Adding insult to injury, businesses victimized by a cyber-incident—data breaches, cyber-attacks, ransomware, etc.—due to no fault of their own, may also have little or no recourse to recoup their losses. More often, after a cyber-incident, businesses are left not only with their first-party losses, but may also face third-party claims from customers and contractual counter-parties. As such, businesses should carefully analyze whether they have potential products liability claims that may be asserted where software (and hardware affected malware) defects played a role in the cyber-attack. Such claims should be pleaded carefully to maximize the company’s ability to access a putative defendant’s products liability insurance coverage.
Cyber-attacks are in the news every day, yet too many businesses lack adequate coverage. A broker whose company services a number of Fortune 100 companies recently relayed that one of his clients had no cyber insurance coverage, and had little clue, if any, on what type of cyber coverage would best meet the company’s needs. As shocking as that might sound to anyone whose practice involves insurance, the fact is that a great number of companies are only now trying to catch up with the digital age’s darker side: malware, ransomware. phishing attacks. and hacks.
Why PL Policies?
Many companies—of all sizes—are scrambling to update their internal privacy information practices, which should include the placement of cyber insurance coverage. Existing comprehensive general liability (CGL), directors and officers (D&O), errors and omissions (E&O) or professional liability coverage may not (or will not) respond to cyberattack related losses. That begs the question: What recourse does a company have to deal with losses from a malware attack? One possible answer: hardware and software manufacturer’s products liability (PL) policies.
Products liability claims are not a given, however. In particular, where the cyberattack exploited a software vulnerability, the software developer typically will attempt to limit its liability based on the terms of service or licensing agreement, which are crafted to limit liability caused by malware. Despite efforts to limit liability, some courts have allowed litigation to proceed. Examples include, but are not limited to, cases involving unenforceable “browsewrap” agreements (i.e., website terms and conditions that do not require affirmative agreement by the customer), licenses that failed to provide for data breach exposures, or in cases of strict liability. Once able to pierce through the license agreement, counsel for malware affected businesses may, through carefully crafted pleading, give a software developer access to indemnity coverage under its PL policy (or “Completed Operations and Product Liability” endorsement to CGL policy), and thus be in a better position to pay for such losses.
Some Paths to PL Coverage
A PL policy, as opposed to the more restrictive “Products-Completed Operations” endorsement to a CGL policy, will typically provide coverage for a manufacturer’s or vendor’s liability for losses to its customers and the public in general, that are caused by a design or manufacturing defect, or failure to warn. However, given traditional PL coverage was not specifically designed to address cyberattacks, it may still have gaps that may leave the software developer uninsured for third-party claims by companies suffering malware related losses; that is, unless facts are alleged in the complaint that fall within the PL coverage grant. In any event, plaintiff’s counsel should always make a demand for the hardware and software developer’s policies under New Jersey Court Rule 4:10-2(b), in order to determine both the scope of the developer’s PL coverage, as well as any exclusions.
The language of PL policies should provide plaintiff’s counsel with a roadmap on what facts need to be alleged to support a typical products liability claim. At a minimum, the complaint should seek liability for losses and injuries proximately caused by a defectively designed or manufactured software product that was distributed, sold, handled or disposed of by the developer in the regular course of business. In addition, the pleading should allege facts supporting that the virus-infected computer software product caused the business user property damage or bodily injury losses (as for bodily injury claims, more recent “products-completed operations” endorsement forms may also bring coverage into play as an exception to “electronic data” exclusions). This should begin to open the door to allow the defendant developer to make a demand for coverage under its PL policy.
Without examining the subsequent, myriad positions the developer’s PL carrier is certain to take to disclaim coverage for a malware attack, one common position taken is that the software is neither a “good” nor a “product,” but rather a non-tangible “service” that is not covered. Under New Jersey law, the terms “goods” and “products” are often used interchangeably and, as such, are distinct from each other without a difference. See, e.g., N.J.S.A. 12A:2-313.2 (2013). Moreover, there have been several scholarly articles that call for the treatment of stand-alone software as “goods,” and the Federal Food & Drug Administration provides some guidance in the context of mobile medical devices, where it considers stand-alone software as a “product” within the form of a “device.” See, e.g., Food and Drug Administration, “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” (May 11, 2005), pp. 6, 8, 15 (“Blood Establishment Computer Software” defined as a “software product”; development of software device and revisions as “product development”).
Indeed, there have even been some recent, outlier decisions that have found the loss of electronic data in software—typically treated as intangible property and, thus, not “property damage”—did, in fact, constitute a covered, tangible loss under a policy’s coverage grant. See, Eyeblaster v. Fed. Ins. Co., 613 F.3d 797, 801-802 (8th Cir. 2010) (ruling that allegations of a computer OS being rendered inoperable as the result of the installation of new software constituted the “loss of use of tangible property.”); see also, Retail Systems v. CNA Ins. Companies, 469 N.W.2d 735 (Minn. Ct. App. 1991). However, despite these findings, courts have more often than not focused on the tangible nature of the source of damages in the products liability and related coverage contexts and, thus, treat standalone software a non-tangible “service.”
But, times they are a-changin’….
Illustrative of this change is the effect the internet of things (or “IoT”—the term used to describe the interaction between software and digital devices, by businesses and people, in transferring data over networks, such as inventory tracking, GPS, remote security devices, etc.) has had on the treatment of software as a service (“SaaS”) versus the more outdated “SaaP,” or software as a product, (i.e., prepackaged software in a CD-Rom).
As we continue to engage in commerce through the increased use of smart devices via the IoT—devices that necessarily integrate software with hardware, thus arguably rendering the concept of “standalone” software a relic of the past—so, too, do we increase the risk of cyberattacks, which can take the form of the viruses infecting software that also do harm to hardware. This is certainly the case when it comes to the theft of business proprietary data stored “in the cloud,” illegally accessing privately held HIPAA information from secure, blockchain-based platforms, and accidents from driverless cars using AI.
With regard to the treatment of software as a “product” through the IoT’s integration of software and hardware in the use of smart devices, the roots of such integration can be found, in part, in the Restatement (Second) of Torts §402A’s focus on delineating hardware products incorporating software as a tangible, distinct item from standalone software. Put another way, the Restatement, and its more recent decisional progeny, have deemed software to be a tangible product when used in “turnkey” (i.e., the integration of software with hardware) transactions. See, Youngtech v. Beijing Book Co., A-1788-05T3, 2006 WL 3903976 (N.J. Super. Ct. App. Div. Dec. 29, 2006).
Specifically, where hardware and software purchases (or licensing of the same) involve turnkey transactions, as is the case with IoT devices, many courts have held software to be “goods,” especially under the UCC’s Article 2 covering the sales of goods, when the fact finder deems the “major portion of the transaction involved the sale of software” and “the purpose of the contract was to transfer products and that the services promised were merely incidental.” See, Chatlos Systems v. National Cash Register Corp., 479 F. Supp. 738, 742 (D.N.J. 1979), aff’d and remanded on other grounds, 635 F.2d 1081 (3rd Cir. 1980) (the District Court holding that, “Article 2 of the Uniform Commercial Code, as adopted by the State of New Jersey, is the applicable law” to such turnkey transactions); see also, Conopco v. McCreadie, 826 F. Supp. 855, 869 (D.N.J. 1993), aff’d, 40 F.3d 1239 (3d Cir. 1994). It is also interesting to note that, according to at least the New Jersey appellate court, the term “turnkey” does not necessarily mean the simultaneous integration of software with hardware, and one can follow after the other in time. See, Dreier Co. v. Unitronix Corp., 218 N.J. Super. 260 (App. Div. 1986).
A Look Back to the Future
For those companies presently not considering cyber coverage, bear in mind D&O, E&O, professional liability or, as discussed herein, hardware and software developer’s PL coverages, are all temporary measures. Indeed, increasing spates of cyberattacks serve as a clarion call for the enactment of legislation to mandate businesses to institute IoT cybersecurity and privacy information systems, and, consequently, placing cyber insurance coverage within their overall insurance program. On that front, only as courts obtain a better understanding of IoT’s integration of software and hardware will “tangible”/“non-tangible” distinctions be blurred and, arguably, redefined as falling more in line with products such as natural gas, which has been found to be tangible, covered “property damage.” See, Legal Information Institute, Cornell Law School, available at https://www.law.cornell.edu/wex/Products_liability. As one court aptly wrote: “Like a motion picture, where the information and the celluloid medium are integrated, so too were the [computer] tape and data integrated at the moment the [computer] tape was lost … unlike data removable from a tape, the movie cannot exist without the film.” Retail Sys., at 737.
Renier Pierantoni is an attorney with Cooper LLC in Cranford. He is a commercial litigator who has represented clients in a wide variety of business-related matters.