Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Electrical Engineering

The Insurance Coverage Law Information Center

advertisement 
The following article is from National Underwriter’s latest online resource,
FC&S Legal: The Insurance Coverage Law Information Center.
The Insurance Coverage Law Information Center
VIRUSES, TROJANS AND SPYWARE, OH MY! THE YELLOW BRICK
ROAD TO COVERAGE IN THE LAND OF INTERNET OZ – PART III
By Roberta D. Anderson
Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against
the increasing threat of cyber risk. In Part 3 of this four-part article, we examine potential coverage for cyber and
privacy-related risks under commercial property and other common types of “traditional” insurance policies.
Part 4 will examine the types of coverages available under revolutionary new “cyber” insurance products.
Potential Coverage Under Property Policies
Injury to Computers, Data, Networks and Components
Most companies have insurance coverage that is intended to insure the company’s own assets. By way of example, the 2007
standard-form ISO commercial property policy covers the insured for “direct physical loss of or damage to Covered Property at the
premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”1 Property policies may be in the
form of broadly worded “all-risk,” “difference in conditions,” “multiperil” or “inland marine” policies.
Similar to the “property damage” discussion in Part I of this article in connection with potential CGL coverage for cyber risks,2 a
company’s ability to recover for cyber attacks under all risk property policies may turn upon whether data loss comprises “physical
loss of or damage” to “covered property.” A number of courts have held that data loss does comprise “physical loss” in the first-party
context.
The District of Arizona’s decision in American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc.3 is instructive. In that case
the insured sought coverage for damages it incurred when its three mainframe computers lost all of their programming information
stored in random access memory as a result of a power outage and the lost programming information had to be reentered.4 The
insured suffered additional business interruption until its employees were able to bring the network back up to operation by means of
bypassing a matrix switch, which needed to be reprogrammed.5
The insurer admitted that the insured’s “mainframe computers and the matrix switch did not function as before the power outage and
that certain data entry and reconfiguration processes were necessary,” but denied coverage on the basis that “the computer system
and the matrix switch were not ‘physically damaged’ because their capability to perform their intended functions remained intact.”6
The court rejected this argument, agreeing with the insured that “physical damage” can include “loss of use and functionality”:
At a time when computer technology dominates our professional as well as personal lives, the Court must side with [the insured]’s
broader definition of “physical damage.” The Court finds that “physical damage” is not restricted to the physical destruction or harm of
computer circuitry but includes loss of access, loss of use, and loss of functionality.7
The court, therefore, granted summary judgment to the insured.8
The Fourth Circuit’s decision in NMS Services Inc. v. Hartford9 is also instructive. In that case, a former employee of the insured
software development company installed two hacking programs on the insured’s network systems, permitting the hacker to gain
full access to the systems by “overriding security codes and unencrypting secured passwords.”10 This enabled him to cause “the
erasure of vital computer files and databases necessary for the operation of the company’s manufacturing, sales, and administrative
systems.”11
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
The insurer denied coverage and coverage litigation ensued. The court upheld coverage for business interruption under policy
language stating that the insurer would “pay for the actual loss of Business Income [the insured] sustain[s] due to the necessary
suspension of your ‘operations’ during the ‘period of restoration.’ The suspension must be caused by direct physical loss of or damage
to property at the described premises....”12 The court found that “[t]here [wa]s no question that [the insured] suffered damage to
its property, specifically, damage to the computers it owned”—thus satisfying the policy requirement of “direct physical loss of
or damage to property.”13 The court further held that the insured had extra expense coverage and additional coverage under an
extension for “Valuable Papers and Records” for its “costs to research, replace or restore the lost information….”14
Other cases have likewise found in favor of coverage, including those discussed in the next section, although the decisions are not
uniform.15
Business Interruption and Extra Expense
As the Ingram Micro and NMS Services cases illustrate, many first-party policies provide, in addition to repair or replacement coverage
for the insured’s property, so-called “time element” coverages—including “business interruption” and “extra expense” coverages—
that cover loss resulting from the company’s inability to conduct normal business operations. These coverages may cover business
interruption resulting from a cyber attack.
“Business Interruption” coverage generally reimburses the insured for its loss of earnings or revenue resulting from covered
property damage. For example, the ISO “Business Income (and Extra Expense) Coverage Form” covers the loss of net profit and
operating expenses that the insured “sustain[s] due to the necessary ‘suspension’ of [the insured’s] ‘operations’ during the ‘period of
restoration.’”16
“Extra Expense” coverage generally covers the insured for certain extra expenses incurred to minimize or avoid business interruption
and to resume normal operations. For example, the ISO standard form covers, among other things, “Extra Expense” to “[a]void or
minimize the ‘suspension’ of business and to continue operations at the described premises or at replacement premises or temporary
locations….”17
Again, the business interruption and extra expense coverage is typically subject to a requirement of “direct physical loss.” For
example, a 2007 standard industry business interruption form states that “[t]he ‘suspension’ [of the insured’s “operations”] must be
caused by direct physical loss of or damage to property at premises which are described in the Declarations and for which a Business
Income Limit of Insurance is shown in the Declarations.”18 Likewise, the form defines “Extra Expense” as “necessary expenses” that
the insured “would not have incurred if there had been no direct physical loss or damage to property caused by or resulting from a
Covered Cause of Loss.”19
Courts have upheld coverage for business interruption and extra expense caused by data loss, finding the “direct physical loss”
requirement satisfied. The Texas appellate court’s decision in Lambrecht & Associates, Inc. v. State Farm Lloyds20 is instructive. In
Lambrecht, the insured sought coverage for a loss of computer data and the related loss of business income after a “virus caused
the [insured’s] computers to have difficulties while ‘booting up,’ perform a number of ‘illegal functions’ and eventually completely
‘freeze up,’ thereby rendering the computers useless.”21 The insured’s computer system had to be taken offline and its employees
were unable to use their computers until the server was restored.22 The insurance policy at issue committed the insurer to “pay for
accidental direct physical loss to business personal property” and “the actual loss of ‘business income’ [the insured] sustained due to
the necessary suspension of [its] ‘operations’ during this ‘period of restoration.’”23
The court disagreed with the insurer’s argument that “the loss of information on [the insured’s] computer systems was not a ‘physical’
loss because the data … did not exist in physical or tangible form,”24 and held that “the plain language of the policy dictates that
the personal property losses alleged by [the insured] were ‘physical’ as a matter of law.”25 The court further held that “the business
income [the insured] lost as a result of the virus [wa]s covered under the policy.”26
To the same effect is Southeast Mental Healthcare Center, Inc. v. Pacific Insurance Co., Ltd.27 In that case, a heavy rain and windstorm
destroyed or disabled approximately twenty power and utility poles, resulting in the loss of electrical and telephone service at the
insured’s property.28 The insured alleged “that the loss of electricity also damaged its pharmacy computer … which resulted in the
loss of data from the computer” and that the insured’s “operations were suspended and it lost significant business income.”29
The insurer argued that “[the insured]’s business losses due to the damage to its pharmacy computer [we]re not covered because
there was no direct physical damage to the computer.”30 The court rejected this argument and found “that the corruption of the
pharmacy computer constitutes ‘direct physical loss of or damage to property’ under the business interruption policy.”31 In this
regard, citing with approval the Ingram Micro case, the court found “the Ingram court’s reasoning persuasive, and finds that Plaintiff’s
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
pharmacy computer sustained direct physical damage, within the meaning of the business interruption provision.”32 Accordingly, the
court granted the insured’s motion for summary judgment “as to its loss of income due to the damaged computer drive.” 33
In a more recent decision, the Middle District of Louisiana upheld coverage under a property policy in Landmark American Ins. Co.
v. Gulf Coast Analytical Laboratories, Inc.34 The insured in Landmark provided chemical data analysis to the petrochemical industry
and certain governmental agencies and, as part of its business, “analyze[d] chemical samples and stores the information as electronic
data on a hard disk storage system … called a RAID5 system.”35 This system “failed to read two hard disk drives and resulted in
the corruption of data,” resulting in “$112,000.00 in recovery costs to third party vendors and over $1 million in losses to business
income.”36
The insured sought coverage under its property policy, which covered “risks of direct physical ‘loss or damage’ to Covered Property,
including ‘computer viruses,’ except those causes of ‘loss and damage’ listed in the Exclusions.”37 The insurer filed suit “seeking
declaratory judgment that electronic data is not susceptible to direct physical loss or damage.”38 The insurer argued that “electronic
data is intangible in nature and, as a result, not susceptible to ‘direct, physical loss or damage’ as a covered cause of loss.”39 The
court initially noted that “[t]he question of whether electronic data is physical or nonphysical has been debated in several jurisdictions
and has led to various conclusions.40 Although finding the “issue of whether stored data is physical” to be one of first impression in
Louisiana, the court noted that Louisiana’s highest court “has determined electronic software data is physical.”41 Therefore, the court
found that “according to Louisiana law, [the insured]’s electronic chemical analysis data must be considered a corporeal movable
or physical in nature” and held that “summary judgment [wa]s appropriate, declaring that electronic data is susceptible to ‘direct,
physical ‘loss or damage.’” 42
Contingent Business Interruption and Service Interruption
In addition to business interruption coverage, companies may have “contingent business interruption” coverage that covers the
insured with respect to losses, including lost earnings or revenue, as a result of damage, not to the insured’s own property, but to the
property of an insured’s supplier, customer or some other business partner or entity. For example, the standard industry “Business
Income From Dependent Properties” endorsement states that the insurer:
ill pay for the actual loss of Business Income you [the insured] sustain due to the necessary “suspension” of your “operations” during
w
the “period of restoration”. The “suspension” must be caused by direct physical loss of or damage to “dependent property” at a premises
described in the Schedule caused by or resulting from a Covered Cause of Loss.43
Contingent business interruption may be increasingly important coverage in the context of “cloud” outsourcing of maintenance and
control over data to third parties. As one commentator has noted, “business interruption losses resulting from loss of access to the
cloud should, in the majority of cases, be covered under so-called ‘legacy’ contingent business interruption forms.”44
Although it should be noted that the above-quoted standard industry form contains a data limitation, which states that “coverage
under this endorsement does not apply when the only loss to ‘dependent property’ is loss or damage to electronic data, including
destruction or corruption of electronic data,”45 this exclusion should be inapplicable to many incidents of cloud interruption, including
incidents in which it is the insured, rather than the “dependent property,” that sustains a loss of or damage to data.46
In addition to contingent business interruption coverage, an insured may have service interruption coverage. Covered services
can include electricity, gas, water, phone and sewer services. By way of illustration, the current standard ISO Utility Services – Time
Element endorsement provides coverage for “loss of Business Income or Extra Expense at the described premises caused by the
interruption of service to the described premises.”47 The endorsement further states that “[t]he interruption must result from direct
physical loss or damage by a Covered Cause of Loss to the property….”48 The interruption of service includes “Water Supply
Services,” “Communication Supply Services,” and “Power Supply Services,” each as defined.49 An insured may have coverage in the
event of a cyber security-based service interruption.
Although not specifically addressing a cybersecurity event, the decision in Wakefern Food Corporation v. Liberty Mut. Fire Ins. Co.50 is
instructive. In that case, problems with the interconnected North American power system (the “electrical grid”) resulted in a four-day
electrical blackout over much of the northeastern United States and eastern Canada and the insured supermarkets “suffered losses
due to food spoilage during the blackout, in addition to incurring loss of business.”51
The insureds had purchased, in addition to a basic property policy, a “Services Away From Covered Location Coverage Extension,”
which “extended coverage for consequential loss or damage resulting from an interruption of electrical power to [the insureds]’
supermarkets where that interruption is caused by ‘physical damage’ to specified electrical equipment and property located away
from the supermarkets.”52
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
Following the outage, the insureds sought coverage for spoiled food and business interruption and the insurer denied coverage under
the “direct physical loss or damage” portions of the [basic] policy and under the ‘physical damage’ part of the Extension.”53 In doing
so, the insurer “characterized the food-spoilage damages as consequential and not direct losses and asserted that plaintiffs had failed
to present ‘evidence of any physical damage to transmission lines, connections or supply pipes which furnish electricity to any covered
location.’”54 The trial court granted summary judgment in favor of the insurer, holding that the grid was not physically damaged
because it could be returned to service after the interruption. The insureds appealed.
In a thoughtful opinion, the Appellate Division, applying well-established principles of insurance contract interpretation, concluded
“that the undefined term ‘physical damage’ was ambiguous and that the trial court construed the term too narrowly, in a manner
favoring the insurer and inconsistent with the reasonable expectations of the insured.”55 The court found that “the electrical grid
was ‘physically damaged’ because, due to a physical incident or series of incidents, the grid and its component generators and
transmission lines were physically incapable of performing their essential function of providing electricity.”56 The court also “look[ed]
at the larger picture concerning the loss of function of the system as a whole” and the reasonable expectations of the insureds:
[I]n concluding that the term “physical damage” is ambiguous, we consider the context, including the identity of the parties. These
were not two electric utilities contracting about the technical aspects of the grid. Rather, the parties are an insurance company, in the
business of covering risks, and a group of supermarkets that paid for what they believed was protection against a very serious risk-the
loss of electric power to refrigerate their food. The average policy holder in plaintiffs’ position would not be expected to understand the
arcane functioning of the power grid, or the narrowly-parsed definition of “physical damage” which the insurer urges us to adopt. In this
context, we conclude that if [the insurer] intended that its policy would provide no coverage for an electrical blackout, it was obligated to
define its policy exclusion more clearly.57
Likewise, the court found that “from the perspective of the millions of customers deprived of electric power for several days, the
system certainly suffered physical damage, because it was incapable of providing electricity.”58 The court concluded that “the term
‘physical damage’ is capable of at least two different reasonable interpretations” and therefore “is ambiguous” and “must be
construed favorably to the insured.”59 The court further noted that “[i]n reality, the entire system was incapable of producing power
for several days.”60
The Appellate Division reversed the trial court opinion and remanded the case.61
It is important to note that some standard forms seek to shift data loss from the principal coverage grant by excluding electronic
data from the definition of “Covered Property” and instead providing coverage under “additional coverage” that may be subject
to relatively low—presumptively inadequate—coverage sublimits. For example, the 2007 ISO Commercial Property Form excepts
“electronic data” from the definition of “Covered Property”62 and provides coverage under an “Additional Coverage” that is limited
to “$2,500 for all loss or damage sustained in any one policy year, regardless of the number of occurrences of loss or damage or the
number of premises, locations or computer systems.”63
Likewise, the 2007 ISO standard-form Business Income (and Extra Expense) Coverage Form excludes coverage for electronic data
under the main coverage part64 and provides coverage under an “Additional Coverage” subject to a $2,500 limit for “all loss sustained
and expense incurred in any one policy year, regardless of the number of interruptions or the number of premises, locations or
computer systems involved.”65
It should be noted that, as part of its recent April 2013 revisions to its commercial property forms, ISO has clarified that electronic data
integrated into the operation of elevators, lighting, HVAC, and security systems shall no longer be subject to the $2,500 electronic data
aggregate limit. This data shall be covered up to the limits of coverage. The Standard Property Policy66 now states:
2. Property Not Covered
Covered Property does not include:
*****
n. E
lectronic data, except as provided under the Additional Coverage, Electronic Data. Electronic data means information, facts
or computer programs stored as or on, created or used on, or transmitted to or from computer software (including systems and
applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other repositories
of computer software which are used with electronically controlled equipment. The term computer programs, referred to in the
foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions
of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data. This
paragraph, n., does not apply to your “stock” of prepackaged software, or to electronic data which is integrated in and operates or controls
the building’s elevator, lighting, heating, ventilation, air conditioning or security system[.]67
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
The Business Income (And Extra Expense) Coverage Form68 now states:
4. Additional Limitation - Interruption Of Computer Operations
a. Coverage for Business Income does not apply when a “suspension” of “operations” is caused by destruction or corruption of
electronic data, or any loss or damage to electronic data, except as provided under the Additional Coverage, Interruption Of
Computer Operations.
b. Coverage for Extra Expense does not apply when action is taken to avoid or minimize a “suspension” of “operations” caused by
destruction or corruption of electronic data, or any loss or damage to electronic data, except as provided under the Additional
Coverage, Interruption Of Computer Operations.
c. Electronic data means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer
software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices
or any other repositories of computer software which are used with electronically controlled equipment. The term computer programs,
referred to in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and
functions of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data.
d. T
his Additional Limitation does not apply when loss or damage to electronic data involves only electronic data which is integrated in and
operates or controls a building’s elevator, lighting, heating, ventilation, air conditioning or security system.69
Sublimits underscore the importance of considering not only what cyber risks may be covered, but also whether the limits are
sufficient.
Potential Coverage Under Other “Traditional” Policies
It is important not to overlook other types of “traditional” insurance policies that may respond to cyber risks. For example, directors’
and officers’ (“D&O”) policies provide coverage for claims against directors and officers alleging “wrongful acts” committed in
their capacity as directors and officers of the insured organization. These policies typically also provide coverage for claims against
the organization itself, although this coverage is usually limited to coverage for “securities claims.” There may be coverage under
D&O policies to the extent, for example, a data security breach impacts upon a company’s stock price. To be sure, in recent years,
shareholders have increasingly looked to hold directors and officers accountable for a drop in stock price and they may do so in the
event an argument could be made that the directors and officers did not appropriately prepare for, respond to, or mitigate a cyber
incident – all the more so in view of the SEC’s recent guidance on cybersecurity disclosures.70 Although the insured organization’s
coverage is limited to “securities claims,” at a minimum there should be coverage to the extent derivative litigation against individual
directors and officers ensues.
Coverage also may be available under professional liability or errors and omissions (“E&O”) policies, which generally cover “wrongful
acts” committed in the insured’s performance of “professional services.” For example, in the Eyeblaster case discussed in Part 3, the
Eighth Circuit also upheld coverage under an Information and Network Technology E&O policy.
In addition, many companies have various types of crime coverage, including fidelity insurance and financial institution bonds, that
may cover cyber risks and losses.71 Such policies often expressly include computer fraud, such as the transfer of money or securities
to an outside location as well as the cost to repair or replace software and data.
Addressing the question of coverage under a crime policy, the Sixth Circuit recently confirmed that an insured was covered for
more than $6.8 million in stipulated losses associated with a data breach that compromised customer credit card and checking
account information in Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa.72 In that case, the insured incurred
substantial expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection
with investigations by seven state Attorneys General and the Federal Trade Commission.73 The Sixth Circuit confirmed that there was
coverage under the computer fraud rider of the insured’s blanket crime policy, which stated that the insurer would pay the insured for
“Loss which the Insured shall sustain resulting directly from … [t]he theft of any Insured property by Computer Fraud.”74 “Computer
Fraud” was defined as:
the wrongful conversion of assets under the direct or indirect control of a Computer System by means of: (1) The fraudulent accessing
of such Computer System; (2) The insertion of fraudulent data or instructions into such Computer System; or (3) The fraudulent
alteration of data, programs, or routines in such Computer System. 75
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
The court also rejected the insurer’s argument that the loss was excluded by a provision excluding “any loss of proprietary
information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind,”76 finding that the “district
court did not err in finding that the loss in this case was not clearly excluded[.]”77
(Endnotes)
1. ISO Form CP 00 99 06 07 (2007), Section A.
2. See discussion in Viruses, Trojans and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of Internet Oz – Part II.
3. 2000 WL 726789 (D. Ariz. Apr. 18, 2000).
4. See id. at *1.
5. See id. at *2.
6.Id.
7.
Id. In support of its holding, the Ingram Micro court cited to various state and federal laws that make it a crime to cause “damage” to computer
hardware or data, noting that “[l]awmakers around the country have determined that when a computer’s data is unavailable, there is damage;
when a computer’s services are interrupted, there is damage; and when a computer’s software or network is altered, there is damage.” Id. at *3.
The court observed that “[r]estricting the Policy’s language to that proposed by [the insurer] would be archaic.” Id.
8. See id. at *4.
9. 62 Fed.Appx. 511 (4th Cir. Apr. 21, 2003).
10. Id. at 513.
11. Id. at 512.
12. Id. at 514 (original emphasis).
13. Id.
14.
Id. at 515. The court also found that a “dishonesty” exclusion in the policy was inapplicable because the insured’s “property was not only
damaged, but was completely destroyed … which triggers the exception to the dishonesty exclusion….” Id. at 514.
15.
Compare Greco & Traficante v. Fidelity & Guar. Ins. Co., 2009 WL 162068, at *5 (Cal. Ct. App. Jan. 26, 2009) (citing Ward) (“[I]t seems logical
to say that one cannot suffer a direct physical loss of computer data unless that data has been stored on media and is unavailable for use as a
result of corresponding computer damage … Even if the missing data were somehow stored on the computer, there is no evidence suggesting
any loss of use or functionality of the computer occurred that would amount to a physical loss of covered property.”) with Ward Gen. Ins. Servs.,
Inc. v. Employers Fire Ins. Co., 7 Cal.Rptr.3d 844, 851(Cal. App. Ct. 2003) (“Plaintiff did not lose the tangible material of the storage medium.
Rather, plaintiff lost the stored information. The sequence of ones and zeros can be altered, rearranged, or erased, without losing or damaging
the tangible material of the storage medium. We conclude the loss of the database, with its consequent economic loss, but with no loss of or
damage to tangible property, was not a “direct physical loss of or damage to” covered property under the terms of the subject insurance policy,
and, therefore, the loss is not covered.”).
16. ISO Form CP 00 30 06 07 (2007), at Section A.1. “Period of restoration” is defined as “the period of time that”:
a. Begins:
(1) 72 hours after the time of direct physical loss or damage for Business Income Coverage; or
(2) Immediately after the time of direct physical loss or damage for Extra Expense Coverage; caused by or resulting from any Covered Cause of Loss at the described
premises; and
b. Ends on the earlier of:
(1) The date when the property at the described premises should be repaired, rebuilt or replaced with reasonable speed and similar quality; or
(2) The date when business is resumed at a new permanent location.
Id. at Section F.3.
17. Id. at Section A.2.
18. Id. at Section A.1 (emphasis added).
19. Id. at Section A.2.b (emphasis added).
20. 119 S.W.3d 16 (Tex. App. Ct. 2003).
21. Id. at 23.
22.Id. at 19.
23. Id.
24. Id. at 23.
25.
Id. at 25. The policy in that case covered loss of business income caused by “accidental direct physical loss” to “electronic media and records,” as
defined to include “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells,” “data stored on such media”
and “programming records used for electronic data processing or electronically controlled equipment.” Id.
26. Id.
27. 439 F.Supp. 2d 831 (W.D. Tenn. 2006) (Tennessee law).
28. See id. at 833.
29. Id. at 833-34.
30. Id. at 837.
31. Id.
32. Id. at 838.
33. Id. at 840.
34. 2012 WL 1094761 (M.D.La. Mar. 30, 2012) (Louisiana law).
35. Id. at *1.
36. Id.
37. Id. at *2.
38. Id. at *1.
39. Id.
40. Id. at *3.
41. Id. (following South Cent. Bell Telephone Co. v. Barthelemy, 643 So.2d 1240, 1244 (La.1994)).
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
42.Id. at *4.
43. See, e.g., ISO CP 15 08 04 02 (2001), Section A. “Dependent property” is defined to include:
1. “Dependent Property” means property operated by others whom you depend on to:
a. Deliver materials or services to you, or to others for your account (Contributing Locations). But any property which delivers any of the following services is not
a Contributing Location with respect to such services:
(1) Water supply services;
(2) Power supply services; or
(3) Communication supply services, including services relating to internet access or access to any electronic network;
b. Accept your products or services (Recipient Locations);
c. Manufacture products for delivery to your customers under contract of sale (Manufacturing Locations); or
d. Attract customers to your business (Leader Locations).
Id., Section E.
44.Lon Berk, CBI for the Cloud, Vol. 21, No. 6, Coverage, at 11 (ABA November/December 2011); Scott N. Godes, Insurance Coverage for Denial-ofService Attacks, 41 No. 14, The Lawyer’s Brief 6 (July 31, 2011) (“Contingent business interruption losses may include losses that the policyholder
faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.”).
45.CP 15 08 04 02 (2001), Section A. The policy further states that “[t]he term electronic data has the meaning set forth in the Coverage Form to
which this endorsement applies.” Id. The following is a typical definition:
Electronic data means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer
software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any
other repositories of computer software which are used with electronically controlled equipment. The term computer programs, referred to
in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions of a
computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data.
ISO CP 15 08 04 02 (2001), Section A.4.c.
46.
See Berk, supra note 44 at 16 (“This exclusion should not apply to the vast majority of incidents that might result in interruption of computation
services provided by cloud vendors. … In the vast majority of cases, it will not be the dependent property that sustains such a loss, but the
insured’s property that is unable to access data at a vendors server farms, that is, at the dependent property. The data in other words may remain
intact at the server property, but not be accessible by the customer because of other loss at the dependent property.”).
47.BP 04 57 07 02, Section A. Again, it should be noted that the more recent iterations of this exclusion contain an “exception” stating that “[c]
overage under this endorsement does not apply to Business Income loss or Extra Expense related to interruption in utility service which causes
loss or damage to ‘electronic data’, including destruction or corruption of ‘electronic data’.” See, e.g., BP 04 57 01 06 (2004), Section B; BP 04
57 07 13, Section B. Again, this would not void coverage for a lot of scenarios, including all those where “loss or damage to ‘electronic data’”
causes the “interruption in service.”
48. BP 04 57 07 02, Section A.
49. Id., Section B.
50. 968 A.2d 724 (N.J. Super. Ct. App. Div. 2009).
51. Id. at 727.
52. Id.
A. We will pay for consequential loss or damage resulting from interruption of:
(1) Power;
B. We will pay only if the interruption results:
(1) From physical damage by a peril insured against;
(2) Away from a covered location; and,
(3) To the following types of property, if marked with an “X”:
(X) Any powerhouse, generating plant, substation, power switching station, gas compressor station, transformer, telephone exchange;
(X) Transmission lines, connections or supply pipes which furnish electricity ... to a covered location.
Id. at 728.
53.Id. at 732.
54. Id. at 732-33.
55. Id. at 734.
56. Id.
57.
Id. at 734-35. While “acknowledg[ing] that based on the highly technical analysis in the Final Report, one could certainly argue that the system
was not physically damaged,” the court noted that “the report was not written for the purpose of construing insurance policies; it was written as an
operational analysis for the purpose of determining how the blackout occurred, who was at fault, and how future blackouts could be avoided.” Id.
at 735.
58. Id. at 735.
59. Id.
60. Id. at 737.
61.
See id. at 739. In view of its conclusion that the Extension covered the loss, the court declined to address the insured’s “argument premised on
the all-risks portion of the basic policy pertaining to ‘direct physical loss to covered property.’” Id.
62.CP 00 99 06 07 (2007), Section A.2.n. Other limitations may apply. For example, although “Covered Causes of Loss include a virus, harmful code
or similar instruction introduced into or enacted on a computer system (including electronic data) or a network to which it is connected,” the
policy excludes “loss or damage caused by or resulting from manipulation of a computer system (including electronic data) by any employee….”
CP 00 99 06 07, at Section A.4e.(3)(b).
63. Id. Section A.4.e.(1),(2),(4).
64. ISO Form CP 00 30 06 07 (2007), Section A.4.
65.
Id. Section A.5.d. Again, other limitations may apply. For example, the standard form states that “there is no coverage for an interruption
related to manipulation of a computer system (including electronic data) by any employee.” Id. at Section 1.5.d.(3)(d).
66. CP 00 99 10 12 (2012).
67.Id. at Coverage A.2.n. (emphasis added); see also id. at Coverage A.4.e.(1).
68. CP 00 30 10 12 (2012).
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
69. Id., Section A.4 (emphasis added).
70.SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/
corpfin/guidance/cfguidance-topic2.htm (last visited July 5, 2013).
71.
See Louis Chiafullo & Brett Kahn, Coverage for Cyber Risks, Vol. 21, No. 3, Coverage, at pp. 6-7 (ABA ay/June 2011) (discussing coverage for
cyber risks under D&O, E&O and other types of insurance coverages).
72. 691 F.3d 821 (6th Cir. 2012) (predicting Ohio law).
73. Id. at 824.
74. Id. at 826.
75. Id. at 826-27.
76. Id. at 832.
77.
Id. at 834.; see also Vonage Holdings Corp. v. Hartford Fire Ins. Co., 2012 WL 1067694, at *1 (D.N.J. Mar. 29, 2012) (New Jersey law) (denying
the insurer’s motion to dismiss an insured telecommunications company’s claim for loss arising out of the fact that “computer hackers located
outside of its premises used a computer to fraudulently access [the insured’s servers] for the purpose of transferring the use of those servers to
themselves and others” under a policy stating that the insurer would “pay for loss of and loss from damage to ‘money’, ‘securities’ and ‘other
property’ following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’
or ‘banking premises’” to an outside person or premises). Compare Peoples Tel. Co., Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335, 1341
(S.D. Fla. 1997) (finding that there was no coverage where “lists containing combinations of electronic serial numbers and mobile telephone
identification numbers … which are necessary to activate and use cellular phones” were stolen by an employee and sold to third parties to
“clone” cellular phones).
About the Author
Roberta D. Anderson is a partner in the Pittsburgh office of K&L Gates LLP, a law firm that regularly represents
policyholders in insurance coverage disputes. The opinions expressed in this article are those of the author, and
should not be construed as necessarily reflecting the views of her law firm, or the firm’s clients, or as an endorsement
by the law firm or the law firm’s clients of any legal position described herein. Ms. Anderson can be reached at
Roberta.Anderson@klgates.com.
This article was published in the March 2014 Insurance Coverage Law Report.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
For more information, or to begin your free trial:
• Call: 1-800-543-0874
• Email: customerservice@SummitProNets.com
• Online: www.fcandslegal.com
FC&S Legal guarantees you instant access to the most authoritative and comprehensive
insurance coverage law information available today.
This powerful, up-to-the-minute online resource enables you to stay apprised
of the latest developments through your desktop, laptop, tablet, or smart phone
—whenever and wherever you need it.
NOTE: The content posted to this account from FC&S Legal: The Insurance Coverage Law Information Center is current to the date of its initial
publication. There may have been further developments of the issues discussed since the original publication.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding
that the publisher is not engaged in rendering legal, accounting or other professional service. If legal advice is required, the services of a competent
professional person should be sought.
Copyright © 2014 The National Underwriter Company. All Rights Reserved.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
Related documents
Q.E.F. No. 6-97
Q.E.F. No. 6-97
Claim form for medical expenses (short version)
Claim form for medical expenses (short version)
Annexure-1 From (Name & Address of the sponsoring Agency) ________________________________________
Annexure-1 From (Name & Address of the sponsoring Agency) ________________________________________
Agricultural Safety Specialist
Agricultural Safety Specialist
Health Insurance
Health Insurance
Download
advertisement