Ransomware Attack Results in Covered Physical Loss or Damage
A Maryland federal court examines a coverage dispute regarding whether an insured had experienced a covered loss to its computer system following a ransomware attack.
As cyberattacks increase and coverage lawsuits make their way through the judicial system, policyholders have increasingly asked courts to broadly construe policy language to provide coverage for such events. In January 2020, a federal district court in Maryland found that the loss of data and software, as well as impaired functionality of a computer system due to a ransomware attack, qualified as direct physical loss or damage under a businessowners policy.1 It remains to be seen whether the insurer will appeal the novel ruling and if other courts will follow suit.
National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company
At issue in this coverage dispute was whether the insured had experienced “direct physical loss of or damage” to its computer system following a ransomware attack. The insured, National Ink and Stitch, operated an embroidery and screen-printing business that used a computer server to store art and designs for its products, as well as different types of software.
In December 2016, National Ink’s server and network computers were subject to a ransomware attack that blocked the insured’s access to data on the server and most of the software programs. The hacker demanded payment in exchange for releasing the software and data. After receiving payment, however, the hacker refused to release the system and demanded more. National Ink hired a security company to replace the original software and install protective software that resulted in a slower and less efficient system. Despite these efforts, a residual, dormant ransomware virus likely remained in the system. Given the risk of further infection, National Ink purchased an entirely new server and related components.
National Ink brought a claim under its businessowners policy with State Auto Property and Casualty Company for the cost of replacing its computer system. The policy provided coverage for “direct physical loss of or damage to Covered Property . . . caused by or resulting from any Covered Cause of Loss.” The policy also included a Special Form Computer Coverage Endorsement that defined “Covered Property” to include “Electronic Media and Records (Including Software). This endorsement further defined “Electronic Media and Records” as:
(a) Electronic data processing, recording, or storage media such as films, tapes, discs, drums or cells; and
(b) Data stored on such media.2
State Auto denied the claim on the basis that National Ink did not experience “direct physical loss” to covered property. State Auto reasoned that National Ink could still operate its computer system and had only lost data, an intangible asset. National Ink argued that: (1) the policy language includes data and computer software as property that may be subject to “direct physical loss,” and (2) the computer system itself was damaged by the loss of functionality.
The district court granted National Ink’s motion for summary judgment, finding that the policy did not limit coverage to “tangible property” and instead “contemplates that data and software are covered and can experience ‘direct physical loss or damage.’”3 Separately, the court rejected State Auto’s argument that the repaired computer system was not damaged because it continued to function, noting that the policy language covers both “physical loss” and “damage to” the software and data. The court concluded that the impaired functionality of the slower and likely still infected computer system was sufficient, by itself, to trigger coverage under the policy.4
Why It Matters
Ransomware attacks are on the rise and increasingly target organizations and municipalities, causing widespread and substantial damage. According to a report from Cybersecurity Ventures, the estimated damage from ransomware attacks was to exceed $11.5 billion in 2019.5 A “Cyber Threat Landscape Report” by Deep Instinct found that the average estimated cost of an attack was $141,000, a substantial increase from the $46,800 average in 2018.6 As reported by the New York Times, the FBI’s Cybersection Chief views ransomware attacks as “one of the most serious cybercriminal problems we face right now.”7
Against this backdrop, policyholders may increasingly seek coverage following ransomware attacks under policies that were not intended to provide such coverage. Depending on the circumstances, insureds may view National Ink as providing a path forward for their claims. It remains to be seen whether State Auto will appeal and if other courts will find the decision compelling and follow suit. The opinion may, however, be limited in its application given the specific language in the policy’s computer coverage endorsement.
1 National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).
2 Id. at 2-3.
3 Id. at 5.
4 Id. at 11.
5 CYBERCRIME MAGAZINE, GLOBAL RANSOMWARE DAMAGE COSTS PREDICTED TO HIT $11.5 BILLION BY 2019 (Nov. 14, 2017), available at https://cybersecurityventures.com/ ransomware-damage-report-2017-part-2/
6 DARK READING, RANSOMEWARE DAMAGE HIT $11.5B IN 2019 (Feb. 20, 2020), available at https://www.darkreading.com/attacks-breaches/ransomware-damage-hit-%24115b-in-2019/d/d-id/1337103
7 NEW YORK TIMES, RANSOMEWARE ATTACKS GROW, CRIPPLING CITIES AND BUSINESSES (Feb. 9, 2020), available at https://www.nytimes.com/2020/02/09/technology/ ransomware-attacks.html
The articles on our website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the views or official position of Robins Kaplan LLP.
Damned if You Don’t
In Times of Crisis:
If you are interested in having us represent you, you should call us so we can determine whether the matter is one for which we are willing or able to accept professional responsibility. We will not make this determination by e-mail communication. The telephone numbers and addresses for our offices are listed on this page. We reserve the right to decline any representation. We may be required to decline representation if it would create a conflict of interest with our other clients.
By accepting these terms, you are confirming that you have read and understood this important notice.