Arguing the finer points of policy exclusion clauses
Posted by Michael Scholtz on October 15 2008 14:53:58

A recent Appeals Court decision in the United Kingdom, involving a disputed insurance claim by a company which had lost critical software source code through a series of malicious acts, serves as a wake-up call to all South African organisations who depend on computer programs to run their businesses.


The travails of Tektrol Limited, a UK provider of energy-saving control devices for industrial motors, are reported on the Out-Law website (www.out-law.com/page-5960).


It transpires that the devices manufactured by Tektrol rely on software programs, and that the criticality of the software had prompted Tektrol to adopt what appeared to be sensible and effective precautions to safeguard the source code upon which the programs are based: copies of the source were held at Tektrol's business premises on two separate desktop computers, as well as in hardcopy form in a pilot case. A third 'soft' copy was held off-site, at the premises of an independent company, while a fourth resided on the managing director's laptop.

In a bizarre and unfortunate sequence of events, a mass-mailing computer virus made its way onto the MD's notebook and, when activated, proceeded to wipe out the copy of the source code on that machine. In the understandable belief that the version on the remote site was secure, the MD loaded it onto his computer. A short while later, burglars entered the Tektrol premises and made off with the two desktop computers and the hardcopy. To Tektrol's dismay, it was then realised that the email virus had also corrupted the version at the remote site, and that there was now no working copy of the vital source code.

Tektrol lodged a claim with its insurance company for losses suffered, only to have the application rejected on the basis of a clause in the policy which excludes consequential losses resulting from the 'erasure, loss, distortion or corruption of information on computer systems or other records programmes or software caused deliberately by rioters strikers locked-out workers persons taking part in labour disturbances or civil commotion or malicious persons'. Consequential loss for theft was also excluded.

Initially, the British High Court ruled in favour of the insurer, but in a newer development an Appeals Court found in favour of the insured. The appellate justices ruled that the exclusion clause held no force because the individual who had designed the virus, though indeed a 'malicious person', had not directly interfered with the computer systems used by Tektrol at its premises. The court further found that 'if the insurer wished to exclude all damage caused... indirectly by a computer hacker he needed to place that exclusion in a separate clause, and not refer to malicious persons in the same terms as rioters or locked-out workers'.

The court also rejected the second exclusion in the policy on the grounds that 'a true reading of the clause did not exclude the software loss'. As a result, Tektrol was deemed to be covered by the policy and therefore able to recover its losses.

Commenting on the case, Andrew Stekhoven, Managing Director of Escrow Europe (South Africa), a leading provider of active escrow services and a trusted third party that secures, verifies, updates and retains deposits of software source code and associated documentation on behalf of users of licensed software products, says: 'The obvious lesson from the proceedings is that organisations who rely on computer software for key areas of their business must take great care to ensure that they are comprehensively and unequivocally covered by their insurance policy.

'The other important message from the Tektrol experience is that the securing of source code is an aspect of business which deserves and indeed demands more focus than most companies might realise. Disasters clearly do happen, even to organisations that think they do enough to protect themselves. Source code, once corrupted, destroyed or stolen, can be incredibly difficult and expensive to regenerate, and in some cases might not be renewable at all.

'Therefore, sound corporate governance dictates that proper measures be taken to ensure that, should the unthinkable happen, business will continue with the absolute minimum of disruption. This is why we recommend that organisations consider active software escrow as part of their risk management and contingency planning. Active software escrow ensures that source code held in trust for the software user is, firstly, a full working copy of the program(s) currently in use. This helps to ensure that any impacted system(s) can be re-implemented in their entirety in the shortest possible time.

'Secondly, professional escrow providers such as Escrow Europe know what is required to guarantee the security of customer source code, and they have an array of precautionary measures in place to ensure that software under their aegis will never become corrupted or otherwise unusable, whether by accident or design. Companies thereby are substantially less likely to find themselves in courts of law, arguing the finer points of policy exclusion clauses with their insurers.'