Tektrol's worst case scenario
How the judgment may thwart attempts to recover
The fine print in an insurance policy becomes an issue when a bizarre chain of IT disasters leaves a company without a single copy of the source code to its flagship product.
A series of booklets by Joshua Priven describe how to survive a series of "Worst Case Scenarios." These include telling readers how to escape from quicksand, survive a bear attack, land a plane, or perform an emergency tracheotomy. A recent case in the Queens Bench in London illustrates the need for just such a handbook for the IT security environment, particularly as it applies to insurance policies that are supposed to protect you from loss of electronic information.
The case, decided November 3rd, involved a UK company, Tektrol, Ltd., which manufactured a device called the "PowerMiser" that reportedly saved its clients money by saving energy. The source code for the PowerMiser was apparently the company's most valuable asset -- so valuable in fact, that they kept five independent copies of it. Two copies were kept on separate computers at their headquarters, one on the managing director's laptop and another on a computer at a remote site operated by an independent company. A final hard copy print-out was kept at the headquarters.
Then the worst case scenario hit. In December 2001, the company was infected by a computer worm disguised as a Christmas card from a law firm (note to self, don't trust greetings from lawyers) which destroyed the source code from the managing director's laptop when he opened the Noel greeting. The managing director then accessed the computer at the offsite to reload the source code and -- you guessed it -- infected the offsite, and destroyed their copy of the source code. Two weeks later, the Tektrol offices were broken into, and the burglars stole both the desktop machines and the sole remaining paper copy of the source code, nicely completing the disaster.
Fortunately for Tektrol, they had business interruption insurance. Unfortunately, they either didn't read the policy very carefully or never anticipated the events of Christmas 2001. The policy covered any direct or incidental losses and business interruption in which "any ... property used by the Insured at the Premises for the purpose of the Business [is] accidentally lost destroyed or damaged." Tektrol argued that the virus' destruction of the source code was "accidental" under the policy, as the virus was not targeted at or intended to harm Tektrol. The insurer naturally argued that the loss was not accidental.
Moreover, the policy went on to specifically exclude from coverage "erasure loss distortion or corruption of information on computer systems or other records programs or software caused deliberately by ... malicious persons" or "other erasure loss distortion or corruption of information on computer systems or other records programs or software."
However, the policy did cover consequential damages relating "to computers or data processing equipment ... resulting from theft or attempted theft involving breaking into or out of the buildings of the premises by forcible and violent means."
Burgled and Burned
The language of the policy is, like all insurance policies, hopelessly convoluted, and I claim no special expertise in reading such policies. However, it's clear that if Tektrol's losses were the result of a deliberate act by malicious persons (other than burglary), they were not covered. If their losses were the result of a burglary and "are not otherwise excluded" they could recover.
The task of sorting this all out fell upon the Hon. Mr. Justice Langley of the Royal High Court of Justice, Queens Bench Division, Commercial Court. The problem was that there were really two independent causes of the "loss" -- neither of which alone would have caused an interruption of Tektrol's business. If the virus had hit, and there had been no burglary, the company would have been able to restore the source code. Had the burglary occurred and no virus destroyed the remaining copies, again the source code would have been available.
Justice Langley concluded therefore that if either of these independent causes of the business interruption were excluded from the coverage of the policy, then the insured could not recover. As he explained, "In my judgment, whether as a matter of 'instinct' or on the basis of an increased risk of loss, in the context of this policy both the virus and the burglary are properly to be described as causes of the consequential loss (business interruption) claimed by Tektrol." He went on to explain, "if the consequences of either the virus or the burglary are excluded from cover[age], insurers succeed." Because the losses from the virus were excluded from the policy, Tektrol loses.
It is this portion of the case that is clearly mistaken. The court's use of a "but-for" analysis -- but for the virus, the burglary would not have resulted in business interruption -- is clearly backwards.
Before the break-in, Tektrol could not have even filed a claim for "business interruption," as no business had been interrupted. The "losses" to Tektrol did not mature until the burglary occurred two weeks later, and were a direct result of the break-in. Indeed, Tektrol never was required to have made the backup copies destroyed by the virus.
If the case was decided poorly, at least it gives us the first survival tip for a cyber Worst Case Scenarios handbook: Any comprehensive risk assessment must include a complete review not only of security policies and procedures, but also of the insurance policies designed to mitigate risks in a worse case scenario. It also reminds us that Murphy's Law still holds sway: everything that can go wrong, will, and at the worst possible moment.
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.