As cyberattacks become more common, more advanced and more costly year after year, many in the insurance industry are wrestling with the question of whether and how traditional property insurance policies can be interpreted to cover losses due to these cyber events.
Rather than allaying insurers’ fears, a federal court in Maryland recently said yes, property insurance policies can cover losses due to cyber events — and here’s how.
In National Ink & Stitch, LLC v. State Auto Property & Casualty Co., the court ruled that an insurance company must cover the costs of software, data, computers and servers that were lost or damaged by ransomware, pursuant to the terms of a property insurance policy.
The decision is the first of its kind to find property insurance coverage for costs associated with a ransomware attack.
The case demonstrates that U.S. courts are willing to extend traditional property insurance coverage to damage sustained in a cybersecurity event.
If National Ink proves to be part of a wider trend, insurance companies must revisit the language used in even the most traditional insurance policies to reduce the risk inherent in uncontemplated situations in our digital age.
A cyberattack renders files useless, some lost forever
National Ink, a screen printing business, stored art, logos, designs and software on its computers and servers. It was the unfortunate victim of a ransomware attack, where virtually all of its files and software were held hostage and its computers were rendered useless.
National Ink ultimately had to pay the ransom twice before its software was released and some of its data was unlocked.
Regrettably, the company was not able to recover its art files. Its computers were substantially slowed and, to the extent that they harbored remnants of the ransomware virus, posed an ongoing threat to the company.
Coverage issues under a business owner’s insurance policy
National Ink sought coverage for the replacement costs of its entire computer system, including hardware and software. It invoked its business owner’s insurance policy, which covered “direct physical loss of or damage to covered property.”
The company also had a Business Owners Special Form Computer Coverage endorsement, which provided coverage for “Electronic Media and Records (Including Software).” The endorsement covered “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells” and “data stored on such media.”
Insurance carrier refuses coverage
Insurance carrier State Auto argued it was not obligated to cover the cost of replacing National Ink’s entire computer system. It asserted that because National Ink “only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience ‘direct physical loss’” as covered in the policy.
Court rules on “covered property”
On January 23, 2020, the U.S. District Court for the District of Maryland granted National Ink’s motion for summary judgment (and denied State Auto’s), finding that National Ink could “recover based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself.”
The court found that the computer equipment impaired by the attack qualified as covered property because it contained hard drives (a type of “disc”). The fact that the computers were not completely inoperable did not prohibit the application of the coverage, as the language covered “damage to” property as well as “physical loss.”
Our Privacy, Cybersecurity and Data Management team will continue to share the latest developments and provide insights on this issue.