This case note is based on an Article in the August 2005 Edition of the ‘(Re)insurance Bulletin’, published by the Reinsurance and Insurance teams at the international firm of lawyers, DLA Piper Rudnick Gray Cary. DLA Piper is an International Contributor to this website

Background
Tektrol's business was the design, development and manufacture of energy saving control devices for industrial motors. Its main product derived from a source code, which was adapted and customised for particular circumstances. The code was stored in a number of places to minimise the risk of loss - on two computers located at the insured's business premises; on the managing director's laptop; on a computer at a remote site operated by an independent company; and on a hard copy printout kept on the premises.

On 19 December 2001, Tektrol received an email from a firm of solicitors attaching a Christmas card. The managing director opened the attachment on his laptop, only to discover that it was a virus sent inadvertently by the solicitors, whose system had been corrupted. The virus program, which immediately disabled the keyboard and started deleting files, was designed to email itself to all contacts in the recipient's Microsoft Outlook address book.

The managing director quickly pulled out the network cable, but the virus had already deleted the source code on his laptop. Believing, however, that files stored on the remote server were still intact, he repaired and reloaded his laptop from the remote site and left for his Christmas holidays.

On about 2 January 2002, Tektrol's business premises were burgled and various items taken, including the two computers that held the source code and the hard copy printout. Because of the New Year holiday, the theft was not discovered until 7 January. It was then that the insured realised that the virus had deleted the source code held at the remote site and that all copies of the source code had been lost.

The cover
Tektrol was insured by the defendant under a combined all risks policy. Business interruption losses were covered by Section 2, subject to some specific exclusions. Clause 7 excluded "damage caused by or consisting of a consequential loss arising directly or indirectly from …

7(b) in respect of Section 2:
(i) erasure, loss, distortion or corruption of information on computer systems or other records, programs or software caused deliberately by rioters, strikers, locked-out workers, persons taking part in labour disturbances or civil commotion or malicious persons;

Clause 13 excluded damage or consequential loss in respect of computers or data processing equipment unless caused by:

The Defined Perils included fire, flood, explosion, riot, civil commotion and "malicious persons".

Causation
Both the virus and the burglary were causes of the consequential loss claimed, although the virus was an indirect cause. But, had there been no virus, the burglary would not have caused any business interruption loss because there would have been other copies of the code. Clause 7 applied, however, whether losses were caused "directly or indirectly" by excluded causes.

If a loss has two causes and one of them is excluded from the cover and the other is not, the loss is excluded in its entirety. This was the principle applied by the Court of Appeal in Wayne Tank & Pump v Employers Liability Ltd [1974] 1 QB 57 where there were two proximate causes of the loss. The judge in this case saw no reason why the same principle should not apply where there was one direct and one indirect cause, and the point was not disputed on appeal. The crucial issue was whether the virus and/or the burglary fell within the exclusions.

Applying the exclusions
Insurers argued that the loss of the source code by the virus was excluded by 7(b)(i) because it was caused deliberately by malicious persons. The loss of the other copies of the code as a result of the burglary was excluded by 7(b)(ii) and did not result from a Defined Peril. In any event, since either one of the two events was excluded and both events contributed to the total loss of the source code, the whole claim failed.

The insured argued that 7(b)(i) did not apply to the loss caused by the virus because the virus had not been deliberately aimed at or intended to harm the insured. Exclusion 7(b)(ii) did not apply because it dealt only with electronic loss, not the loss of physical items, which was covered by exclusion 13. Exclusion 13 applied to the physical loss of the computers, but not to losses caused by a Defined Peril or by theft from the insured's premises.

At first instance, the judge agreed with insurers and held there could be no recovery under the policy. The insured appealed.

Judgment
The Court of Appeal took the view that, in cases of real doubt, exclusions ought to be construed most strongly against insurers, since it was insurers who included them in the policy. In this case, it was at least a relevant factor that insurers could have made things much clearer in their own favour (if that was their intention) when they drew up the policy. Lord Justice Carnwath commented on the "bewildering and apparently comprehensive list of exclusions" contained in what was described as an all risks policy. "One should start from the presumption that the parties intended an all risks policy to cover all risks, except when they are clearly and unambiguously excluded."

The virus
Exclusion 7(b)(i) excluded losses caused deliberately by the actions of (amongst others) malicious persons. At first instance, the judge agreed with insurers that the hacker who created the virus was a malicious person acting deliberately, even though he would have been indifferent whether the insured was amongst his victims.

On appeal, the insured argued that the list of people deliberately causing damage ("rioters, strikers, locked-out workers, persons taking part in labour disturbances or civil commotion or malicious persons") suggested the draftsman was thinking of acts aimed specifically at the insured's computers and committed on or near the insured's premises. To tag on a category, which, if insurers were right, included remote hackers, introduced a completely different kind of attack.

The Court of Appeal unanimously agreed. Even though the hacker could be described as malicious, the exclusion did not extend to damage not specifically aimed at the insured's computer systems on the insured's premises. If insurers wanted to exclude all damage caused, however indirectly, by a computer hacker, they should put that exclusion into a separate clause rather than bundling it together with rioters and locked-out workers.

The burglary
At first instance, the judge took the view that "loss" in clause 7(b)(ii) referred to the loss of software, whereas clause 13 addressed the physical loss of the computers themselves. This was a case of loss of information so it fell within exclusion 7(b)(ii), unless the loss was caused by a "Defined Peril". The only remotely appropriate defined peril was "malicious persons" and that term could not apply to burglars. Consequently, the insured's claim in respect of the burglary was excluded.

The majority of the Court of Appeal, however, disagreed. Lord Justice Buxton and Sir Martin Nourse thought the judge's interpretation imputed too precise a use of language to the draftsman. Those drawing up policy wordings frequently use overlapping phrases to ensure they leave nothing out. The list of events in 7(b)(ii) – "other erasure loss distortion or corruption of information" - was an example of this "linguistic overkill".

Taken together, the words suggested loss by means of electronic interference. It seemed inherently unlikely that the word "loss" in this context introduced a completely new concept of loss of information due to the physical loss of the physical medium on which the information was carried. That event fell much more naturally into exclusion 13, which, however, did not apply in cases of burglary.

Since neither the virus nor the burglary was excluded, the insured could recover from insurers. The appeal succeeded on both counts.

Back to Top