THE “REAL WORLD” v. THE “CYBER WORLD”
Sean Quinn, Ph.D, J.D., Etc.
I have been warning readers for some time, that insures of the so-called “REAL WORLD” would begin excluding losses from the So-Called “Cyber World.” (I have also said a number of times that there are no standardized cyber insurance policies. The latter is a slight exaggeration on my part.)
Here is an example of a new cyber exclusion; it is found in an endorsement; and it is entitled “Cyber Risk Exclusion.” It comes from a form marked “USFire 000015” and marked FM 600.0 191 08 05. The origin of the first of these two, but the second is less self-explained. The initials have over many years meant “Factory Mutual,” but there is not reason to think that is true here.
In any case, the endorsement says it applies to a number of named policies. The list is restricted to cyber risks to the extent that they are found in the following parts of commerce policies: Boiler and Machinery Insurance*, plus the following parts** of other commercial policies: Crime, Inland Marine, Property. (*First “Footnote”: Boiler and Machinery policies are not explicitly named as a type of commercial policy, but they all are, as they have always been.) (**Another “Footnote”: The meaning of the word “part” is not clear. If a policy is completely devoted to one risk, say crime, so it is a “Crime Policy” and nothing else, does the cyber loss exclusion being discussed here apply to such policies? But there must be a cyber exclusion for that situation, although it might be a section in the policy itself and not in an endorsement. There would be no confusion if the exclusion applied to all the insuring agreements, and anything else that might be relevant.)
There is one exclusion with three sub-parts. The key to the exclusion is this: “The Company will not pay for Damage or Consequential loss directly or indirectly caused by, consisting of, or arising from [any of the following three:” [Emphasis added.]
1. “Any functioning or malfunctioning of the internet or similar facility [i.e., any other net],
2. “Any corruption, destruction, distortion, erasure or other loss or damage to data, software, or any kind of programming or instruction set.
3. “Loss of use or functionality[,] whether partial or entire[,] of data, coding, program, software, any computer system or any device dependent upon any microchip or embedded logic, and any ensuing liability or failure of the insured to conduct business.” [Emphasis added.]
There is another exclusion which does not identify itself as such, be that is what it is. [Here it is in abbreviated part.]: All Damage [as defined in the policy] or Consequential [as defined in the policy] loss are “excluded, regardless of any other cause that contributes concurrently or in any other sequence.” [Emphasis added.]
At the same time, reads the endorsement, the usual perils to be found in physical injury to first party property policies–or most of them, anyway–are not excluded. [I say first party property policies, but maybe not for at least a couple of areas.]
As with all endorsements of this type–exclusionary endorsements–this one states that it does expand coverage in any way. The meaning(s) of all other “terms, conditions and exclusions of the policy are unchanged.” In other words, none of them is altered in meaning.
Alternative (a) is reasonable, the other two are not. Consider the following descriptions. (i) Quinn is playing pool. He uses the all white q-ball to strike the 4-ball. Is this direct? It surely is within the game of pool, but it is part of a causal chain: Quinn looking, Quinn studying; Quinn deciding; Quinn striking the cue ball. Now consider Quinn striking the 4-ball by first striking the 2-ball. Granted the second set of facts is less direct than hitting it first. Within the game of pool this sequence seems direct, as does striking one or more sides, when contrasted with outside acts, for example, throwing the cue ball at the 4-ball, using either end of a tennis racket or throwing it at a wall, the ceiling, or another player, and then hitting the 4-ball. In other words, being direct varies with the context.
In addition, complex events are virtually never caused by simple events. Thus, if “direct” means “only,” there are no direct causes. In addition, if Damage is caused both by the corruption of data and the distortion of software at the same time then the exclusion would not be triggered, since it–that combination– is not separately in the list of exclusions it is not excluded. Correct thought this view as a matter of semantics and logic, one wonders if pragmatic and practice orient courts will buy it. So much for the literal interpretation of contracts.
When a lawyer is thinking about coverage in “direct result of” contexts, or similar wordings, s/he should be thinking of different ways to describe context, actions, omissions, and events.
Originally posted on 01/02/2014 @ 5:57 pm