In our last article, we pointed out that in the
year 2001 there has been no definitive answer from the courts as to whether
electronically recorded or stored information—for example, data, programs,
software and other media (hereinafter "computer data")—is
"tangible property." Nor has there been any definitive answer from
the courts as to whether computer data is subject to "physical loss or
damage." We found the lack of definitive case law to be somewhat
surprising after the flurry of early 1990s decisions in which some courts
suggested these were important questions that should be explored.
Without definitive guidance from the courts, many companies are asking
what to do at claim time as well as what to do at renewal time. This article
will address these questions and more, as we reveal some of the ways in which
insurers are reacting to the property and liability risks associated with
computer data.
What Can the Policyholder Do at Renewal Time?
As we showed in Part 1 of
this article, the case law seems to be trending in the direction of the
policyholders with respect to whether computer data is "tangible
property" and whether the loss of computer data constitutes
"physical loss or damage." Still, without more definitive guidance
from the courts, a hotshot claims adjuster can create a nightmare for a
policyholder with a claim involving lost computer data. As a result, some
buyers of business insurance have been looking beyond the standard-form
language of their policies, asking their insurers to address e-commerce
issues with explicit language in the policies.
Express Language to Address Computer Data Losses
Some companies have found that the simplest way to address the question of
whether computer data is "tangible property" in general liability
policies is to add specific language defining "tangible property"
to include software, programs, and data. This strategy is the mirror image of
some technology errors and omissions (E&O) policies, which expressly
state that data, programs, and software are not
tangible property and therefore are not excluded
under the "property damage" exclusion typically found in such
E&O policies.
First-party property claims often involve some tangible medium that can be
considered damaged if data that was stored there is erased. Thus, the
threshold concern with respect to property policies is the concern over
whether the covered perils are defined broadly enough to include the causes
of loss that computer data is likely to be subject to. To address this
concern, some companies are asking their property insurers to confirm in
explicit policy language that disruption, corruption, deletion, theft, or
copying of data, software, or programs is deemed to be "physical loss or
damage."
This simple modification, however, may not be enough to ensure adequate
coverage for computer data losses. In the context of a first-party property
loss, the question of whether the loss was caused by a covered peril is only
the beginning. Nearly as important is the question of how much coverage the
policy affords. Valuation provisions can be critical when it comes to
computer data losses. Some policies contain language that limits coverage for
loss of information stored on media to the cost of the blank media. When both
the insurer and the policyholder agree that computer data is to be covered,
the valuation clause should provide for coverage for the cost of restoring
the data from backup, as well as for the cost of replacing or reconstructing
the data if backup data is not available.
Another wrinkle in the valuation of computer data losses is the cost of
establishing that lost data cannot be replaced or restored. Some commercial
property insurance policies provide that if lost data is not restored or
reconstructed after a period of time, say 1 or 2 years, there is no coverage
at all. But what if—after much effort—it is discovered that the data cannot
be reconstructed? Policyholders may want to negotiate a provision granting
coverage for the sometimes substantial cost of making the determination that
reconstruction of data is impossible.
And the desire to address these issues should not be limited to commercial
property policies. Policyholders should consider addressing the same issue in
commercial crime policies. Some crime policies limit coverage to loss of
money, securities, or "tangible property." Some crime policies also
have very narrow valuation provisions for losses involving computer data
(expressly stating that the cost to restore lost data is not
covered). And all crime policies we have reviewed to date lack specific, and
favorable, valuation provisions for computer data like that which is typical
in commercial property policies.
The foregoing paragraphs discuss only a sampling of the issues that are
likely to arise with respect to coverage under standard general liability,
property, and crime policies for losses to computer data. Space does not
permit a full discussion of every typical policy provision that could impact
the existence or extent of coverage for computer data losses. As always, an
insurance buyer should review the policy provisions carefully while at the
same time trying to imagine how that language may be applied to a computer
data loss.
Some Insurers Respond Negatively
It is true that some companies have been successful in negotiating express
language in their policies to clarify the existence of coverage for computer
data losses. But there is no guarantee that all insurers will agree to
include the clarifying language, or that any insurer that does agree will do
so for all insureds. In fact, a few insurers—spurred by new computer virus
and/or computer data exclusions in their reinsurance treaties—have been
inserting similar computer virus and/or computer data exclusions in their
insureds' policies at renewal. Thus, at least some insurers are taking
the bull by the horns and are themselves proposing policy language that
diminishes, rather than clarifies, coverage.
When an insurer proposes to add a new computer virus and/or computer data
exclusion, the policyholder should check the language of the exclusion very
carefully. Some of the new exclusions only apply to losses caused by a
computer virus. The fact that such an exclusion is contained in the policy
may imply that computer data losses are covered as long as the cause of loss
is not a computer virus. But some insurers are going beyond simply excluding
losses caused by computer virus. Some of the new exclusions expressly
disclaim coverage for any corruption or deletion of, or detrimental change
to, or loss of use, impairment of use, or loss of functionality of computer
data or software.
Each policyholder's situation is different, and each will be faced
with a decision: whether to (1) seek another market; (2) knowingly assume the
risk of "going bare" with respect to computer virus losses, or any
computer data losses, as the case may be; or (3) purchase a specialized
"e-commerce" policy and undergo a rigorous underwriting process
with extensive involvement of the policyholder's information technology
personnel.
In the meantime, some policyholders will be faced with claims triggering
policies that do not contain clarifying language of any kind. What might
those companies be able to do at claim time?
What Can the Policyholder Do at Claim Time?
Companies that have been proactive in addressing coverage for computer
data in their insurance policies—up-front, before a claim is made or a loss
is suffered—will have greater peace of mind knowing that claim-time surprises
have been minimized. But there remain many companies that have not yet even
thought to bring e-commerce issues to the table when negotiating their
insurance policies. And even those companies that are negotiating favorable
provisions covering computer data losses may yet face claims under prior
policies that are silent with respect to the treatment of computer data.
Without any clear answer from the courts, coverage for any individual
claim may well turn on factors such as the state of the market, the
relationship between a particular policyholder and its insurer, and the size
of the claim. Still, a policyholder faced with the insurer's denial of
coverage will have ammunition toward getting its claim paid.
Arguments in Favor of Coverage for Computer Data Losses
In the case of a third-party liability claim submitted under a commercial
general liability (CGL) insurance policy, the case law (discussed in our last
article) tends to support the notion that computer data is tangible property,
particularly when merged into a medium such as a disk or hard drive. Many
computer data claims can be characterized as claims involving damage to the
medium in which the data was stored. Thus, a policyholder may argue that when
data is accidentally erased from a disk, the disk ("tangible
property") has been altered and thereby damaged. This same strategy
could be successful in first-party claims as well. Altering the arrangement
of electrons on a disk or hard drive is a physical change in the structure of
the disk or hard drive.
One fact that weighs in favor of policyholders is that most insurers have
paid claims involving computer data over the last several years, setting up
precedent that could make it difficult for other insurers to march in the
other direction. Although some insurers' introduction of computer data
exclusions may make renewals more challenging, the fact that such insurers
thought it necessary to add an express exclusion implies that these insurers
expect computer data would have been covered in the absence of the exclusion.
At the very least, it is evidence that a reasonable insured could have read
the pre-exclusion language to include such coverage.
The Tax Cases
Faced with a scarcity of decisions interpreting insurance policy language
in computer data loss cases, some policyholder attorneys have turned to tax
law to supply answers to the question of whether computer data is tangible
property. A court that is called on to decide whether computer data is
subject to taxes on "tangible property" cannot duck the question,
as the courts in the insurance cases have done. Still, although courts in tax
cases have reached answers to difficult questions, there is no consensus as
to the correct answer. Thus, even if the tax cases can be considered
predictive of whether the loss of computer data will be considered
"physical damage" to "tangible property," the forecast
varies depending on which state's courts are involved.
For example, in South Central Bell Telephone Co. v
Barthelemy, 643 S2d 1240 (La 1994), one of the leading cases in this
area, the Louisiana Supreme Court held that certain software programs were
taxable "tangible personal property." Central to the court's
reasoning was the fact that the intellectual content was affixed in a
tangible physical medium. As the court explained,
When stored on magnetic tape, disc, or computer chip, this software, or
set of instructions, is physically manifested in machine readable form by
arranging electrons, by use of an electric current, to create either a
magnetized or unmagnetized space.... The software at issue is not merely
knowledge, but rather is knowledge recorded in a physical form which has
physical existence, takes up space on the tape, disc, or hard drive, makes
physical things happen, and can be perceived by the senses.... The
purchaser of computer software desires nor receives mere knowledge, but
rather receives a certain arrangement of matter that will make his or her
computer perform a desired function.... One cannot escape the fact that
software, recorded in physical form, becomes inextricably intertwined with,
or part and parcel of the corporeal object upon which it is recorded, be
that a disk, tape, hard drive, or other device. (Id.)
After Barthelemy, the Utah Supreme Court
suggested that the notion of "tangible property" might extend
beyond data-as-embodied-in-a-medium to the electronic signals themselves in
South Central Utah Tel. Assn. v Auditing Div. of Utah
State Tax Commn., 951 P2d 218, 223-24 (Utah 1997).
Courts elsewhere, however, have held otherwise. For example, in
Northeast Datacom, Inc. v City of Wallingford,
563 A2d 688, 691-92 (Conn 1989), the Connecticut Supreme Court determined
that the state's property tax on "tangible personal property"
could not be assessed on data, but only on the value of the magnetic disks
and tapes on which the data was stored. The court drew a sharp distinction
between "tangible" and "intangible" property, explaining
that tax assessor had improperly attempted to tax the intangible incidents of
the software, such as the right to produce and sell copies of the software
and the right to license its use to others.
An Arizona court likewise held that its state property tax scheme, long
construed to be inapplicable to intangible property due to the state's
failure to devise a method of valuing intangible property, would not apply to
computer software. See Honeywell Information Sys.,
Inc. v Maricopa County, 575 P2d 801, 803 (Ariz App 1977).
The view that computer data is not "tangible property" is not
confined to older decisions. Just last year, a Florida appellate court,
though conceding that the question was difficult, found that computer data
was not "tangible property" for purposes of the state's ad
valorem tax. See Gilreath v General Electric
Co., 751 S2d 705, 708-09 (Fla App 2000).
Thus, even if the tax cases can be considered as precedent for the
questions of whether the loss of computer data will be considered
"physical damage" to "tangible property" under an
insurance policy, the precedent may be favorable or unfavorable to
policyholders depending on which state's courts are involved. Also, other
factors make it difficult to gauge whether courts attempting to interpret
insurance policies are even likely to follow precedent developed in tax
cases. The outcome of a tax case may rest on the attitude of a state's
courts toward taxation, which may have little or no relevance to the
enforcement of private contracts.
A presumption against taxation may be the deciding factor if the court
determines the language in a tax statute is ambiguous, while ambiguous
language in an insurance policy usually works in favor of the policyholder.
But the precedents exist, giving ammunition to lawyers for both insurers and
insureds that may seek to press the issue in litigation.
Summary and Upcoming Articles
We hope that this article proves useful for policyholders, brokers and
others in the insurance industry as we all try to grapple with these very
important issues, which will arise time and again in the coming months during
renewals and at claim time. We will continue to monitor these issues, both
from a claims perspective and policy renewal/placement perspective, and
attempt to provide useful updates in this column.
In the meantime, we feel compelled to turn our attention to two different
issues in coming articles. In our next article we will address the question
of whether there is any difference between "professional services"
as covered by professional liability policies, and Business-to-Business and
Business-to-Consumer e-commerce activities. Do professional liability
policies cover claims arising from such activities (i.e., are B2B and B2C
e-commerce activities covered professional services)? Our upcoming article
represents an evolution of our thinking as expressed in our articles from
last year, given several developments we have witnessed since we wrote those
articles.
The article after that will provide a report on what we are seeing in the
first-party e-commerce insurance market. As reported earlier, and as alluded
to in this article, we are seeing greater insistence on the use of computer
virus exclusions and an unbelievably broad computer data exclusion by
property insurers. We believe that any policyholder who is not absolutely
certain that it will be able to avoid such exclusions on its next property
renewal needs to prepare itself now to be able to
buy a first-party e-commerce insurance policy on the renewal date of its
property program. Otherwise the policyholder might get "blindsided"
at the renewal of its property program and have to bear uninsured computer
virus risk (or worse, computer data risk) until it can scramble quickly
enough to put together a first-party e-commerce insurance program (which we
are seeing is no simple or quick task).
This article was
written by Catherine Rivard and edited by Michael Rossi.
Catherine
Rivard is Senior Risk Management Counsel at Insurance Law Group,
Inc., a law firm providing legal services to middle-market and multinational
corporate risk managers. She advises on initial placements and renewals
(including e-commerce issues), manuscripts insurance policies, and handles
disputed claims outside of litigation. She previously was a partner of Troop
Steuber Pasich Reddick & Tobey, LLP. Ms. Rivard has represented
policyholders in insurance matters since the mid-1980s. She developed the
first arguments for "personal injury" coverage in
asbestos-in-building and environmental claims. More recently, she wrote
briefs in Alpha Therapeutic Corp. v Home Insurance
Co., 90 Cal App 4th 1330 (2001) (single-occurrence multi-injury claim
not limited to single policy year's limits).
Ms. Rivard is a member of the State Bar of California and
the American and International Bar Associations. She earned her JD degree in
1986 from Northwestern University and her AB degree in political science, cum
laude, in 1982 from Occidental College. Ms. Rivard can be reached by
email.