Commercial Lines--Does crime policy cover theft of data? 11/02

Commercial Lines--Does crime policy cover theft of data?

By Donald S. Malecki, CPCU

It is not unusual today to hear about missing laptops, in both the governmental and public sectors of business. The concern is not so much over the laptop itself. The concern is with the software, including the information contained therein, which, if it falls into the wrong hands, can be devastating to the owner.

One of the many questions likely to be asked following such an event is whether the employer has coverage not only for the loss of its computer but, more important, for its electronic data.

The first place the employer should look for coverage of the theft of the laptop would be under its crime policy. Two standard forms are currently available: (1) loss sustained, and (2) discovery. Since the December 2001 issue of this column discusses both forms, it is not necessary to repeat the differences here, other than to say that if the appropriate policy has been triggered, loss to the laptop should be covered. (The link to the December 2001 "Risk Management" column
is www.roughnotes.com/rnmagazine/2001/december01/12p122.htm.)

But what about the software, including electronic data? Most insurers are likely to deny coverage, pointing to the (1) employee theft insuring agreement, and (2) the definition of "other property" of ISO crime forms. The insuring agreement of either form refers to covered property as "money, securities, and 'other property.'" The term "other property," on the other hand, is defined in part to mean "tangible property" other than "money" and "securities" having "intrinsic value...."

The question is whether electronic data is tangible in nature. If the data is printed and placed in a binder on the shelf, it is tangible. But what about when data is viewed on a monitor and even edited? Is it tangible? Just recently, ISO amended its property and liability forms to specifically state that electronic data is not tangible property.

It was cases such as American Guarantee & Liability Insurance Company v. Ingram Micro, Inc., 2000WL 726789 (D. Ariz. 2000) that convinced ISO the time was ripe to amend its property forms. The court in this case held that the meaning of physical damage was not restricted to the physical destruction or harm of computer circuitry but also included loss of access, loss of use, and loss of functionality.

The ISO crime forms have not yet been amended to say the same thing that the ISO property and liability forms do. If court decisions are any indication, ISO may not have to amend its crime forms because, to this point, the decisions have favored the insurers.

In the case of Peoples Telephone Company, Inc. v. Hartford Fire Insurance Company 36 F.Supp.2d 1335 (S.D. Fla. 1997), the federal court held that an employer's crime policy did not cover loss brought about by an employee's misappropriation of mobile telephone serial numbers and identification numbers. The court said that the lists were not "tangible property with intrinsic value" under the policy's employee dishonesty coverage provisions.

Another more recent case involving an employer's crime policy is Holloway Sportswear, Inc. v. Transportation Insurance Co., 177 F.Supp.2d 764 (U.S.D.C. S.D. Ohio 2001). The plaintiff alleged that its former employee stole its software designs and other trade secrets, including confidential pricing information, which the former employee sold to a competitor. The plaintiff maintained this loss was covered under the employee dishonesty portion of its crime policy.

The insurer responded that covered property, under the crime policy, was defined as "money, securities and property other than money and securities," with property other than money and securities defined as "tangible property other than money and securities." Thus, the insurer argued, intangible property does not come within the meaning of "covered property." The Ohio court agreed, stating that trade secrets and other confidential commercial information are intangible property.

With these types of cases favoring insurers, ISO is not likely to amend its crime forms, at least not until a court rules favorably for an insured. In the meantime, employers are strictly on the defensive when it comes to seeking coverage for loss of electronic data that is misappropriated by current or past employees.

Assumption

Let's say, for purposes of assumption, that in light of the absence of a specific exclusion of electronic data in ISO crime forms, coverage applies. Coverage could very well apply in a certain fact pattern. In fact, there is an argument to be made for coverage, in the absence of an exclusion, if one looks at the Computer Fraud coverage section of these crime forms.

The fact that this section covers "other property" resulting directly from "the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises" might lead one to believe that the transfer, in some cases, might involve intangible property, which is lost before it is transformed to tangible property.

In any event, let's assume that a crime form covers loss of electronic data with the additional assumption that the data is taken from a client's premises by an employer's employee who had permission to work on the client's premises. If the client files suit against the employer for loss of electronic data, the question is whether the crime form would respond.

Those who are familiar with crime policies know that they are not liability policies. One of the policy's conditions is that the covered property is limited to that which is owned, leased, held for others, or for which the named insured is legally liable. The policy goes on to say that it is for the named insured's benefit only and provides no rights or benefits to others.

However, the answer also is given in this same condition titled "Ownership of Property; Interests Covered," where it states: "Any claim for loss that is covered under this policy must be presented by you."

So the scenario looks this way: The named insured (employer) is confronted with a suit--filed by the client--for damages, because the named insured's employee, while working at the client's premises, downloaded and misappropriated confidential information (trade secrets) that were sold to a competitor.

Whether the insurer will pay the named insured, who can then turn around and indemnify the client, will still be uncertain even if electronic data is considered to be covered. The answer hinges on the edition of the crime policy. The latest ISO crime forms carry an edition date of 2000. If this is the applicable edition, no coverage would apply, unless the named insured has obtained a so-called Clients' Property endorsement.

What this endorsement states, in effect, is that the insurer will pay for loss of money, securities or other property sustained by the named insured's client resulting from theft committed by an identified employee acting alone or in collusion. Crime policies with a pre-2000 edition automatically included this wording. Now an endorsement is necessary.

So if the named insured employer had purchased this endorsement, it would cover the loss based on the above assumption, if the employee who misappropriated the trade secrets or other data could be identified.

At this juncture, at least, coverage under crime policies for theft of computer data looks weak. But there is room for argument, and there will likely be such argument so long as the crime policies are not amended as the property and liability policies have been. *

The author

Donald S. Malecki, CPCU, is chairman and CEO of Donald S. Malecki & Associates, Inc. He is an active member of the CPCU Society, on the Examination Committee of the American Institute for CPCU, and an active member of the Society of Risk Management Consultants.