Privacy & Information Security Law Blog

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

The recently publicized Secure Sockets Layer (“SSL”) bug affecting Apple Inc. products raises a question regarding insurance coverage that is likely to become increasingly relevant as “The Internet of Things” expands. Specifically, on certain devices, the code used to set SSL connections contains an extra line that causes the program to skip a critical verification step. Consequently, unless a security patch is downloaded, when these devices are used on shared wireless networks they are subject to so-called “man-in-the-middle” security attacks and other serious security risks. Assuming that sellers of such devices may be held liable for damages, there may be questions about insurance to cover the risks.

Traditionally, products liability coverage is found in general liability policies. These policies, however, often contain exclusions cited by insurers to deny coverage for injuries relating to coding errors. One such exclusion bars coverage for damage to “impaired property” – essentially, property that has not sustained physical damage, but has been harmed by the insured’s work. Although at least one court has held that this exclusion precludes coverage for products that fail to function as intended due to coding errors, another court found the exclusion unintelligible and refused to enforce it.

A second exclusion often cited to restrict coverage is the “professional services” exclusion. Insurers may take the position that software engineering constitutes a “professional service” and, accordingly, liability caused by coding errors is not covered by their policies. Certain courts have accepted this interpretation notwithstanding the fact that it effectively renders products liability coverage illusory.

As The Internet of Things expands, an increasing number of everyday products will feature software components that may be susceptible to errors similar to the latest SSL bug. Accordingly, manufacturers should work with their insurance consultants to ensure that they are protected against all liabilities, including those arising out of coding errors in the devices and products they are developing.