The fine print in an insurance policy becomes an issue when a bizarre chain of IT disasters leaves a company without a single copy of the source code to its flagship product.
Everything that can go wrong, will, and at the worst possible moment.
The case, decided November 3rd, involved a UK company, Tektrol, Ltd., which manufactured a device called the "PowerMiser" that reportedly saved its clients money by saving energy. The source code for the PowerMiser was apparently the company's most valuable asset -- so valuable in fact, that they kept five independent copies of it. Two copies were kept on separate computers at their headquarters, one on the managing director's laptop and another on a computer at a remote site operated by an independent company. A final hard copy print-out was kept at the headquarters.
Then the worst case scenario hit. In December 2001, the company was infected by a computer worm disguised as a Christmas card from a law firm (note to self, don't trust greetings from lawyers) which destroyed the source code from the managing director's laptop when he opened the Noel greeting. The managing director then accessed the computer at the offsite to reload the source code and -- you guessed it -- infected the offsite, and destroyed their copy of the source code. Two weeks later, the Tektrol offices were broken into, and the burglars stole both the desktop machines and the sole remaining paper copy of the source code, nicely completing the disaster.
Fortunately for Tektrol, they had business interruption insurance. Unfortunately, they either didn't read the policy very carefully or never anticipated the events of Christmas 2001. The policy covered any direct or incidental losses and business interruption in which "any ... property used by the Insured at the Premises for the purpose of the Business [is] accidentally lost destroyed or damaged." Tektrol argued that the virus' destruction of the source code was "accidental" under the policy, as the virus was not targeted at or intended to harm Tektrol. The insurer naturally argued that the loss was not accidental.
Moreover, the policy went on to specifically exclude from coverage "erasure loss distortion or corruption of information on computer systems or other records programs or software caused deliberately by ... malicious persons" or "other erasure loss distortion or corruption of information on computer systems or other records programs or software."
However, the policy did cover consequential damages relating "to computers or data processing equipment ... resulting from theft or attempted theft involving breaking into or out of the buildings of the premises by forcible and violent means."
Burgled and Burned
The language of the policy is, like all insurance policies, hopelessly convoluted, and I claim no special expertise in reading such policies. However, it's clear that if Tektrol's losses were the result of a deliberate act by malicious persons (other than burglary), they were not covered. If their losses were the result of a burglary and "are not otherwise excluded" they could recover.
The task of sorting this all out fell upon the Hon. Mr. Justice Langley of the Royal High Court of Justice, Queens Bench Division, Commercial Court. The problem was that there were really two independent causes of the "loss" -- neither of which alone would have caused an interruption of Tektrol's business. If the virus had hit, and there had been no burglary, the company would have been able to restore the source code. Had the burglary occurred and no virus destroyed the remaining copies, again the source code would have been available.
It is this portion of the case that is clearly mistaken. The court's use of a "but-for" analysis -- but for the virus, the burglary would not have resulted in business interruption -- is clearly backwards.
Before the break-in, Tektrol could not have even filed a claim for "business interruption," as no business had been interrupted. The "losses" to Tektrol did not mature until the burglary occurred two weeks later, and were a direct result of the break-in. Indeed, Tektrol never was required to have made the backup copies destroyed by the virus.
If the case was decided poorly, at least it gives us the first survival tip for a cyber Worst Case Scenarios handbook: Any comprehensive risk assessment must include a complete review not only of security policies and procedures, but also of the insurance policies designed to mitigate risks in a worse case scenario. It also reminds us that Murphy's Law still holds sway: everything that can go wrong, will, and at the worst possible moment.