelligence (AI) applications and cloud computing, data centers have become critical infrastructure for companies seeking to develop or expand data-intensive capabilities. Data centers are physical facilities that house computer servers and associated components to process and store large amounts of data. The role of data centers in modern business operations is rapidly growing, with no end in sight. Major players in the AI sphere have invested in their own data centers, and many more companies rely on third-party data centers for their computing power. In addition to companies utilizing data center processing and storage, a range of businesses support data centers, including HVAC and building control companies, physical and cyber security service providers, utility suppliers, real estate and construction companies, materials suppliers, and a wide range of technological support services such as highly-specialized server designers.

With new business opportunity also comes new types―and levels―of risk for all players in the data center space. These risks include:

• Physical damage to the data center or its components or contents due to natural or man-made disasters, or failed systems within or outside the data center
• Cyber attacks
• Business disruption or loss of revenue due to a partial or total shutdown of the data center, or a delay in start-up
• Third-party claims by one data center participant against another for allegedly causing any of the above losses
• Third-party claims by customers or neighbors alleging harm due to operational failures at the data center

Fortunately, insurance is available to cover all of these types of losses, and data center players should take steps to assess whether their insurance coverage is sufficient to cover these risks.

Recent Developments

In order to power the AI boom, data center investment has increased exponentially. In the last four months alone, all levels of government and the private sector have taken significant action to expand data center capacity in the United States:

• On July 23, 2025, the White House issued the Accelerating Federal Permitting of Data Center Infrastructure executive order, directing the departments of Commerce, Energy, Defense, and the Interior, and the Office of Science and Technology Policy to take action to facilitate faster development of data center projects, including on federal land.
• Coming out of a July 2025 AI summit hosted by Pennsylvania Gov. Josh Shapiro, tech companies have announced eleven-figure investments to build “behind-the-meter” data centers in Pennsylvania, pairing power sources such as nuclear power plants with the energy-intensive data centers.
• In Northern Virginia, which has become known as “Data Center Alley” due to its outsize data center incentives and investment, CleanArc Data Centers announced plans this month to expand its hyperscale data center to reach nearly 1 GW capacity (1 billion watts).

Hypothetical Data Center Events Triggering Insurance Coverage

Data center risks implicate a wide range of insurance coverages. For example, data centers rely heavily on reliable power and water resources, heightening potential for service outages and risks from either drought or flooding. Wastewater discharge from the data center’s cooling system brings potential environmental risk. A trend toward clustering data centers to take advantage of favorable locations for power and water resources further aggregates a data center’s exposure to natural disasters and to local regulatory challenges such as permitting delays. Further, storing vast amounts of sensitive data also exposes companies to cyber and physical security risks and can implicate regulatory regimes protecting personally identifiable information.

A few hypothetical scenarios demonstrate ways in which these risks may implicate different coverage considerations:

The Fire: Failure of one of the data center’s operational systems is alleged to cause data center batteries to overheat, leading to a thermal runaway explosion. The fire destroys many racks of computer servers and causes an outage. During this outage, the data center operator’s customers lack sufficient processing capacity to run their operations. Depending on who is facing liability or loss, the relevant data center vendors (e.g., security, HVAC, plumbing/electric), the data center operator, and the data center’s customers could each seek to recover under different types of insurance policies:   

• The HVAC or other building subcontractor’s/vendor’s general liability and/or professional liability policies may respond, providing coverage for defense and/or settlement of third-party claims. General liability coverage should respond to claims based on bodily injury or property damage. Professional liability or errors & omissions (E&O) policies should respond to claims based on faulty design/economic harm.
• The data center operator’s or owner’s property and business interruption coverage could cover the costs for repairing the facility and their own lost income from the resulting outage. The operator or owner could also seek coverage under their professional liability or E&O policies for defending and/or settling third-party claims related to the outage, or under their general liability policies for third-party claims of bodily injury or property damage.
• The data center customers’ property policies may include contingent business interruption coverage that would respond by covering their lost income from the impact of the data center’s service interruption.

The Cyber Lockdown: An attempted cyber-attack triggers an automatic system lockdown that prevents any loss of data or other damage. However, the data center operator still experiences a service outage due to the shutdown and resulting investigation, and its customers file multi-million dollar claims for failure to fulfill service contracts and alleged breach of cybersecurity measures required by these contracts.

• Similar to the HVAC vendor, the cybersecurity vendor’s general liability and/or professional liability or E&O policies could respond to claims based on any alleged flaws in the data center’s system response.
• The data center operator’s property or cyber insurance policies may respond with lost business income coverage. Similar to the first example, the operator’s professional liability or E&O policies should respond as to third-party claims by customers.
• The data center’s customers could seek to recover their lost income under contingent business interruption coverage in their property or cyber policies.

The Start-Up Delay: A data center developer plans to expand a data center cluster, but local residents raise concerns about noise and water pollution. Local permitting challenges cause a six-month delay in opening the new facilities and the data center developer fails to fulfill several contracts during the delay. Soon thereafter, a state environmental agency opens a regulatory investigation into the alleged water pollution.

• If the construction contractor is blamed for the permitting delays, its general liability and/or professional liability or E&O coverage should respond in the same manner as the HVAC and cybersecurity vendors’ coverage (the former for claims of bodily injury/property damage and the latter for claims of economic harm).
• The data center developer’s builders risk coverage may provide coverage extensions for costs incurred due to the delay. The developer’s professional liability or E&O coverage should respond to customer claims and may respond to the regulatory investigation, subject to potential policy carveouts such as pollution exclusions. Environmental liability policies may also respond to the costs of the regulatory investigation.

These hypothetical scenarios cover only a small subset of the risks that data center operators and vendors must navigate. In preparing for each of these hypothetical scenarios, it is important for a business to understand how their insurance policies will respond, and what variations in policy language could result in valuable coverage or critical coverage gaps.

Key Insurance Issues That May Arise with Data Center Claims

While the types of risks that could arise from rapid data center development are not necessarily new, the rapid expansion, newly developed technology and unprecedented scale will heighten such risks. As with any significant covered risk, there are likely to be coverage disputes which will require a close read of the policy and a review of relevant court rulings. As one relevant example, an issue is likely to arise as to whether damage to data or data systems constitutes “physical loss or damage” sufficient to trigger a traditional property policy.  

• In American Guarantee & Liability Insurance Company v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. Apr. 18, 2000), a power outage at the policyholder’s data center caused a half-hour interruption in service and several days’ worth of work reprogramming lost data configurations to restore communications with the rest of the system. The insurer argued there was no physical loss to trigger property insurance coverage.
• In Ashland Hospital Corporation v. Affiliated FM Insurance Company, 2013 WL 3213051 (E.D. Ky. June 24, 2013), an air conditioning failure in a hospital’s data center caused overheating that rendered physician orders, patient schedules, and historical medical records unavailable for several hours. The hospital replaced its damaged computer data storage system and sought coverage from its property insurer, which denied the claim for lack of direct physical damage and challenged whether the replacement system was “of like kind and quality” due to storage capacity and software improvements.
• In Computer Programming Unlimited, Inc. v. Hartford Casualty Insurance Company, 2022 WL 18135188 (N.D. Ohio Oct. 26, 2022), an information technology services provider relied on server space from third-party data center vendors, but one of its vendors went bankrupt. The IT provider sought coverage under a Technology and Software Service Providers special property form for the cost of leasing replacement servers to migrate its customer data. The insurer denied coverage for lack of direct physical loss.

The courts addressing these disputes reached varying results, finding that the loss of programming information in Ingram and the microscopic heat damage in Ashland Hospital Corporation did constitute physical damage to which the property insurance policies responded, but ruling against the policyholder in Computer Programming Unlimited (“CPU”) by finding that loss of use of the servers did not constitute direct physical loss. (However, this was a unique case, and may not apply broadly to data center coverage claims, because CPU was able to transfer client data to a new vendor without any disruption in service; it sought coverage only for the cost of the transition as its loss.) Other coverage issues should be more straightforward: for example if a subcontractor’s failed building system leads to physical damage to computer servers or other building components, and a claim is filed against the subcontractor, this should be covered by that subcontractor’s general liability policy.

The rise in data centers is likely to introduce new coverage issues, or new takes on old ones. Covington has the nation’s preeminent policyholder-side practice and stands ready to help with these issues.

If you have any questions concerning the material discussed in this client alert, please contact the members of our Insurance Recovery practice.