Michael A. Rossi | November 1, 2001
In this second of a two-part article, Catherine Rivard and Michael Rossi address these questions and discuss the lack of a definitive answer by the courts. They also reveal some of the ways insurers are responding to the property and liability risks associated with computer data.
In our last article, we pointed out that in the year 2001 there has been no definitive answer from the courts as to whether electronically recorded or stored information—for example, data, programs, software and other media (hereinafter "computer data")—is "tangible property." Nor has there been any definitive answer from the courts as to whether computer data is subject to "physical loss or damage." We found the lack of definitive case law to be somewhat surprising after the flurry of early 1990s decisions in which some courts suggested these were important questions that should be explored.
Without definitive guidance from the courts, many companies are asking what to do at claim time as well as what to do at renewal time. This article will address these questions and more, as we reveal some of the ways in which insurers are reacting to the property and liability risks associated with computer data.
As we showed in Part 1 of this article, the case law seems to be trending in the direction of the policyholders with respect to whether computer data is "tangible property" and whether the loss of computer data constitutes "physical loss or damage." Still, without more definitive guidance from the courts, a hotshot claims adjuster can create a nightmare for a policyholder with a claim involving lost computer data. As a result, some buyers of business insurance have been looking beyond the standard-form language of their policies, asking their insurers to address e-commerce issues with explicit language in the policies.
Some companies have found that the simplest way to address the question of whether computer data is "tangible property" in general liability policies is to add specific language defining "tangible property" to include software, programs, and data. This strategy is the mirror image of some technology errors and omissions (E&O) policies, which expressly state that data, programs, and software are not tangible property and therefore are not excluded under the "property damage" exclusion typically found in such E&O policies.
First-party property claims often involve some tangible medium that can be considered damaged if data that was stored there is erased. Thus, the threshold concern with respect to property policies is the concern over whether the covered perils are defined broadly enough to include the causes of loss that computer data is likely to be subject to. To address this concern, some companies are asking their property insurers to confirm in explicit policy language that disruption, corruption, deletion, theft, or copying of data, software, or programs is deemed to be "physical loss or damage."
This simple modification, however, may not be enough to ensure adequate coverage for computer data losses. In the context of a first-party property loss, the question of whether the loss was caused by a covered peril is only the beginning. Nearly as important is the question of how much coverage the policy affords. Valuation provisions can be critical when it comes to computer data losses. Some policies contain language that limits coverage for loss of information stored on media to the cost of the blank media. When both the insurer and the policyholder agree that computer data is to be covered, the valuation clause should provide for coverage for the cost of restoring the data from backup, as well as for the cost of replacing or reconstructing the data if backup data is not available.
Another wrinkle in the valuation of computer data losses is the cost of establishing that lost data cannot be replaced or restored. Some commercial property insurance policies provide that if lost data is not restored or reconstructed after a period of time, say 1 or 2 years, there is no coverage at all. But what if—after much effort—it is discovered that the data cannot be reconstructed? Policyholders may want to negotiate a provision granting coverage for the sometimes substantial cost of making the determination that reconstruction of data is impossible.
And the desire to address these issues should not be limited to commercial property policies. Policyholders should consider addressing the same issue in commercial crime policies. Some crime policies limit coverage to loss of money, securities, or "tangible property." Some crime policies also have very narrow valuation provisions for losses involving computer data (expressly stating that the cost to restore lost data is not covered). And all crime policies we have reviewed to date lack specific, and favorable, valuation provisions for computer data like that which is typical in commercial property policies.
The foregoing paragraphs discuss only a sampling of the issues that are likely to arise with respect to coverage under standard general liability, property, and crime policies for losses to computer data. Space does not permit a full discussion of every typical policy provision that could impact the existence or extent of coverage for computer data losses. As always, an insurance buyer should review the policy provisions carefully while at the same time trying to imagine how that language may be applied to a computer data loss.
It is true that some companies have been successful in negotiating express language in their policies to clarify the existence of coverage for computer data losses. But there is no guarantee that all insurers will agree to include the clarifying language, or that any insurer that does agree will do so for all insureds. In fact, a few insurers—spurred by new computer virus and/or computer data exclusions in their reinsurance treaties—have been inserting similar computer virus and/or computer data exclusions in their insureds' policies at renewal. Thus, at least some insurers are taking the bull by the horns and are themselves proposing policy language that diminishes, rather than clarifies, coverage.
When an insurer proposes to add a new computer virus and/or computer data exclusion, the policyholder should check the language of the exclusion very carefully. Some of the new exclusions only apply to losses caused by a computer virus. The fact that such an exclusion is contained in the policy may imply that computer data losses are covered as long as the cause of loss is not a computer virus. But some insurers are going beyond simply excluding losses caused by computer virus. Some of the new exclusions expressly disclaim coverage for any corruption or deletion of, or detrimental change to, or loss of use, impairment of use, or loss of functionality of computer data or software.
Each policyholder's situation is different, and each will be faced with a decision: whether to (1) seek another market; (2) knowingly assume the risk of "going bare" with respect to computer virus losses, or any computer data losses, as the case may be; or (3) purchase a specialized "e-commerce" policy and undergo a rigorous underwriting process with extensive involvement of the policyholder's information technology personnel.
In the meantime, some policyholders will be faced with claims triggering policies that do not contain clarifying language of any kind. What might those companies be able to do at claim time?
Companies that have been proactive in addressing coverage for computer data in their insurance policies—up-front, before a claim is made or a loss is suffered—will have greater peace of mind knowing that claim-time surprises have been minimized. But there remain many companies that have not yet even thought to bring e-commerce issues to the table when negotiating their insurance policies. And even those companies that are negotiating favorable provisions covering computer data losses may yet face claims under prior policies that are silent with respect to the treatment of computer data.
Without any clear answer from the courts, coverage for any individual claim may well turn on factors such as the state of the market, the relationship between a particular policyholder and its insurer, and the size of the claim. Still, a policyholder faced with the insurer's denial of coverage will have ammunition toward getting its claim paid.
In the case of a third-party liability claim submitted under a commercial general liability (CGL) insurance policy, the case law (discussed in our last article) tends to support the notion that computer data is tangible property, particularly when merged into a medium such as a disk or hard drive. Many computer data claims can be characterized as claims involving damage to the medium in which the data was stored. Thus, a policyholder may argue that when data is accidentally erased from a disk, the disk ("tangible property") has been altered and thereby damaged. This same strategy could be successful in first-party claims as well. Altering the arrangement of electrons on a disk or hard drive is a physical change in the structure of the disk or hard drive.
One fact that weighs in favor of policyholders is that most insurers have paid claims involving computer data over the last several years, setting up precedent that could make it difficult for other insurers to march in the other direction. Although some insurers' introduction of computer data exclusions may make renewals more challenging, the fact that such insurers thought it necessary to add an express exclusion implies that these insurers expect computer data would have been covered in the absence of the exclusion. At the very least, it is evidence that a reasonable insured could have read the pre-exclusion language to include such coverage.
Faced with a scarcity of decisions interpreting insurance policy language in computer data loss cases, some policyholder attorneys have turned to tax law to supply answers to the question of whether computer data is tangible property. A court that is called on to decide whether computer data is subject to taxes on "tangible property" cannot duck the question, as the courts in the insurance cases have done. Still, although courts in tax cases have reached answers to difficult questions, there is no consensus as to the correct answer. Thus, even if the tax cases can be considered predictive of whether the loss of computer data will be considered "physical damage" to "tangible property," the forecast varies depending on which state's courts are involved.
For example, in South Central Bell Telephone Co. v Barthelemy, 643 S2d 1240 (La 1994), one of the leading cases in this area, the Louisiana Supreme Court held that certain software programs were taxable "tangible personal property." Central to the court's reasoning was the fact that the intellectual content was affixed in a tangible physical medium. As the court explained,
When stored on magnetic tape, disc, or computer chip, this software, or set of instructions, is physically manifested in machine readable form by arranging electrons, by use of an electric current, to create either a magnetized or unmagnetized space.... The software at issue is not merely knowledge, but rather is knowledge recorded in a physical form which has physical existence, takes up space on the tape, disc, or hard drive, makes physical things happen, and can be perceived by the senses.... The purchaser of computer software desires nor receives mere knowledge, but rather receives a certain arrangement of matter that will make his or her computer perform a desired function.... One cannot escape the fact that software, recorded in physical form, becomes inextricably intertwined with, or part and parcel of the corporeal object upon which it is recorded, be that a disk, tape, hard drive, or other device. (Id.)
After Barthelemy, the Utah Supreme Court suggested that the notion of "tangible property" might extend beyond data-as-embodied-in-a-medium to the electronic signals themselves in South Central Utah Tel. Assn. v Auditing Div. of Utah State Tax Commn., 951 P2d 218, 223-24 (Utah 1997).
Courts elsewhere, however, have held otherwise. For example, in Northeast Datacom, Inc. v City of Wallingford, 563 A2d 688, 691-92 (Conn 1989), the Connecticut Supreme Court determined that the state's property tax on "tangible personal property" could not be assessed on data, but only on the value of the magnetic disks and tapes on which the data was stored. The court drew a sharp distinction between "tangible" and "intangible" property, explaining that tax assessor had improperly attempted to tax the intangible incidents of the software, such as the right to produce and sell copies of the software and the right to license its use to others.
An Arizona court likewise held that its state property tax scheme, long construed to be inapplicable to intangible property due to the state's failure to devise a method of valuing intangible property, would not apply to computer software. See Honeywell Information Sys., Inc. v Maricopa County, 575 P2d 801, 803 (Ariz App 1977).
The view that computer data is not "tangible property" is not confined to older decisions. Just last year, a Florida appellate court, though conceding that the question was difficult, found that computer data was not "tangible property" for purposes of the state's ad valorem tax. See Gilreath v General Electric Co., 751 S2d 705, 708-09 (Fla App 2000).
Thus, even if the tax cases can be considered as precedent for the questions of whether the loss of computer data will be considered "physical damage" to "tangible property" under an insurance policy, the precedent may be favorable or unfavorable to policyholders depending on which state's courts are involved. Also, other factors make it difficult to gauge whether courts attempting to interpret insurance policies are even likely to follow precedent developed in tax cases. The outcome of a tax case may rest on the attitude of a state's courts toward taxation, which may have little or no relevance to the enforcement of private contracts.
A presumption against taxation may be the deciding factor if the court determines the language in a tax statute is ambiguous, while ambiguous language in an insurance policy usually works in favor of the policyholder. But the precedents exist, giving ammunition to lawyers for both insurers and insureds that may seek to press the issue in litigation.
We hope that this article proves useful for policyholders, brokers and others in the insurance industry as we all try to grapple with these very important issues, which will arise time and again in the coming months during renewals and at claim time. We will continue to monitor these issues, both from a claims perspective and policy renewal/placement perspective, and attempt to provide useful updates in this column.
In the meantime, we feel compelled to turn our attention to two different issues in coming articles. In our next article we will address the question of whether there is any difference between "professional services" as covered by professional liability policies, and Business-to-Business and Business-to-Consumer e-commerce activities. Do professional liability policies cover claims arising from such activities (i.e., are B2B and B2C e-commerce activities covered professional services)? Our upcoming article represents an evolution of our thinking as expressed in our articles from last year, given several developments we have witnessed since we wrote those articles.
The article after that will provide a report on what we are seeing in the first-party e-commerce insurance market. As reported earlier, and as alluded to in this article, we are seeing greater insistence on the use of computer virus exclusions and an unbelievably broad computer data exclusion by property insurers. We believe that any policyholder who is not absolutely certain that it will be able to avoid such exclusions on its next property renewal needs to prepare itself now to be able to buy a first-party e-commerce insurance policy on the renewal date of its property program. Otherwise the policyholder might get "blindsided" at the renewal of its property program and have to bear uninsured computer virus risk (or worse, computer data risk) until it can scramble quickly enough to put together a first-party e-commerce insurance program (which we are seeing is no simple or quick task).
This article was written by Catherine Rivard and edited by Michael Rossi.
Catherine Rivard is Senior Risk Management Counsel at Insurance Law Group, Inc., a law firm providing legal services to middle-market and multinational corporate risk managers. She advises on initial placements and renewals (including e-commerce issues), manuscripts insurance policies, and handles disputed claims outside of litigation. She previously was a partner of Troop Steuber Pasich Reddick & Tobey, LLP. Ms. Rivard has represented policyholders in insurance matters since the mid-1980s. She developed the first arguments for "personal injury" coverage in asbestos-in-building and environmental claims. More recently, she wrote briefs in Alpha Therapeutic Corp. v Home Insurance Co., 90 Cal App 4th 1330 (2001) (single-occurrence multi-injury claim not limited to single policy year's limits).
Ms. Rivard is a member of the State Bar of California and the American and International Bar Associations. She earned her JD degree in 1986 from Northwestern University and her AB degree in political science, cum laude, in 1982 from Occidental College. Ms. Rivard can be reached by email.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.