The Claimant, Tektrol, was in the business of designing, developing and manufacturing energy saving control devices for industrial motors. Its main product was called a 'PowerMiser' which relied on certain software. The source code for the software, which was required to customise each PowerMiser to the requirements of a particular customer, was used and modified by the Claimant. The Claimant stored the source code in five different places: on two development computers at its premises, on a laptop belonging to the Managing Director, on a computer at a remote site operated by a company known as 'Compwise Systems' and on a paper printout kept at the premises. The Defendant, International Insurance Company of Hanover Limited, insured the Claimant in respect of material damage and business interruption loss under the terms of a Combined All Risks policy issued by Admiral Underwriting Agencies dated 18 January 2002.
In December 2001, the Managing Director of Tektrol received an email in the form of a Christmas card, which he opened on his laptop. The email attachment contained a virus which damaged or deleted some files, including the source code. Believing that the remote site had not been corrupted, the Managing Director repaired and reloaded the laptop from this site and believed that the source code had been recovered. In January 2002, the Claimant's premises were burgled and the development computers and hard copy of the source code were stolen along with other equipment and stock. It was then realised that the virus had deleted or damaged the source code on the data server, so the source code had not in fact been successfully restored to the laptop. The Claimant, therefore, had no remaining copies of the source code, which meant that it could only produce PowerMisers that were exact replicas of existing machines and not customised in any way.
Tektrol brought an action seeking an indemnity from its insurers, the Defendant, for contents, stock and business interruption losses caused by the loss of the source code due to the virus and the burglary. The insurers claimed that the losses were excluded under the policy, and this was heard as a preliminary issue. By clause 7(b)(i) of the policy, erasure, loss, distortion or corruption of information on computer systems or other records, programs or software caused deliberately by malicious persons was excluded. Under clause 7(b)(ii) other erasure, loss, distortion or corruption of information on computer systems or other records, programs or software was excluded, unless resulting from a Defined Peril not otherwise excluded. "Defined Peril" was defined as "fire, lightening, explosion, aircraft or other aerial devices or articles dropped therefrom, riot, civil commotion, strikers, locked-out workers, persons taking part in labour disturbances, malicious persons, earthquake, storm, flood, escape of water from any tank apparatus or pipe or impact by any mechanically propelled vehicle or by goods falling therefrom or animal".
Langley J held that both the virus and the burglary were causes of the business interruption claimed by Tektrol. It was an agreed fact that the virus was created by a "malicious person" but Tektrol argued that the loss caused by the virus was not "caused deliberately" (to try and avoid the exclusion in clause 7(b)(i)) because the virus was not specifically targeted at or intended to harm Tektrol. The Judge did not agree. He held that there was no need for the act which causes the loss to be directed at a specific person or object – the erasure of the source code on the laptop and at the remote site was caused deliberately by those who created and transmitted the virus. Therefore, the loss arising from the virus was excluded from cover. The Judge concluded that the consequences of the burglary did not result from a Defined Peril because the burglars were not "malicious persons" in the sense used in this clause of the policy and clause 7(b)(ii) included physical (as opposed to purely electronic) loss. It was held that, on the proper construction of the policy, the loss of the source code by the virus was excluded under clause 7(b)(i) and the loss of the source code in the burglary was excluded under 7(b)(ii). Even if loss arising from only one of the events (either the virus or the burglary) was excluded under the policy, it would be sufficient to exclude the loss to Tektrol in its entirety because the Judge held that both the virus and burglary caused the same loss (without one of the events taking place, the source code would not have been lost), and if either (not necessarily both) of the causes was excluded from cover, the loss would be excluded.
Software damage exclusions of the type found in Tektrol's policy are not unusual, as considerable losses can be caused by damage to electronically held data given the reliance on computers in the business world today. Often, as in the Tektrol case, the courts are reluctant to allow claims against insurers for loss flowing from software damage to succeed, so as not to open the floodgates to claims of this nature which were not intended to be covered by the insurance policy when it was entered into: ultimately, the courts will look at the intention of the parties when entering into the insurance to decide whether these types of losses should be covered. Insurers' and businesses' interests are obviously at odds in terms of the drafting of computer virus exclusions, as insurers will want wide exclusions which cover all types of viruses and businesses will want to ensure that they can recover for often wide-ranging losses caused by viruses.
Businesses with heavy reliance on IT systems (like Tektrol) should review their insurance policy exclusions before entering into insurance contracts and at renewal time. This ensures that the relevant policy clauses cover, as far as possible, any loss to their specific business arising from software, and allows clauses to be quickly and effectively updated to take into account new advances in the types of computer virus (which are becoming more sophisticated by the day). All businesses must take precautions to prevent the loss of critical information and software, which should include up-to-date anti-virus software and strict email opening protocols, especially if the business cannot be operated without functioning IT systems. Tektrol was subject to a bizarre chain of events which caused the loss of the source code, but the case acts as a timely warning that business losses flowing from viruses can be wide-ranging and expensive.
For further information about the legal aspects of this case, or to discuss any insurance issues affecting your business, please contact Kate Tregidgo on +44 (0) 20 7367 2869 or at [email protected], or to discuss any IT law or Intellectual Property issues affecting your business, please contact Phillip Carnell on +44 (0) 20 7367 2430 or at [email protected].