Document Directors and Officers Insurance (and other coverage)

[dims]

One of the items in the ask from k8s steering was about Directors and Officers Insurance.

During the Apr 12th meeting of CNCF GB, @mkdolan had some information about what's covered, who is covered et. al. We need to document this publicly for all sorts of leaders in our various projects to be aware of. It's currently in the confidential session section of the presentation and the thought was to make it available to everyone better here in this repository (or somewhere else that Mike prefers is ok too). Tracking this request here to ensure that we don't drop this off of our collective radar.

Very specifically we are looking for coverage of folks who are NOT covered by their company as they are participating in the community on their own time. but yes, we should enumerate who is covered, what is covered etc as well so leaders can be aware of their legal risk when participating in the foundation.

It would be good to point out to legal risks in specific projects documentation too so individuals can evaluate better. Right now we do not have any guidance in k8s for example.

[dims]

Here's a statement from CNCF that @pritianka requested me to share with you all. Also cc'ing @poconnor1. we will wait for @mkdolan to come back from vacation to help draft something better that we can add to some of our documentation at CNCF / k8s.

---

Existing coverage - D&O and EPLI

The Linux Foundation already maintains a comprehensive umbrella of policies to protect its communities’ interests including EPLI (Employee Practices Liability Insurance), and D&O (Directors & Officers) Insurance.

The LF policy has broader coverage and higher limits than other policies that we’ve been pointed to as examples. Further, we’re concerned after seeing some of those policies that people are not actually getting the coverage of what they’re being told. The LF policy covers its insured entities, including:

“Employee means any natural person, who is a past, present, or future full-time, part-time, seasonal or temporary worker, employees leased or loaned to, or volunteer or committee member of an insured entity.”

In any case, we do feel it’s unlikely the LF’s insurance policy would be relevant to company employees contributing as part of their work. In those cases, it’s more likely that the company and its legal teams would want to take control of defending their company/employee. We want to be clear that we would not get in the way of the company taking control of its defense. That just means some community members have multiple paths to being covered, but there is at least one source of coverage.

---

[tabbysable]

Oooh, i love to see this!

[justaugustus]

(Usual "I am not a lawyer" disclaimer)

“Employee means any natural person, who is a past, present, or future full-time, part-time, seasonal or temporary worker, employees leased or loaned to, or volunteer or committee member of an insured entity.”

The way I'm interpreting this is that directors/officers/committee members of LF directed funds, like CNCF, would be covered by this policy.

Example: @dims (CNCF TOC Chair) + @parispittman (CNCF GB Kubernetes Seat) would be covered because their roles exist on the CNCF-level

That said, is Kubernetes an "entity"? My understanding is it is not.

Does this suggest that project-level committees e.g., Kubernetes Steering, Security Response, Code of Conduct need to be established/blessed as CNCF-level governance groups to be included in the policy?

If yes:

1. How complete would these extensions of the policy be? Only Graduated projects? Graduated and Incubating? All CNCF projects, including Sandbox?
2. What process changes would have to happen to make sure this is properly reflected for existing committee members?

Finally, for existing CNCF bodies, could we have clarity on what:

volunteer or committee member

means?

Governing Board? Technical Oversight Committee? TAG Chairs/Technical Leads?

[tabbysable]

^^^ Thank you Stephen! +1 everything you said here -- I love to see this if it helps us and clarification around the definition of those terms is important.

[dims]

@tabbysable @justaugustus yep. folks are off on vacation. we asked the same exact questions :)

[pritianka]

Hello folx - I am not a lawyer and not providing legal advice here :-). But as I understand it, volunteers to committees are covered. The entity is the Linux Foundation and it houses the k8s project (via the CNCF-directed fund). As Dims said, the legal minds are on vacation so we can get more clarification when they return. But they have already looked at the matter with Kubernetes Steering, Security Response, Code of Conduct at the center of the conversation and said the committees are good to go for the standard coverage without additional action :-).

[justaugustus]

legal minds are on vacation so we can get more clarification when they return

SGTM! Thanks for pushing this along, everyone!

[justaugustus]

the legal minds are on vacation so we can get more clarification when they return

@pritianka @caniszczyk -- Heya, do we have clarification on this e.g., [updated] copy to reference?

[caniszczyk]

This is what our legal team has posted: https://github.com/cncf/foundation/blob/main/do-insurance.md

Hope that helps.