Vendor’s products liability coverage: An option for cyber breaches

Cyberattacks are in the news every day, yet too many businesses lack adequate coverage.


Adding insult to injury, businesses victimized by a cyber incident — data breaches, cyberattacks, ransomware, etc. — through no fault of their own may also have little or no recourse to recoup their losses.

More often, after a cyber incident, businesses are left not only with their first-party losses but may also face third-party claims from customers and contractual counterparties. As such, businesses should carefully analyze whether they have potential product liability claims that may be asserted where software (and malware-affected hardware) defects played a role in the cyberattack. Such claims should be pleaded carefully to maximize the company’s ability to access a putative defendant’s product liability insurance coverage.

A broker whose company services a number of Fortune 100 companies recently relayed that one of his clients had no cyber insurance coverage, and had little clue, if any, as to what type of cyber coverage would best meet the company’s needs. As shocking as that might sound to anyone whose practice involves insurance, the fact is that a great number of companies are only now trying to catch up with the digital age’s darker side: malware, ransomware, phishing attacks and hacks.

Why PL policies?

Many companies — of all sizes — are scrambling to update their internal privacy information practices, which should include the placement of cyber insurance coverage. Existing comprehensive general liability (CGL), directors and officers (D&O), errors and omissions (E&O) or professional liability coverage may not (or will not) respond to cyberattack-related losses.

That begs the question: What recourse does a company have to deal with losses from a malware attack? One possible answer: hardware and software manufacturer’s products liability (PL) policies.

Products liability claims are not a given. In particular, where the cyberattack exploited a software vulnerability, the software developer typically will attempt to limit its liability based on the terms of service or licensing agreement, which are crafted to limit liability for losses caused by malware. Despite such efforts to limit liability, some courts have allowed litigation to proceed. Examples include, but are not limited to, cases involving unenforceable “browsewrap” agreements (i.e., website terms and conditions that do not require affirmative agreement by the customer), licenses that failed to provide for data breach exposures, or cases of strict liability. Once able to pierce through the license agreement, counsel for malware-affected businesses may, through carefully crafted pleading, give a software developer access to indemnity coverage under its PL policy (or a “Completed Operations and Product Liability” endorsement to a CGL policy), and thus put the developer in a better position to pay for such losses.

Some paths to PL coverage

A PL policy, as opposed to the more restrictive “Products-Completed Operations” endorsement to a CGL policy, will typically provide coverage for a manufacturer’s or vendor’s liability for losses to its customers and the public in general that are caused by a design or manufacturing defect, or a failure to warn. However, given that traditional PL coverage was not specifically designed to address cyberattacks, it may still have gaps that leave the software developer uninsured for third-party claims by companies suffering malware-related losses; that is, unless facts are alleged in the complaint that fall within the PL coverage grant. In any event, plaintiff’s counsel should always make a demand for the hardware and software developer’s policies under New Jersey Court Rule 4:10-2(b), in order to determine both the scope of the developer’s PL coverage and any exclusions.

The language of PL policies should provide plaintiff’s counsel with a roadmap of what facts need to be alleged to support a typical product liability claim. At a minimum, the complaint should seek liability for losses and injuries proximately caused by a defectively designed or manufactured software product that was distributed, sold, handled or disposed of by the developer in the regular course of business. In addition, the pleading should allege facts supporting that the virus-infected computer software product caused the business user property damage or bodily injury losses (as for bodily injury claims, more recent “products-completed operations” endorsement forms may also bring coverage into play as an exception to “electronic data” exclusions). This should begin to open the door for the defendant developer to make a demand for coverage under its PL policy.

Without examining the subsequent, myriad positions the developer’s PL carrier is certain to take to disclaim coverage for a malware attack, one common position taken is that the software is neither a “good” nor a “product,” but rather a non-tangible “service” that is not covered.

That said, there have been several scholarly articles that call for the treatment of stand-alone software as “goods,” and the Federal Food & Drug Administration provides some guidance in the context of mobile medical devices, where it considers stand-alone software to be a “product” in the form of a “device.”

Indeed, there have even been some recent, outlier decisions that have found the loss of electronic data in software — typically treated as intangible property and, thus, not “property damage” — did, in fact, constitute a covered, tangible loss under a policy’s coverage grant. However, despite these findings, courts have more often than not focused on the tangible nature of the source of damages in the products liability and related coverage contexts and, thus, treat standalone software as a non-tangible “service.”

But, times they are a-changing….

Illustrative of this change is the effect the internet of things (or “IoT” — the term used to describe the interaction between software and digital devices, by businesses and people, in transferring data over networks, such as inventory tracking, GPS, remote security devices, etc.) has had on the treatment of software as a service (SaaS) versus the more outdated “SaaP,” or software as a product (i.e., prepackaged software on a CD-ROM).

As we continue to engage in commerce through the increased use of smart devices via the IoT — devices that necessarily integrate software with hardware, thus arguably rendering the concept of “standalone” software a relic of the past — so, too, do we increase the risk of cyberattacks, which can take the form of viruses that infect software and also do harm to hardware. This is certainly the case when it comes to the theft of proprietary business data stored “in the cloud,” illegal access to privately held HIPAA information on secure, blockchain-based platforms, and accidents involving driverless cars using AI.

With regard to the treatment of software as a “product” through the IoT’s integration of software and hardware in the use of smart devices, the roots of such integration can be found, in part, in the Restatement (Second) of Torts §402A’s focus on delineating hardware products incorporating software as a tangible item, distinct from standalone software. Put another way, the Restatement, and its more recent decisional progeny, have deemed software to be a tangible product when supplied on a “turnkey” basis.

Specifically, where hardware and software purchases (or licensing of the same) involve turnkey transactions, as is the case with IoT devices, many courts have held software to be “goods,” especially under the UCC’s Article 2 covering the sale of goods, when the fact finder deems that the “major portion of the transaction involved the sale of software” and “the purpose of the contract was to transfer products and that the services promised were merely incidental.”

It is also interesting to note that, according to at least the New Jersey appellate court, the term “turnkey” does not necessarily mean the simultaneous integration of software with hardware, and one can follow after the other in time.

A look back to the future

For those companies presently not considering cyber coverage, bear in mind that D&O, E&O, professional liability or, as discussed herein, hardware and software developer’s PL coverages are all temporary measures.

Indeed, increasing spates of cyberattacks serve as a clarion call for the enactment of legislation mandating that businesses institute IoT cybersecurity and privacy information systems and, consequently, place cyber insurance coverage within their overall insurance program.

On that front, only as courts obtain a better understanding of IoT’s integration of software and hardware will “tangible”/“non-tangible” distinctions be blurred and, arguably, redefined as falling more in line with products such as natural gas, which has been found to be tangible, covered “property damage.” As one court aptly wrote: “Like a motion picture, where the information and the celluloid medium are integrated, so too were the [computer] tape and data integrated at the moment the [computer] tape was lost … unlike data removable from a tape, the movie cannot exist without the film.”

Renier Pierantoni is an attorney with Cooper LLC in Cranford, N.J. He is a commercial litigator who has represented clients in a wide variety of business-related matters.
