Insurance and the Millennium Bug
THE RHA REVIEW
Volume 4, No. 4, Third Quarter 1998
By Robert N. Hughes, CPCU, ARM
"The time has come," the walrus said, … not to talk of "other things" this time, but to talk of "that thing": … that "Y2K" thing. Mind you, I’d rather not. And from the lack of concern registered by most people, perhaps I, for once, am in the majority. My personal sloth notwithstanding, however, I think the time has come (maybe even passed) to come to grips with some of the issues involving insurance that are presented by this problem.
Now, for the uninitiated, the "Wye-two-kay" matter has to do with the fact that most microprocessors (which are the guts of your computers) count years in only two digits. So, for instance, 1998 is just "98." Therefore, when the old clock ticks around to midnight on 12/31/99 and the computer tells us (and itself) that the year is 00, we are told by the cyber-gurus that most computers will see that as "1900 rather than "2000" — with potentially dire results.
Frankly, I don’t know enough about the situation to discuss the technical problems sensibly, so I won’t try. What I would like to try to do, however, is to signal some of the ramifications the problem might have in an insurance context.
As usual in the world of commerce, we have two groups of players — buyers and sellers. Commingled with their interests, however, will be insurers and, inevitably, their lawyers. Once the damage caused by the demon is perceived, there will be a bustle of legal finger-pointing (which has, in fact, already begun), and, once again predictably, policyholders will be searching for insurance policies and trying to figure out what they say.
The first problem will be to determine what "loss" has been suffered. Certainly, the potential for pure financial loss is gigantic. Interest that isn’t properly accrued — bills that don’t get sent … data files that become obsolete overnight, etc. Interestingly enough, however, there is another aspect of potential loss that seems to be lost in the discussion but which could be the single most important factor in regard to insurance coverage. That is actual physical damage to property or even bodily injury … the alarm systems that are confused by the problem and neglect their jobs … machinery that is destroyed because it doesn’t rest when it is supposed to. Even more insidious is the possibility that the processors will be so distressed by the confusion that they will suffer the equivalent of nervous breakdowns. Elevators might fall, refineries might explode, etc.
Buyers of computer hardware and software will likely be looking for coverage in their all-risk property/business interruption policies and any special data processing policies they may have had the wisdom to purchase. As far as the property policies go, it will be important to remember that "all risk" policies state what the policy does not cover rather than what is covered. In other words, if a loss to covered property is not excluded, then it is covered. If there has been any physical damage to tangible property, there will likely be coverage. If the loss is purely "economic" (lost sales, etc.) then the specific policy will have to be consulted closely, but one should be careful not to presume a lack of coverage. If the loss is limited to "data," it is likely that the only coverage available will be provided by special data processing policies.
Although there are no "standard" data processing policies, they are all very similar. Most of them cover direct loss to computer equipment plus loss of income and extra expense. It seems that those users who have had enough foresight to purchase such coverage would be significantly better off than those who haven’t, but that feeling might be illusory.
When one examines the policies from the standpoint of what provisions might be invoked by any insurers determined to defend their policies from Y2K claims, several potential monsters creep out of the mire. First, most DP policies exclude data and media that "cannot be replaced" unless such have been specifically insured for a specific amount. I suspect that most companies have more irreplaceable media and data than they realize.
Maybe worse, however, are certain exclusions that, until now, have seemed innocuous. "Design error" and "faulty materials" are generally excluded. Could the "millennium bug" be considered such? Another standard exclusion is "programming errors." Sound like a potential defense against coverage? Unfortunately, considering the potential magnitude of the problem, policyholders are likely to see all of these defenses offered and perhaps even more that cannot now be conceived.
Sellers of computer products (as well as consultants) have their own problems as users, but perhaps their biggest difficulty will be in finding coverage for the inevitable third-party liability claims pressed against them by their customers and clients. As I said, third-party liability claims are already being made against these individuals and firms, and this is just the tip of the iceberg.
One of the key issues that will arise is whether there has been "bodily injury" or, even more problematic, "property damage" within the definition of the policy. Most comprehensive liability policies require that, in order for there to be coverage, there must be injury or damage during the policy period. Many courts have held that the mere incorporation of a defective part into a larger product or system equates to "physical damage to tangible property." If so, the policies that were in force during the assembly of the product would likely apply. Or perhaps the damage occurred when the software was installed.
In the case of professional liability policies (such as those that might be purchased by software designers or consultants), they usually provide that coverage applies on the policies that are in effect when the claim is first made (known as "claims made" policies). Policyholders should be cautioned that one of the primary reasons that "claims made" policies were developed was to give insurers the opportunity to cancel or non-renew coverage when a wave of new claims (such as the Y2K problem) arises. That being the case, I recommend that anyone in the cyber arena, either as a provider or consultant, who has a professional liability policy should closely examine the following:
- Definition of "claims made"
- Reporting requirements
- Extended reporting periods.
For that matter, they should look in every nook and cranny of these fairly complicated contracts to make sure that they understand them and that they understand how these contracts may or may not respond to the millennium bug.
Insurance carriers and policyholders, in dealing with asbestos, drug and environmental claims, have offered various coverage "trigger" theories in keeping with their own self-interests. Some wish to have coverage triggered by the injury "in fact." Others claim that coverage is operative when the injury "manifests" itself. Still others claim "continuous trigger." These concepts seem to me to be easily adaptable to the Y2K problem, and I would not be surprised to see the monumental litigative effort of the past 20 years repeat itself when the full impact of "millennium bug" claims is known.
I suggest that any company which feels that it is potentially at risk for either first-party or third-party losses as the result of Year 2000 begin now to examine its entire insurance account in order to determine what its position will be if the company is required to claim coverage, and to be prepared to deal with the affirmative defenses that will surely be offered by its carriers in an effort to defeat coverage. Sadly, this appears to be yet one more aberration of our modern times, in which nobody wins and everybody loses. The walrus in Alice in Wonderland wanted to "speak of other things" in order to avoid reality. Those who choose to do the same regarding Year 2000 will likely find themselves with greater problems on their hands than just a disappearing cat or a mad hatter.