Source code: Keep it safe, keep it secret

March 1, 2005

Question: how many back-up copies of his source code should a wise man keep? Answer: difficult to say, but probably quite a few. It would also be prudent to keep them at several different locations, just to be on the safe side.

These were some of the lessons learnt by software company Tektrol Limited, following an unsuccessful attempt by it to sue its insurers under a business interruption policy. Tektrol had lost all five back-up copies of the source code of its main product, “PowerMiser”, through a combination of events that took place in quick succession. First, in December 2001 two of the back-up copies (one stored on the managing director’s laptop and another on a PC at a remote site) were wiped out by a computer virus that had been attached to an e-mail. The remaining three copies (two stored on PCs and one hard-copy kept in a pilot case, all at the company’s premises) were stolen just over two weeks later during a break-in.

The loss of the back-up copies of the source code had serious implications for the company. The operation of the PowerMiser relied upon executable code complied from the source code. Tektrol adapted the source code for each PowerMiser, according to the purpose for which the individual customer wanted to use it. Without access to the source code, Tektrol could only produce exact replicas of the existing product.

The Policy

Throughout this period Tektrol was insured for material damage and business interruption loss under the terms of a ‘Combined All Risk’ policy. The policy expressly excluded “erasure loss distortion or corruption of information on computer systems” caused deliberately by “malicious persons”. When Tektrol attempted to make a claim on its policy in respect of the lost copies of the source code, the insurance company refused to pay on the basis that the exclusion applied. It argued that the loss of the stolen back-up copies would not have mattered if the other copies had not already been erased as a result of the virus. The loss of the source code was ultimately caused by the computer virus and was therefore excluded under the terms of the policy. Tektrol took action and subsequently sued its insurers.

It was not disputed that the virus, which had caused the loss of the first two copies of the source code, had been caused by ‘malicious persons’ (although Tektrol tried, unsuccessfully, to argue that the individuals concerned had not deliberately sought to cause the loss of the source code itself). It was further agreed by the parties that the break-in had caused the loss of the remaining copies of the source code. The issue was whether, where there were two causes of the same loss and one cause was excluded by an insurance policy, the entire loss would be excluded. Unfortunately for Tektrol, the High Court held that it was. In reaching this decision the court looked at the case of Wayne Tank and Pump v Employers Liability Ltd [1974] 1 QB 57. This involved a fire at a factory. The factory owners sued the company that had installed the equipment in the factory on the basis that the equipment had caused the fire. However, it was also found that the fire had resulted in part from the conduct of one of the defendant company’s employees. The company was found liable and sought to recover its losses from its insurers. The insurers had excluded liability for damage resulting from the equipment, but not for damage relating to the conduct of the employee. The Court of Appeal in this instance found that where there were two causes of damage, one covered by an insurance policy and one specifically excluded, the insurers could rely on the exclusion.

The logic behind the Court of Appeal’s decision appeared to be that the insurers would lose the benefit of the exclusion if the loss caused in part by the excluded event was nevertheless recoverable because it was caused in part by another event that was not excluded. In the present case, the insurers had excluded from cover certain losses of electronically held information precisely because the extent of such losses could, potentially, be considerable. The High Court found, therefore, that if the consequences of either the virus or the break-in were excluded from cover, the loss of the back-up copies of the source code would not be covered by the policy. Nevertheless, the High Court then went on to consider the remaining provisions of the insurance policy and found that loss of the source code as a result of the break-in was also excluded. However, for the reasons explained, even if it had been the case that only one of the causes of the loss was excluded from cover, Tektrol’s claim would have still failed.

Conclusion

The High Court’s ruling brings into sharp focus the fact that the courts will find in favour of insurance companies in their attempts to exclude liability for certain types of loss, and to an extent, irrespective of the cause (or causes) of such loss. This is not to say that business interruption insurance is not worth taking out. On the contrary, it is recommended that companies do maintain such insurance cover, particularly in current times when there are so many potential risks to business continuity (ranging from cyber-crime and cyber-terrorism to major power outages such as that experienced in the United States in August 2003). However, care should be taken to establish the scope of the cover being offered together with the scope of the exclusions from such cover. If there is potential for an excluded event to occur, a company should look at what other practical steps it may be able to take to ensure that, as far as possible, any losses it would suffer from the excluded event taking place are kept to a minimum.

For software companies such practical steps would include keeping numerous back-up copies of crucial software and/or data at numerous locations and on different types of media – essentially covering all eventualities. As the Tektrol case proves, you can never be too careful in planning for business continuity, as lightning can, occasionally, strike twice.

Paul Barton (paul.barton@ffw.com) is a partner and Liz McSweeney (elizabeth.mcsweeney
@ffw.com) is a solicitor in the Technology Law Group at City law firm Field Fisher Waterhouse.