Legal Updates

Information Technology – Crime and Security – Stolen Source Code

In the recent case of Tektrol Limited v International Insurance Company of Hanover Limited, Great Lakes Reinsurance (UK) Limited [2005], Tektrol was able to recover its losses after losing critical source code because exemptions in the company’s insurance policy did not apply.  Tektrol designed, developed and manufactured energy saving control devices for industrial motors. Its main product relied on a particular piece of software. The source code for this software enabled the product to be customised to meet individual customers’ needs. Tektrol stored the source code on two development computers, on the Managing Director’s laptop, on a computer at a remote site operated by an independent company and on a paper printout kept at the office premises.

In December 2001, the Managing Director received an email with a virus that destroyed the source code on the laptop. The Managing Director believed that the copy held at the remote site was not affected and so decided to copy the source code from the remote site to his laptop. He believed that the source code was then recovered.

Subsequently, Tektrol’s premises were burgled in January 2002, and the development computers containing the source code as well as the print copy were stolen. The company soon discovered that all copies of the source code were lost because the virus had, in fact, destroyed the source code at the remote site meaning the version stored on the laptop was also corrupted. Tektrol made a claim on its insurance for the disruption caused by the events. The insurers refused to pay and subsequently Tektrol brought an action. The insurers argued successfully at first instance that the policy didn’t cover the loss sustained. The policy excluded liability for:

â–ª     damage from erasure or corruption of information stored on computers or other records caused deliberately by rioters, strikers, locked out workers, civil disturbances or malicious persons; and

â–ª     other loss or distortion unless it resulted from a ‘defined peril’ which in this case included malicious persons.

Tektrol appealed and claimed that it should receive payment on the grounds that the e-mail virus and theft resulting in the total loss of the source code were caused by malicious persons. The Court of Appeal held that:

â–ª     the relevant clause was intended to exclude loss caused by rioters and strikers committed on or near Tektrol premises;

â–ª     to extend the clause to cover hackers meant adding a category of persons to the exclusion which had not been included;

â–ª     if the insurer had wanted to exclude loss caused by hackers they should have included an express clause to this effect; and

â–ª     the insurers should pay Tektrol for losses suffered due to theft of the source code.

The appeal was allowed.

Comment: It seems that the Court will have little sympathy for insurers who use ambiguous wording in their policies.

If you require further information contact us at [email protected]

Visit http://www.rtcoopers.com/practice_it.php

© RT COOPERS, 2005. This Briefing Note does not provide a comprehensive or complete statement of the law relating to the issues discussed nor does it constitute legal advice. It is intended only to highlight general issues. Specialist legal advice should always be sought in relation to particular circumstances.