Tektrol Ltd v International Insurance Company of Hanover Ltd & Anor

Factual and Procedural Background

The appeal concerns the interpretation of an "All Risks" business loss insurance policy issued by the insurer to the appellants, hereinafter referred to as the Plaintiff. The Plaintiff operates a business providing computer-related energy saving devices, relying heavily on a "source code" integral to their operations. The source code was stored in five locations: two computers at the Plaintiff's business premises, a laptop of the managing director, a computer at a remote site operated by an independent company, and a hard copy printout at the business premises.

On 19 December 2001, the managing director opened an email attachment that was a virus, which deleted the source code on his laptop. The virus author was a malicious person unknown to the Plaintiff, who intended the virus to spread and cause data erasure wherever activated, but had no knowledge or intent specifically targeting the Plaintiff. The managing director believed the remote site computer was unaffected and restored the laptop from it.

Subsequently, around 2 January 2002, the Plaintiff's business premises were burglarized, resulting in the theft of the two computers and the hard copy containing the source code. When discovered on 7 January, it was found that the virus had also deleted the source code from the remote site, meaning all copies were lost.

The Plaintiff sought recovery under the policy for business interruption losses arising from these two incidents (the virus and the burglary). The insurer contended that liability was excluded for both incidents under various policy exclusions. The lower court accepted that if either incident fell within an exclusion, the insurer was not liable for any loss from the other incident. The Plaintiff thus had to demonstrate coverage for both incidents.

Legal Issues Presented

1. Whether the virus incident falls within the policy's exclusion for erasure, loss, distortion or corruption of information caused deliberately by malicious persons.
2. Whether the burglary incident, involving theft of computers containing the source code, is excluded under the policy's clauses relating to loss or damage of information on computer systems, given the insurer's acceptance of liability for burglary under a separate exclusion.
3. The proper construction and application of exclusion clauses in an "All Risks" business loss policy, particularly the interpretation of "loss" and "malicious persons" within the context of computer information damage.

Arguments of the Parties

Appellant's Arguments

• The virus damage should not be excluded because the hacker did not deliberately target the Plaintiff's computer systems; the damage was incidental and therefore does not meet the deliberate causation requirement in the exclusion.
• The burglary loss should be covered since it involved physical theft of computers, which is accepted as a risk under the policy, and the consequential loss of information stored on them should be recoverable.
• The exclusion clauses should be narrowly construed against the insurer, particularly where ambiguity exists, consistent with contra proferentem principles.

Appellee's Arguments

• The virus incident falls squarely within exclusion 7(b)(i) as it involved erasure of information caused deliberately by a malicious person (the hacker).
• The burglary loss is excluded under exclusion 7(b)(ii) because theft is not a "Defined Peril" and the loss of information on stolen computers is excluded.
• The insurer argued that exclusion 13, which provides some coverage for theft, relates only to physical damage to hardware and does not extend to loss of data or information.
• The policy language is clear and unambiguous, so contra proferentem does not apply.

Table of Precedents Cited

Court's Reasoning and Analysis

The court first examined the virus incident under exclusion 7(b)(i), which excludes erasure or corruption of information caused deliberately by malicious persons. The court reasoned that the hacker's general intent to cause disruption to any susceptible computer system sufficed as deliberate causation, even if the hacker had no specific knowledge of or intent towards the Plaintiff. However, a nuanced analysis of the clause’s language and context led the court to conclude that the exclusion was intended to apply to malicious acts directed specifically at the insured's premises and computer systems, akin to rioters or strikers causing damage on site. The inclusion of "malicious persons" alongside those categories did not extend the exclusion to remote hackers causing indirect or non-targeted damage. Therefore, the virus damage did not fall within this exclusion.

Regarding the burglary, the court rejected the lower court’s interpretation that the loss of information on stolen computers was excluded under 7(b)(ii). The court found that the word "loss" in the exclusion clause was part of a phrase targeting electronic interference with information, not physical loss of the hardware containing the information. The court relied on established principles of insurance drafting that employ overlapping phrases to ensure comprehensive coverage of electronic data interference, but not to exclude physical theft-related losses. The court noted exclusion 13 explicitly contemplates coverage for damage or consequential loss caused by theft or attempted theft involving forcible entry, which supports coverage for burglary losses.

One judge dissented on the burglary issue, emphasizing a stricter textual interpretation of exclusion 7(b)(ii) and viewing the exclusion as unambiguous in excluding loss of information unless caused by a defined peril. This dissent highlights the interpretative difficulties but does not alter the majority’s reasoning.

Overall, the court applied the contra proferentem principle narrowly, focusing on the context and purpose of the exclusion clauses rather than isolated wording. The analysis balanced the insurer’s drafting intentions against the reasonable expectations of coverage under an "All Risks" policy.

Holding and Implications

The court ALLOWED THE APPEAL, holding that the insurer’s exclusion clauses do not exclude liability for loss caused by the virus or the burglary incidents suffered by the Plaintiff.

The direct effect is that the Plaintiff is entitled to recover under the policy for business interruption losses resulting from both the virus and the burglary. The decision clarifies the limits of exclusions relating to malicious computer interference and theft of computer equipment in the context of an "All Risks" business loss policy. No new broad precedent was established beyond the interpretation of the specific policy language at issue.