The ruling of 21st July overturns a High Court decision in
favour of the insurer last year.
Tektrol Limited provides energy-saving control devices for
industrial motors. These devices rely on software, and Tektrol had
taken precautions to protect the source code for that software: the
code was held at its business premises on two computers and also as
a hard copy that was stored in a pilot case; it was held at a
remote site operated by an independent company, Compwise Systems;
and it was also stored on the laptop of its Managing Director, Mr
Shlaimoun.
But in December 2001, disaster struck. Mr Shlaimoun opened a
Christmas e-card and triggered a mass-mailing computer virus. The
virus wiped the source code from his laptop. Believing the remote
site's computer to be secure, Shlaimoun loaded its backup source
code onto his laptop.
A few weeks later, burglars entered Tektrol's business premises
and stole the two computers and the hard copy of the source code.
Only then was it discovered that the virus had also corrupted the
remote site's computer – meaning all copies of the source code were
lost.
Tektrol claimed on its insurance for the business interruption
caused by the losses. However, the policy excluded, among other
things, consequential losses resulting from the “erasure, loss,
distortion or corruption of information on computer systems or
other records programmes or software caused deliberately by rioters
strikers locked-out workers persons taking part in labour
disturbances or civil commotion or malicious persons.”
It also excluded consequential loss for theft.
Lord Justice Buxton, giving the majority opinion of the court,
followed a rule established in a 19th Century case that, in cases
of real doubt, exclusions in insurance policies had to be
interpreted “most strongly against the insurers; they frame the
policy and insert the exceptions.”
With this in mind, he looked at the exclusions in the policy
from the International Insurance Company of Hanover Limited.
Lord Buxton wrote:
"It will be immediately apparent that the
list 'rioters strikers locked-out workers persons taking part in
labour disturbances or civil commotion or malicious persons'
introduces at its end a significantly different category of person
from what has gone before. The concept of rioters, etc, causing
damage to information on the computers at the insured's premises
suggests strongly that the context envisaged by the draftsman is of
interferences directed specifically at those computers and
committed on or near the insured's premises. 'Deliberately' fits
well into that context, because such persons might well damage
information accidentally or carelessly in the course of other
depredations. But suddenly to tag on at the end of the excepting
clause a reference to remote hackers, a completely different
category of person making a completely different kind of attack,
significantly changes the thrust of the exception, in a way that
one would expect to be done only by much more specific wording.
"I am therefore driven to the conclusion
that although, as agreed between the parties, the author of the
virus was a 'malicious person', the clause does not extend to
interferences by such people that are not directed at the computer
systems, etc, used by the insured at the premises. If the insurer
wished to exclude all damage caused however indirectly by a
computer hacker he needed to place that exclusion in a separate
clause, and not refer to malicious persons in the same terms as
rioters or locked-out workers."
Lord Buxton was also unhappy with the wording in the
consequential loss for theft exclusion. A true reading of the
clause did not exclude the software loss, he said.
Tektrol was therefore covered by the policy.
John Salmon, a partner with Pinsent Masons, the law firm behind
OUT-LAW.COM, said:
"Businesses should check their insurance
policies to see what cover they have in such circumstances. And
insurers should take from this judgment that if they want to
exclude damage caused by viruses, they must use specific,
unambiguous wording in their policies."
