DAVID CANTON – For the London Free Press – December 18, 2004

Read this on Canoe

Proving that life is stranger than fiction, a U.K. company lost all copies of its source code in a bizarre chain of IT disasters. Then the courts decided they were not insured for the loss.

The fine print in an insurance policy became an issue when a U.K. company called Tektrol was left without a single copy of the source code to its most valuable asset called PowerMiser. Source code is the human written version of a software program. It is then compiled to create the object code, which is the code used by computers.

The PowerMiser source code was so valuable they kept five copies. Two copies were kept on separate computers at their headquarters, one on the managing director’s laptop and another on a computer at a remote site operated by an independent company. A final hard copy printout was kept at the headquarters.

Disaster struck in December 2001, when Tektrol’s managing director received an e-mail that purported to be a Christmas card from an acquaintance. The e-mail was in fact sent unintentionally by the acquaintance as it was generated by a virus program disguised as a Christmas card e-mail message.

The managing director opened the e-mail on his laptop, infecting the computer and destroying the PowerMiser source code. The virus hit before Tektrol had received updates to its anti-virus software to combat this particular virus.

The managing director then accessed the offsite computer to reload the source code and, in turn, infected the offsite location and destroyed that copy of the source code. This left only the two copies on separate computers and the hard copy at the headquarters.

Disaster struck again two weeks later when burglars broke into the Tektrol offices and stole both of the computers and the paper printout of the PowerMiser source code. As a result, Tektrol had no remaining copies of their source code.

Fortunately for Tektrol, they had business interruption insurance. Unfortunately, the policy did not anticipate the events of Christmas 2001. In an action against their insurer, the court decided that policy exclusions meant they did not have coverage for either the loss caused by the virus or by the burglary.

The insurance policy excluded “damage caused by or consisting of or consequential loss arising directly or indirectly from erasure loss distortion or corruption of information on computer systems or other records programmes or software caused deliberately by . . . malicious persons.”

The court found those who were responsible for the virus created it deliberately and were “malicious persons” — thus coverage was excluded.

Although this decision has been questioned, it gives insight into how to avoid the loss of critical information.

* Perform a comprehensive risk assessment including a complete review of security policies and procedures.

* Backups need to be effective and tested.

* Backups should be restored by experienced computer staff.

* Be vigilant with virus protection.

* Don’t recover directly from your only backup — copy it first.

* Ask insurers what is covered regarding code, databases and other information critical to their business.