When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.

In a significant victory for policyholders, the United States District Court for the District of Maryland recently determined that certain ransomware-related losses are covered under language commonly found in traditional commercial property insurance policies. National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Company, No. CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020) ("National Ink").

In National Ink, the policyholder's computer network experienced a ransomware attack, which prevented access to nearly all of the operational software, files, and data essential to the company's embroidery and screen printing business. When its attacker refused to restore access and demanded the payment of an additional bitcoin ransom, the policyholder declined to pay and engaged a security consultant to reinstall its software and add protective programs to its computer network. Following these restoration efforts, the policyholder's computer network functioned less efficiently and still contained dormant remnants of the ransomware virus. To eliminate the risk of reinfection of its computer network, the policyholder purchased an entirely new server and turned to its commercial property insurer for coverage.

Denying coverage, the insurer contended that, because the policyholder only lost intangible electronic data and its computer network had a "residual ability to function" after the attack, there had been no "direct physical loss of or damage to" covered property as required under the policy. Rejecting the insurer's position as unsupported by the plain language of the policy, the court noted that the policy did not limit coverage to "tangible" property and instead expressly listed "data" and "software" as categories of "covered property."

Likewise, the court rejected the insurer's position that a computer network must be rendered "completely and permanently inoperable" in order to trigger coverage, finding that the policy "impose[d] no such prerequisite." Instead, the court determined that the plain language of the disjunctive phrase "direct physical loss of or damage to" covered property encompassed any "loss of use, loss of reliability, or impaired functionality" of the computer network, noting that "in many instances, a computer will suffer 'damage' without becoming completely inoperable."

Key Takeaways

  1. When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.
  2. In addition to the loss of electronic data itself, commercial property insurance policies may afford coverage for the impaired functionality or reliability of computer networks following ransomware or other cyberattacks.