CR 04 13–DESTRUCTION OF ELECTRONIC DATA OR COMPUTER PROGRAMS

(July 2019)

INTRODUCTION

This endorsement covers the cost to replace or restore damaged or destroyed electronic data or programs in a computer system if a computer virus or persons with unauthorized system access cause the loss.

This analysis is of the 08 13 edition. Changes from the 05 06 edition are in bold print. It does not address changes in format that do not affect coverage.

ELIGIBILITY

This endorsement can be added to the Insurance Services Office (ISO) Commercial Crime or Government Crime Coverage Forms or Policies.

LIMIT AND DEDUCTIBLE

The limit and deductible must be entered on the declarations next to the description of this insuring agreement.

ANALYSIS

This is an endorsement to the ISO Commercial Crime or Government Crime Coverage Forms and Policies and is subject to their conditions, definitions, and exclusions. The only changes are those within the endorsement.

A. Insuring Agreement (08 13 changes)

The costs the named insured incurs to replace or restore destroyed or damaged computer programs or electronic data stored within any (was “the named insured’s” in the 05 06 edition) computer system are covered. However, it applies only if they are stored within computer systems that the named insured owns, leases, or operates (08 13 words added). The damage must result directly from any of the following:

1. A virus which is designed to destroy or damage computer programs or electronic data

2. Vandalism but only when committed by an employee

3. Vandalism that is caused when a natural person gains access to the named insured’s computer system that was not authorized.

Note: This applies only if the one gaining access is a natural person. This means that access gained by a corporation or other type of artificially or legally created person is not covered.

Coverage includes the reasonable costs the named insured must incur to restore the computer system to the same level of operational capability that existed before the virus or vandalism occurred. Because the coverage intent is to only indemnify, there is no coverage for any costs to upgrade the system.

 

Examples: A hacker breaks into the named insured’s computer system and deletes several key files. This insuring agreement covers the cost to restore the files, up to the limit of insurance. A disgruntled employee intentionally downloads a virus into the named insured’s computer system that extensively damages the data. Coverage applies to the cost to restore the computer system to its condition before the loss event took place, up to the limit of insurance. The cost to add the extra security needed to prevent future attacks is an upgrade and is not covered.

B. Exclusions (08 13 changes)

1. The following exclusions that are part of the commercial crime or government coverage parts or policies, apply only to items 1. and 3. in this insuring agreement. They do not apply to item 2.

• Acts Committed by Your Employees, Managers, Directors, Trustees, or Representatives.
• Acts Committed by Your Officials, Employees, or Representatives.

2. Two exclusions are added.

Coverage does not apply when the following types of errors or omissions result in a loss:

• The design of a computer program
• Any processing or programming electronic data

The 08 13 edition eliminated the exclusion for loss that results from fraudulent preparation or input of computer programs or electronic data that was in the 05 06 edition.

C. Definitions (08 13 changes)

The following is added to the definition of occurrence in the Coverage Form or Policy:

1. The first part of the added definition applies to only Paragraph A. 1 in this endorsement that provides for coverage when a virus is introduced in a computer system. Occurrence starts when the destruction or damage is discovered and ends only when the computer system is returned to the same condition it was in immediately prior to the virus being introduced. All costs incurred during that time period are a single occurrence. If the virus reoccurs is in considered a new occurrence.

Note: Same condition means that the computer has the same level of operational capacity. It does not mean that the computer system must be totally replaced. There may be work arounds and various programming methods could return the computer to the needed operational capacity.  

2. The second part of the definitions applies to only Paragraphs A.2. and A.3 in this endorsement that provide for coverage due to vandalism that is committed by an employee or by a person who is not authorized to have access to the computer system. Occurrence is one act or event, the combined total of many related or unrelated acts or events, or related or unrelated acts or events that are in series. The act(s) or event(s) may be caused by an employee or another person while that person is acting alone or in collusion with others. The act(s) or event(s) that take place during the policy period or before the policy period are one occurrence. The 08 13 edition eliminated the definitions for computer programs, computer system, or electronic data that were in the 05 06 edition because they are now part of the coverage forms and policies. The definition of occurrence in the 05 06 edition differs from the 08 13 definition as, under item 2. It no longer refers to acts not committed by a person.