The Office of General Counsel issued the following informal opinion on November 18, 2003, representing the position of the New York State Insurance Department.

Re: N.Y. Ins. Law § 3446 (McKinney 2000) – Product or System Group Insurance Policy

Questions Presented:

1. Pursuant to N.Y. Ins. Law § 3446 (McKinney 2000), may an authorized insurer issue a group policy that would provide coverage to the customers of the inquirer’s client who subscribe to the client’s service that is intended to protect them against the unauthorized use of their credit cards or other unauthorized transactions?

2. Pursuant to N.Y. Ins. Law § 3446 (McKinney 2000), may an authorized insurer issue a group policy that would provide coverage to customers of the inquirer’s client who subscribe to such client’s service that is intended to protect them against the theft, damage or deletion of electronic data stored on their computers, as a result of a hacker attack or a malicious code?

3. Pursuant to N.Y. Ins. Law § 3446 (McKinney 2000), may an authorized insurer issue a group policy that would provide coverage to a "hosting" company’s customers where the "hosting" company subscribes to a service that is intended to protect against the theft, damage or deletion of the customers’ electronic data stored on the "hosting" company’s computer, as a result of a hacker attack or a malicious code?

Conclusions:

1. No. The inquirer’s client is providing a service to its customers, rather than a product or system, as is required to come within the purview of N.Y. Ins. Law § 3446 (McKinney 2000).

2. Yes. Provided that the customer of the inquirer’s client owns the software that the inquirer’s client installs in the customers’ computers to detect attempted security intrusions and the loss is caused by the failure of that software, a policy may be issued under N.Y. Ins. Law § 3446 (McKinney 2000).

3. No. Even if as part of the service the inquirer’s client installs software in the customer’s host computer, the policy would not be covering the "hosting" company's losses. Rather it would be covering the losses incurred by the "hosting" company's customers. This does not come within the purview of N.Y. Ins. Law § 3446 (McKinney 2000).

Facts:

The inquirer asked whether, pursuant to N.Y. Ins. Law § 3446 (McKinney 2000), in each of the three situations described below, the inquirer’s client may purchase a group policy that would accompany the sale of different types of identity theft, credit monitoring, and computer network security services.

Analysis:

N.Y. Ins. Law § 3446 (McKinney 2000) provides:

(a) A group policy may be issued to a group policyholder, who shall be a manufacturer, distributor, or installer of a product or system, or a trustee of a trust established, or participated in, by one or more manufacturers, distributors, or installers, in accordance with the provisions of this section.

(b) The group shall consist only of members who have purchased or own the product or system where the manufacturer, distributor, or installer has represented that the product or system is designed to prevent loss or damage to property from a specific cause (other than loss or damage resulting from defect in materials or workmanship, or wear and tear), and the policy shall only cover such loss or damage.

(c) The policy, and certificates issued thereunder, may provide coverage for a kind of insurance authorized by paragraphs four through twelve, nineteen and twenty of subsection (a) of section one thousand one hundred thirteen of this chapter, and may be issued or delivered in this state only by an insurer authorized in this state to write the coverage.

(d) The coverage shall not be duplicative of coverage under any other applicable insurance policy.

(e) The insurer must treat in like manner all eligible group members of the same class.

(f) The premium for the group policy, including certificates thereunder, shall be paid by the group policyholder from funds contributed wholly by the group policyholder.

(g) The superintendent may promulgate regulations regarding product and system group policies, including regulations governing issuance of certificates to group members; minimum provisions of certificates; policy cancellation and renewal; minimum number of group members; payment of premium; and policy dividends, retrospective premium credits, or retrospective premium refunds; and may establish other reasonable limitations.

(h) A product or system group policyholder shall comply with the provisions of section two thousand one hundred twenty-two of this chapter, in the same manner as an insurance agent or broker, in any advertisement, sign, pamphlet, circular, card, or other public announcement referring to coverage under a group policy or certificate.

  1. A product or system group policy or certificate shall not be subject to section three thousand four hundred twenty-five or section three thousand four hundred twenty-six of this article.

(j)(1) "Manufacturer" means a person that:

(A) manufactures or produces the product or system and sells it under its own trade name or label;

(B) does not manufacture or produce the product or system but sells it under its own trade name or label;

(C) manufactures or produces the product or system and it is sold under the trade name or label of another person; or

(D) does not manufacture or produce the product or system but, pursuant to a written contract, licenses the use of its trade name or label to another person that sells the product or system under the licensor's trade name or label.

(2) "Manufacturer" shall also include a distributor which is a parent, affiliate, or subsidiary of a manufacturer.

(3) The holder of a patent shall not be considered a manufacturer solely because it receives royalties on its patents.

Chapter 187 of the Laws of 1999 added section 3446 to the Insurance Law in response to the practice of certain manufacturers, distributors or installers of items such as personal safes, locks and etching systems to offer a guarantee to their customers that their products would remain in tact despite attempts at theft or the possibility of a fire. The offer of such a guarantee or warranty by the manufacturer, distributor or installer constitutes doing an insurance business without a license because the intervening fortuitous event that causes the loss prevents these agreements from being true warranties or guarantees. Section 3446 permits an authorized insurer to issue a group policy to a manufacturer, distributor or installer of a product or system or to a trustee on behalf of more than one manufacturer, distributor or installer. The manufacturer, distributor, installer or trustee is the policyholder. The certificateholders under the policy are the persons who have purchased or owned the product or system. Where the manufacturer, distributor or installer has represented that the product or system is designed to prevent loss or damage to property from a specific cause, the policy covers certain loss or damage incurred by the certificateholder. N.Y. Ins. Law § 3446(g) authorized the Superintendent to promulgate regulations regarding product and system group policies. N.Y. Comp. Codes R. & Regs. tit. 11, §§ 310.0-310.6 (Reg. 167) was promulgated in accordance therewith.

In the first scenario provided, the inquirer’s client would provide services designed to prevent consumers from suffering a loss through identity theft. As was discussed above, the legislative history demonstrates that section 3446 was enacted to address the provision of guarantees by manufacturers, distributors and installers of locks, safes, and etching systems; thus, the terms product and system were used. Here, the client is providing a service rather than a product or system, as is required by section 3446. Accordingly, the insurance may not be offered.

The inquirer confirmed to me that, under the second scenario, in certain cases the client would sell and install software in the customers’ computers to detect attempted security intrusions. Provided that the customer of the inquirer’s client owns the software that the client installs in the customers’ computers to detect attempted security intrusions and the loss is caused by the failure of that software, a policy may be issued under N.Y. Ins. Law § 3446 (McKinney 2000). In accordance with section 310.2 of Reg. 167, the individual certificate would have to be issued at the time that the software was purchased and would have to provide coverage for a specified period. The premium for the group policy, including the certificates thereunder, would have to be paid by the group policyholder from funds contributed wholly by the group policyholder. At the end of the specified policy period the insurer may offer to continue the coverage under an individual policy.

Section 310.1(g) of Regulation 167 provides:

Product or system group policy means a policy issued on a group basis to a group policyholder that provides coverage to group members when the manufacturer, distributor, or installer of a product or system has represented that the product or system is designed to prevent loss or damage to property from a specific cause (other than loss or damage resulting from defect in materials or workmanship, or wear and tear), and the coverage provided to the group members is for loss or damage to such property from such cause. For purposes of this Part, loss or damage to the property (valued as actual cash value, stated value, replacement cost, or other method of valuation acceptable to the superintendent) may also include unreimbursed incidental expenses that may be incurred as a result of the loss or damage to the property, such as rental or registration costs for replacement property.

Accordingly, the cost of restoring or recollecting lost electronic data and/or the stated value of the lost electronic data and lost income and extra expenses resulting from the theft, damage or deletion of electronic data needed to operate the system could be compensated, provided that it could be shown that the loss resulted from the failure of the installed software to prevent the hacking or infection from the malicious code.

The inquirer suggests that coverage could also be provided for companies whose certified computer system was hacked into or infected with malicious code, against claims by third parties whose electronically stored (by such company) data was stolen, damaged or destroyed. Section 310.0(a) of Regulation 167 provides:

Chapter 187 of the Laws of 1999 added a new Section 3446 to the Insurance Law, entitled "Product or system group insurance policies." This Part implements Section 3446, which permits a group policy to be issued to a manufacturer, distributor, or installer of a product or system, or a trustee on behalf of more than one manufacturer, distributor or installer. The policy insures persons who have purchased or own the product or system where the manufacturer, distributor, or installer has represented that the product or system is designed to prevent loss or damage to property from a specific cause. The policy covers the loss or damage to the property from such cause. The policy may not cover loss or damage resulting from a defect in materials or workmanship, or wear and tear and may not be duplicative of coverage under any other applicable insurance policy. The policy may provide coverage for unreimbursed incidental expenses that may be incurred as a result of the loss or damage to the property. (Emphasis added).

In view of the above, we disagree that the third parties’ losses may be covered under these policies. These third parties have not purchased nor do they own the product or system that is "designed to prevent loss or damage to the property." Moreover, because liability insurance is not a kind of insurance that may be written under a section 3446 policy, the liability exposure of the companies may not be covered under the policy.

The third situation presented involves a company engaged in the business of providing secure internet/computer network application "hosting" or electronic data storage and transmission services for customers. The inquirer suggests that coverage could be provided to the customers of "hosting" companies against loss arising out of theft, damage or destruction of electronic data that such customers stored on or transmitted using the hosting company’s computer systems. The inquirer states that such covered loss would include the cost of restoring or recollecting the lost electronic data and/or the stated value of the lost electronic data at issue, and lost income and extra expenses resulting from the theft, damage or deletion of electronic data needed to operated a computer system. However, even assuming that the client had installed software in the hosting computers to detect attempted security intrusions, coverage could only be provided to the hosting companies. As discussed above, the customers of the hosting companies have neither purchased nor do they own this "product or system" and accordingly, can not be covered under this type of policy.

For further information you may contact Supervising Attorney Joan Siegel at the New York City Office.