Briefing Note - Disaster Recovery, IT Contracts and the Insurance Policy: Infiltration of Viruses and Insurance Contracts

Disputes under insurance contracts may arise from the meaning of meaning of the wording of the insurance policy. Recently, a case was heard which could have implications for businesses where the business processes were dependent on an IT system.

The case involved a company which made a claim on its business interruption policy when a computer virus destroyed computer code, leaving the software on a backup copy (held on a laptop computer by a director) useless. A subsequent burglary then resulted in the loss of the remaining copies of the source code of the program in electronic and hard copy.

The insurance policy excluded deliberate damage and damage by malicious persons. The company argued that a virus was not deliberately introduced into their system, nor was it knowingly put there by malicious persons.

The court decided that the loss caused by the virus was due to people who deliberately sought to create damage and accordingly it was excluded from cover provided by the insurance policy. Although the burglary had contributed to the loss - it was the main reason for it - the damage done by the virus had increased the risk of the loss of all the data occurring. The overall loss could therefore be considered to have resulted indirectly from the virus. The occurrence of loss due to a single excluded act prevented the claim.

It is important to implement a disaster recovery plan, which caters for the creation of off-site backups of critical data and software. The backups should be verified and the restoration process tested intermittently. Data and program integrity should also be subject to periodic verification, especially after dealing with known virus attacks. Anti-virus measures that are in place that do not work when needed wastes company resources and on a practical level may as well not exist in the first place in the event that data be irretrievably corrupted or lost. Businesses should ensure what your insurance policy does and does not cover and obtain confirmation from the insurer if there is any doubt.

Any business would hope to avoid having to make an insurance claim of this kind but, when one needs to be made, you need to know the claim is well-founded. If your insurance policy does not afford cover for loss resulting from a virus attack, your ability to obtain compensation (by way of damages) from the perpetrator for the harm caused is slight.