Is source code an insured loss? Tektrol thought so!

United Kingdom

Tektrol designed, developed and manufactured energy saving control devices for industrial motors. Its most successful product contained software which could be easily customised to the needs of a particular customer. To protect the source code, Tektrol stored it in five different places: on two development computers at its premises, on a laptop belonging to the Managing Director, on a computer at a remote site operated by an independent company and on a paper printout kept at the premises.

In a bizarre chain of unfortunate events, all copies of the source code were lost or destroyed. First, the Managing Director received an email containing a virus, which destroyed the copy of the source code on the laptop and at the remote site. Then Tektrol’s premises were burgled and the development computers containing the source code and the paper copy of the code were stolen.

Tektrol brought an action seeking an indemnity from its insurers for contents, stock and business interruption losses caused by the loss of the source code due to the virus and the burglary. The insurers claimed that the losses were excluded under the policy. By clause 7(b)(i) of the policy, damage or consequential loss caused by the erasure, loss, distortion or corruption of information on computer systems or other records, programs or software caused deliberately by malicious persons was excluded.

At first instance the Judge held that Tektrol’s insurers were not liable for the losses caused by either the virus or the burglary under the terms of the policy. It was an agreed fact that the sender of the virus was a malicious person and the Judge decided that the loss had been caused deliberately even though the virus had not been specifically targeted at or intended to harm Tektrol.

The first instance decision was reversed by the Court of Appeal. The Court held that Clause 7(b)(i) of the policy only covered interferences directed specifically at the computers in question. To cover remote hackers by including them as “malicious persons” would mean adding a different category of persons making a very different kind of attack to those excluded. If the insurer wanted to exclude losses caused by remote hackers indiscriminately sending out viruses, that exclusion needed to be set out in a separate clause with specific wording.

The Court of Appeal showed a considerable amount of sympathy for Tektrol. To quote the judgment, “…it does seem harsh that the extraordinary sequence of misfortune which afflicted Tektrol in this case should be compounded by an unsuccessful legal battle to recover the loss from their so called “all risks” insurers”. Whilst this may provide some comfort to policyholders, there is no guarantee of a sympathetic court on every occasion. This case therefore provides a warning that companies should take great care when seeking insurance to cover loss of software, in particular proprietary software.

This article first appeared in our Technology Annual Review, March 2006. To view this publication, please click here to open in a new window.