In one of the first court rulings to address this issue, U.S. District Judge Stephanie A. Gallagher of the U.S. District Court for the District of Maryland recently held that a business owner’s insurance policy covered a ransomware attack on the policyholder’s computer system that resulted in system slowdown and loss of data.
The court’s well-reasoned analysis demonstrates that coverage for cyberrisks can be found in traditional insurance contracts, not just specialized cyber policies, depending upon the policy’s terms, provisions and conditions.
In National Ink and Stitch LLC v. State Auto Property and Casualty Insurance Company, the plaintiff policyholder (an embroidery and screen printing business) was the victim of a ransomware attack, in which a third party locked the policyholder’s computer files and demanded a bitcoin payment to release the files.
Although the policyholder made the demanded payment, the attacker demanded an additional payment and did not remove the ransomware virus from the system. The policyholder hired a security company to replace and reinstall the software and install protective software. The protective software significantly slowed system performance, and certain files ultimately could not be accessed. Moreover, remnants of the ransomware virus likely remained in the system, and the options for eliminating that risk were to either wipe the system entirely or purchase a new one.
State Auto issued a business owners insurance policy to National Ink and Stitch. The policy at issue provided coverage for physical loss or damage to covered property caused by or resulting from a covered cause of loss. It also contained two endorsements, one entitled business owners special form computer coverage which defined “covered property” as electronic media and records, including software (i.e., electronic data processing, recording, or storage media and data stored on such media) and a second entitled business owners special property coverage form that broadly defined causes of loss albeit with specific exclusions.
It appears that State Auto did not dispute that the loss constituted covered property caused by or resulting from a covered cause of loss. It did, however, take issue with whether there was physical loss or damage. State Auto argued that cost of replacing the computer system was a preventative measure, and not the result of direct physical damage to the computer hardware; that the computer system remained functional; and that the policyholder was not prevented from conducting business after the ransomware event.
The parties filed cross-motions for summary judgment on the issue of whether the policyholder suffered a physical loss as contemplated by the policy. Judge Gallagher likened the loss to those suffered by other policyholders (such as a power outage — resulting in loss of access, loss of use and loss of functionality; a hurricane — resulting in loss of income due to damaged computers; and an overheated air conditioner resulting in the degradation of network disk drives).
Just as in those cases, Judge Gallagher found that a hacked system resulting in a virus spreading throughout the computer network fit the policy language’s definition of direct physical loss or damage to covered property.
Judge Gallagher’s ruling comported with the plain language of the policy, as well as common sense — the policyholder purchased coverage that protected the policyholder for not only physical loss but also damage to both the media and the data. Although the policyholder’s computer system was not completely destroyed, it was indisputably damaged and the policyholder experienced loss requiring the purchase of a fully functioning computer system. Coverage for this type of loss was clearly bargained-for under the policy.
It is easy to anticipate panic from insurers and jubilance from policyholders when a ransomware loss is found to be covered under a business owners policy. The headlines will surely read: Ransomware Coverage Now Available Under Business Owners Policies! Partisans will either criticize or support the decision based on how it impacts their own interests.
But the simple fact is that the policy at issue in National Ink and Stitch provided the exact type of coverage it was written to provide. The computer system was covered property, the loss resulted from a covered cause and the court merely needed to determine that the event constituted physical loss or damage.
Where losses that are suffered from hurricanes, power outages, overheated air conditioners, or yes, even a hacked computer system, are within the scope of the policy’s definitions of physical loss or damage and covered property, and the damage resulted from a covered cause, the policyholder can expect to prevail.
The law in the developing field of cyber coverage will continue to evolve, and insurers will adapt by tinkering with wordings as they deal with new court decisions. Although cyberrisk policies are necessary elements in a business’s toolbox, the lesson learned from National Ink is clear. Policyholders should look to all of their policies in searching out coverage for any cyber attacks, which can be devastating.
If the claim fits some of the policy’s terms, provisions and conditions, the case law may very well fill any gaps needed to complete the coverage. Just as the hackers and cyber criminals can be expected to develop ever more creative attacks, the insurance industry, the policyholder bar and the judicial system will be responding with new language, new arguments and new interpretations to employ in allocating the expense of dealing with the aftermath.
To read the article in its original form, click here