Maryland Federal Court Confirms Coverage for Ransomware Damage Under Property Insurance Policy
In the latest example of a court confirming that traditional business insurance policies can cover losses from cyber-attacks, the federal district court in Maryland ruled recently that a property insurer was obligated to cover the cost of replacing a computer system after a ransomware attack slowed the system and left it vulnerable to further infection. The court’s ruling in National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co.[1] provides at least three lessons to policyholders. First, the express wording of traditional business insurance policies may provide coverage for cyber losses, notwithstanding insurance industry attempts to describe such policies as “silent” on cyber. Second, as the National Ink court recognized, it contributes to a growing body of caselaw finding cyber-related coverage under traditional polices. Finally, a holistic approach to insuring possible cyber losses across lines of available coverage — including specialty cyber policies — may allow policyholders to maximize their recoveries for the various types of loss that may result from a cyber-attack.
The District Court's National Ink Ruling
National Ink and Stitch, LLC (“National Ink”), an embroidery and screen-printing business, was the victim of a ransomware attack in December 2016. The attack prevented National Ink from accessing important data and software stored on its server. National Ink paid the requested ransom, but the attacker then demanded another payment and refused to release the software and data. Rather than pay the additional ransom, National Ink hired a security company to replace and reinstall the business software and also to install protective software. This allowed the company’s computers to function, but it also slowed them down, resulting in lost efficiency. In addition, remnants of the ransomware virus in the computer system threatened to re-infect it. Due to this lost efficiency and the threat of re-infection, National Ink purchased an entirely new server and components.[2]
National Ink sought coverage for the costs of buying the new system from its business property insurer, State Auto Property and Casualty Insurance Co. (“State Auto”). Despite express policy wording providing coverage for damage to both “electronic” media as well as for the “data” stored thereon, State Auto denied coverage, contending that National Ink had not experienced “direct physical loss of or damage to” its computer system, as required by the policy wording.[3] National Ink initiated a coverage action in the U.S. District Court for the District of Maryland, and, on January 23, 2020, the court granted National Ink’s motion for summary judgment (and denied State Auto’s), holding that the express terms of the property policy obligated State Auto to provide coverage for a new computer system.[4]
Lessons from National Ink
1. The express wording of traditional policies may provide cyber-related coverage. Although some insurer-oriented commentary suggests that traditional policies (e.g., property and commercial general liability insurance) do not contemplate coverage for “cyber” losses such as ransomware attacks, National Ink illustrates that a straightforward application of express policy wording may result in such coverage. Indeed, by applying the wording of National Ink’s property policy, the court found two independent avenues to coverage for the replacement computer system.[5]
First, National Ink could recover based on the loss of data and software in its computer system. The insurer argued that software and data could not suffer “physical” loss or damage as required by the policy. The court rejected that argument, explaining that data and software were expressly treated by the policy as “covered” property, so they must be capable of suffering physical loss within the policy’s coverage.[6] Specifically, the policy’s “Computer Coverage” endorsement defined covered property to include not only “physical processing, recording, or storage media” but also (and separately) the “data stored on such media.”[7]
Second, National Ink could recover based on the loss of functionality — the slowdown — of the computer system itself. The court rejected State Auto’s argument that covered “physical loss of or damage to” a computer system required (in the court’s words) an “utter inability to function.”[8] The court reasoned that because the meaning of physical loss or damage is not limited to “physical destruction or harm,” but rather includes “loss of access, loss of use, and loss of functionality,” the policy wording required State Auto to pay for the new computer system.[9]
2. Other courts have also found “cyber”-related coverage in traditional policies. The National Ink court cited well-reasoned legal precedents in support of its interpretation of the policy wording to cover ransomware damage,[10] as well as cases holding that loss of data or loss of computer function give rise to coverage under traditional policies.[11] These lines of caselaw suggest that sometimes “silent” cyber coverage (as it has been termed by some in the insurance industry) is not silent as to cyber after all.[12] Rather, just like the court in National Ink, other courts have ruled that cyber-related coverage is rooted in the express language of certain traditional policies.[13]
3. A holistic approach to potential sources of insurance coverage — including specialty cyber insurance — may maximize available coverage. National Ink demonstrates the possible availability of coverage for cyber-attacks through traditional property insurance policies. It also demonstrates the potential significance of policy wording and the particular facts giving rise to a loss. Different policy wording or different facts may have led to a different result in National Ink. Additionally, while traditional policies may cover certain cyber losses, specialty cyber insurance may cover a wide variety of losses related to online security and data protection. For instance, many cyber policies expressly cover costs for ransom payments and for data recovery (coverage for which was not addressed in National Ink). A holistic review of both traditional and cyber insurance policies may support a policyholder in understanding the scope of coverage potentially available for cyber incidents, identifying any significant gaps in coverage, and, if warranted, seeking changes to policy wording to ensure appropriate coverage.
Conclusion
National Ink serves as a reminder that “traditional” property insurance should not be overlooked as a potential source of coverage for cyber-related losses. It also highlights the importance of policy wording and suggests that policyholders may benefit from a careful review of relevant policies, including cyber insurance policies. Outside coverage counsel can assist with such a review and with pursuing any changes to policy wording that may be warranted.
NOTES
[1] No. 1:18-cv-02138-SAG (D. Md. Jan. 23, 2020).
[2] Id. at *2.
[3] Id. at *2–3.
[4] Id. at *9–11.
[5] Id. at *5.
[6] Id. at *9.
[7] Id. at *5.
[8] Id. at *11.
[9] Id.
[10] See Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16, 19 (Tex. Ct. App. 2003) (interpreting coverage for “data stored on [processing, recording, or storage media]” to include coverage for loss of data due to a cyber-attack);
NMS Servs. Inc. v. The Hartford, 62 F. App’x 511, 512 (4th Cir. 2003) (holding that coverage existed for “erasure of vital computer files and databases necessary for the operation of the [company]” due to a hacking program because the erasure constituted “direct physical loss of or damage to property”).
[11] See Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., Civ. No. 99-185-TUC ACM, 2000 WL 726789, at *1 (D. Ariz. April 18, 2000) (holding that coverage existed for the loss of programming information due to a power outage, despite the fact that the computer systems still had the “capability to perform their intended functions” after reprogramming, because “damage” included “loss of access, loss of use, and loss of functionality”); Southeast Mental Health Ctr., Inc. v. Pacific Ins. Co., LTD, 439 F. Supp. 2d 831, 833–34 (W.D. Tenn. 2006) (finding that loss of data due to power outage constituted “direct physical loss of or damage to property” under business interruption policy); Ashland Hosp. Corp. v. Affiliated FM Ins. Co., No. 11-16-DLB-EBA, 2013 WL 4400516, at *1 (E.D. Ky. Aug. 14, 2013) (holding that coverage existed for loss of data and reliability due to air conditioning malfunction in a data center because “a plaintiff … need not await total failure in order to avail itself of coverage for the damage the system had sustained”).
[12] See, e.g., Lucas J. Tanglen & James E. Scheuermann, Keeping Coverage Online: Fourth Circuit Confirms Internet Data Breach Claim Triggers Commercial General Liability Policies, K&L GATES, http://www.klgates.com/keeping-coverage-online-fourth-circuit-confirms-internet-data-breach-claim-triggers-commercial-general-liability-policies-04-22-2016/.
[13] See, e.g., Lambrecht, 119 S.W.3d at 19 (holding that coverage was rooted in the policy language regarding “electronic media and records”).
Lucas J. Tanglen is an insurance recovery and counseling attorney at K&L Gates in Pittsburgh, Pennsylvania. He counsels policyholders regarding cyber-related insurance coverage under both traditional property and liability policies, as well as specialty cyber insurance policies.
Elizabeth A. Hoadley is an associate at K&L Gates in Pittsburgh, Pennsylvania. She maintains a varied litigation-focused practice, including matters involving insurance coverage.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.