The recent decision of the Court of Appeal in Tektrol Ltd v International Insurance Company of Hanover Limited  EWCA 845, examined the effectiveness of provisions for exclusion of liability in insurance contracts, regarding loss of computer data.
The appellant, Tektrol, who manufactured energy-saving devices kept five independent copies of the source code for its product. These copies were stored on a variety of mediums; on desktop and laptop computers, at a remote site operated by a third party and a paper copy. By a “very unusual series of unrelated incidents” that would appear more at home on a law student’s examination paper, Tektrol lost all of its copies of the code during the Christmas period of 2001/02. A virus on an email attachment (purporting to be a Christmas card from a firm of solicitors) deleted the source code held on the laptop and at the remote site. Upon returning after New Year, Tektrol discovered their business premises had been burgled and the desktop computers holding the source code and the paper copy had been stolen.
Tektrol’s insurers argued that Tektrol could not recover for the loss of the source code, because both the loss by the virus and by theft both fell within exclusions in their insurance policy. The High Court found in favour of Tektrol’s insurers.
Tektrol’s insurers argued that loss of code by the virus was covered by the following exclusion of loss arising directly or indirectly from,
“erasure loss distortion or corruption of information on computer systems or other records programmes or software caused deliberately by rioters strikers locked-out workers persons taking part in labour disturbances or civil commotion or malicious persons”.
The Court of Appeal held that although the author of the virus would be classed as a ‘malicious’ person, the context of the rest of the clause envisaged interferences directed specifically at the computer systems at the insured premises.
By adding on to the end of this clause an exception referring to a very different type of person making a different type of attack, which was not specifically directed at Tektrol’s computer systems, the insurers would significantly change the emphasis of the clause. The Court held that if the insurer had intended to exclude damage caused however indirectly by such a malicious person, the exclusion would have needed to be placed in a separate clause and not refer to malicious persons in the same terms as rioters and locked-out persons.
It should be noted that some of the terminology employed by the Court of Appeal in its judgment may lead to confusion. The Court of Appeal referred to the author of the virus as a ‘remote hacker’. The use of such a term may be unhelpful, as one would normally associate an attack by a ‘remote hacker’ as being specifically targeted against individual computer systems, whilst the damage caused by an author of an email-based virus would be expected to be more indiscriminate.
With regard to the question of liability regarding the burglary, Tektrol’s insurers sought to rely on the following exclusion clause, excluding loss arising from,
“other erasure loss distortion or corruption of information on computer systems or other records programmes or software unless resulting from a Defined Peril in so far as it is not otherwise excluded”.
The insurers argued that the physical loss of the data that was stored on the stolen desktop computers and the print out were covered by the above exclusion and that as theft or burglary was not a “Defined Peril” under the policy, that such loss could not be recovered.
The majority of the Court of Appeal (Carnwath LJ dissenting) held that in the context of the whole clause, the word “loss” did not extend to physical loss by theft, but referred only to loss by means of electronic interference. The draftsman’s use of words in this clause was seen as “linguistic overkill” in that a number of words and phrases were used all expressing more or less the same idea. The Court would have expected the exclusion of such a different type of loss as physical loss to be covered in a separate clause.
This case clearly highlights the need for the careful drafting of clauses, particularly exclusion clauses, in IT contracts. The Court of Appeal has demonstrated its intolerance of a “scatter-gun” approach to drafting exclusions of liability. A more thoughtful approach is required, taking into account the different types of risk that may arise in each situation and dealing with these separately.