Technology keeps progressing in leaps and bounds. We read that robots or the much- awaited (or dreaded) artificial intelligence are going to take over property claims work in the All Things Internet New World. Unfortunately, there is a “dark side” that seeks to exploit these technological advances, as can be seen with the almost daily cyber-attacks that are reported in the news. Hardware hacks are the latest exploits of “evil doers” and insurers may be called upon to pay for economic loss related to these hacks. What does all of this portend for those of us in the first-party world? Answer: More head scratching! Yes, we will need to do the usual in-depth factual and policy wording analysis to determine if newly presented claims of this sort fit within the parameters of the coverage found in traditional first-party property policies.
On October 4, 2018, Bloomberg Businessweek broke the news story of a purported attack by Chinese spies that reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain[1]. As told by Bloomberg, a tiny microchip – – not much bigger than a grain of rice – – was discovered in server motherboards and that microchip was not part of the board’s original design. The Bloomberg article elaborates that investigators determined that these microchips allowed the attackers to create “a stealth doorway into any network that included the altered machines.” Bloomberg explained that these surveillance chips were “inserted at factories run by manufacturing subcontractors in China” and, as such, “this attack was something graver than the software-based incidents the world has grown accustomed to seeing.”
In response, Amazon called the story “untrue.” Apple said in a statement that “we have found absolutely no evidence to support any of” the allegations by Bloomberg Businessweek[2]. On October 9, 2018 Bloomberg followed up with a second news article contending that a “major U.S. telecommunications company discovered manipulated hardware . . . in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.[3]” On October 22, 2018 the Wall Street Journal reported that the manufacturing company identified in the initial Bloomberg article denied that malicious chips were added to its motherboards but that it is “undertaking a complicated and time-consuming review to further address the article.[4]”
So what else is new in this World? We have statements and denials, and who knows where the truth lies. But for purposes of this article, let’s indulge in the assumption that an evil doer (a person, a nation, you pick) caused the insertion of a microchip the size of a “grain of rice” into computer system hardware.
From a property insurance perspective, the question becomes whether computer hardware altered by the inclusion of a foreign physical item constitutes property damage to that computer hardware. What if the inclusion of the rogue computer hardware item causes or results in physical loss or damage to another computer or process; say, for example, the small “grain of rice” microchip causes a plant’s boilers to overheat? Is that damage the type of damage for which first-party insurance coverage should respond? What if a microchip secretly is added to an industrial motor controller that causes the motherboard to short-circuit after a certain number of hours of operation, thereby causing a loss of control of the operation of the motor? Can that scenario be viewed differently than a cyber-attack that transmits malicious code via an added rouge microchip that enables a motor to run at excessive speeds and burns out?
Just because we ask the questions does not mean there is a clear cut answer. We can tell you what we have been trained to say after reading and litigating countless first-party cases and claims in our professional lives. The answers will depend on the specific underlying facts and policy wording at issue. Plus, a bit of guess work based on experience as to what courts are likely to say, though we all know that there is no one size fits all response.
One of the factual questions that needs to be parsed out is whether the property loss is directly attributed to the hardware hack itself or to malware instructions that were able to be transmitted at a later date via a stealth doorway created by the added hardware. It is difficult to predict potential scenarios for a hardware hack, but, depending on the facts surrounding the property loss, this information may become relevant and/or add a whole new level of complexity to investigating and determining coverage for the property loss. The interaction between the actual hardware hack and the involved software coding / instructions may be difficult to separate from a causation standpoint.
The physical location of the affected server or controller with the hacked microchip along with the physical location of the damaged equipment or machinery that it operates will also need to be ascertained as many property policies limit the territory for insured property. This identification of locations will need to take into account any “cloud” computing along with remote operations via the internet.
Under the assumption that a forensic investigation is able to determine that the computer hardware physically was hacked (the added “rice” or microchip or whatever differs from the original design) and there is a causal connection to the property loss, another preliminary inquiry will be who is the perpetrator(s) behind the attack. To the extent that a hostile nation / state sponsor actor is identified, then if the policy has a war, warlike, or terrorism exclusion, such exclusion potentially may apply to bar or limit coverage for the property loss.
In order to apply the exclusions, insurers will need to have a good understanding of not only the technical aspects of how the hardware was originally designed and what was done to hack the hardware, but also the intended purpose of the hack, who performed it, and at whose direction. In other words, get the right expert, i.e., someone who has actual experience in both computer hardware and programming of computers and related systems.
At times the factual investigation ends without the perpetrator being definitively identified or a dispute may arise between the policyholder and insurer over who is the true actor. Recently, as the frequency and severity of cyber-attacks has been increasing, governments are now starting to step in and publically identify the perpetrators. This information can potentially assist with applying these exclusions.
For example, with respect to the May 14, 2017 “WannaCry” cyber ransomware attack that encrypted hundreds of thousands of computers across the world, the United States, as well as other governments, publicly attributed the WannaCry cyberattack to North Korea and called it “a careless and reckless attack[5].”
For the “NotPetya” cyber-attack that took place on June 30, 2017, the United States publically attributed the destructive malware to “the Russian military [that] launched the most destructive and costly cyber-attack in history. The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas.” The United States called NotPetya “a reckless and indiscriminate cyber-attack that will be met with international consequences.” [6]
Another avenue of inquiry with computer hardware hacks will be whether any other first-party property exclusions apply, such as exclusions for hidden or latent defect or exclusions for faulty, defective or negligent design, specifications, and errors in system programming. Of significant importance to these policy exclusions is whether or not they contain an “ensuing damage” provision and/or anti-concurrent causation wording.
Case law dealing with these topics is sparse, but one can look to similar situations for some general impressions. One potential argument is that computer hardware hacks causing damage during a manufacturing process are akin to malfunctions or faulty workmanship, designs, or materials. For example, in Worldwide Sorbent Prod., Inc. v. Invensys Sys., Inc., No. 1:13-CV-252, 2014 WL 12597394 (E.D. Tex. July 31, 2014), judgment entered sub nom. Worldwide Sorbent Prod., Inc. v. Travelers Lloyds Ins. Co., No. 1:13-CV-252, 2014 WL 12597392 (E.D. Tex. Sept. 10, 2014), the insured alleged that a commercial oven overheated because of a malfunctioning electronic controller switch, damaging the products inside and portions of the oven itself. The insured sought coverage under an all-risk property policy for its losses. The original controller switch was replaced by the new controller switch at issue that was manufactured by a third-party. The experts reached similar conclusions that the loss was caused by a defect in the insured’s software or firmware, attributable to the oven’s controller switch that acted to deactivate the oven’s heating elements at a particular temperature. The court held that, since the purported defect was not discoverable by a customary inspection of the device, and was not otherwise apparent, it was “hidden or latent, and the defect exclusion would exclude coverage if the defect was determined to be the cause of [] loss.” Id. at *8.
Of note in the Worldside case is that the defective controller switch was manufactured by another party and then installed by the insured in its oven. Insurers may be able to argue that such a situation is similar to a manufacturer producing a computer motherboard that contains hacked hardware and this component subsequently being incorporated into a product for another manufacturer that ends up malfunctioning.
Courts have also addressed situations where a component part renders a mass produced product unmarketable. For example, in H.P. Hood LLC v. Allianz Glob. Risks U.S. Ins. Co., 88 Mass. App. Ct. 613, 39 N.E.3d 769 (2015), the court dealt with the issue of a specialty beverage bottle cap liner that became more “slippery” over time and affected the amount of torque needed to seal the bottles property in order to maintain a hermetic seal. As a result of this condition existing in a certain percentage of the bottles, almost two million bottles involved in the production run could not be marketed and subsequently were destroyed. The insured sought coverage under a first-party property policy for its various losses. The Court of Appeals of Massachusetts affirmed the lower court’s ruling that the losses fell within the exclusion for “faulty workmanship, material, construction or design, from any cause.” The court stated that: “We agree with the motion judge that the plain language of this exclusion applies to the bottle cap liner issue, whether that problem be viewed as one of faulty “material” (the fact that the characteristics of the bottle cap liners changed as they aged), faulty “workmanship” (the failure by Hood to apply the correct torque), or faulty “design” (the fact that the bottling process did not take into account the changes to the liners as they aged).” Id. at 617. The Massachusetts Court of Appeals concluded that “[b]oth conceptually and practically, the losses entailed here cannot reasonably be characterized as ‘separable.’ (citation omitted). Instead, a problem with the bottle cap liners directly rendered the entire product unsaleable. The loss of that product falls squarely within the exclusion language.” Id. at 619-20.
An insurer could argue that a similar decision would have been reached if a computer hardware hack associated with manufacturing the bottle lid seals had been responsible for causing the “slippery” condition over time. Another potential provision to explore for a computer hack is the exclusion for vandalism or malicious mischief.
* * *
We are living in the age of computers and the drive of technology, both good and bad, keeps marching forward. As such, traditional first-party policies are confronted with new loss scenarios. We could say “please take this latest computer hacking event with a grain of salt,” but here, the “real” story is no larger than a grain of rice.
[1] See https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies (Bloomberg Businessweek, dated October 4, 2018).
[2] See https://www.washingtonpost.com/technology/2018/10/04/china-inserted-surveillance-microchip-servers-used-by-amazon-apple-according-report/?noredirect=on&utm_term=.df231a3ead20 (The Washington Post, dated October 4, 2018).
[3] See https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom (Bloomberg News, dated October 9, 2018).
[4] See https://www.wsj.com/articles/super-micro-computer-denies-malicious-chip-report-1540213555?mod=searchresults&page=1&pos=1 (Wall Street Journal, dated October 22, 2018).
[5] See https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ (White House Press Briefings, dated December 19, 2017).
[6] See https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/ (White House Statements & Releases, dated February 15, 2018).