The novel district court action of Moses Afonso Ryan Ltd. v. Sentinel Insurance Company Ltd. wrestles with the classification of — and, consequently, coverage for — business interruption and lost income suffered in the wake of a ransomware attack. The case offers a preview into whether courts will construe broad, general business insurance provisions to protect insureds against significant lost-business income caused by ransomware attacks, or whether insurers will enjoy wide latitude to hide behind more stringent limitations of liability found in narrower provisions related to data and software damage. The threat of corporate ransomware attacks is growing, and we expect that questions surrounding insurance coverage for business interruption and lost income resulting from these attacks will continue to rise. We urge policyholders to consider the arguments made by the Moses plaintiff in the event of a similar dispute and to take note of the outcome of the litigation when procuring coverage going forward.

In the recent action of Moses Afonso Ryan Ltd. v. Sentinel Insurance Company Ltd.,[1] the district court will decide whether a business owner insurance policy’s business income provisions extend to losses caused by a ransomware attack. In Moses, the insured alleges that it is entitled to coverage for the full amount of its loss on the basis of the policy’s broad coverage for lost-business income. The insurer, however, argues that coverage for business interruption resulting from a computer virus is restricted in both scope and limits by an optional computer and media coverage part. The district court must therefore decide which coverage part applies to the significant losses incurred by the insured while its business operations were immobilized by a devastating ransomware attack.

Moses Afonso Ryan Ltd. (MAR), a Providence, Rhode Island, law firm consisting of 10 lawyers and three support staff, is the holder of a Spectrum business owner’s policy issued by Sentinel Insurance Company Ltd. (Sentinel). MAR alleges that on May 22, 2016, a lawyer at MAR opened an attachment to an email received from an unknown sender. The attachment carried a ransomware virus that infected MAR’s entire computer network, rendering it inoperable. The virus also encrypted all of MAR’s information and documents stored within the computer network. MAR first attempted to resolve the issue by hiring computer experts, but these efforts were unsuccessful. MAR then searched for the identity of the perpetrators of the attack.

In June 2016, MAR made contact with the attackers and negotiated a ransom amount to secure access to the encrypted information and documents. The perpetrators required that the ransom be paid in bitcoins, which required MAR to set up a bitcoin account. The amount of the ransom, 13 bitcoins, exceeded the amount of two bitcoins per day available for purchase to new account holders, and, as a result, it took additional time for MAR to acquire all 13 bitcoins demanded. MAR subsequently paid the ransom and received decryption keys to release the encrypted information and documents. The first set of decryption keys, however, did not work. MAR’s computer experts attempted to use the decryption keys for several days, but MAR’s computer systems remained inoperable, and its information and documents stored within the computer system remained inaccessible. In July 2016, MAR contacted the perpetrators and entered into a second round of negotiations for a new ransom amount, again requiring the purchase and payment of additional bitcoins. Later that month, MAR paid the second ransom and received a second set of decryption keys from the perpetrators. This time, the decryption keys worked, and MAR’s computer experts were able to work through the process of recovering the majority of the information and documents that had been held hostage during the ransomware attack. 

Unfortunately, MAR also discovered in July 2016 that the temporary server it had used during the months it was locked out of its primary computer network was unable to save the new documents, requiring all of the documents on the temporary server to be restored or recreated. It also took time for the firm to resume its typical, pre-attack level of operations. After it recovered from the attack, MAR compared its annual billing records and calculated that it had suffered a reduction in billings of over $700,000 over the three-month period of business interruption.

MAR notified its insurer, Sentinel, of the ransomware attack and sought coverage under the special property coverage form in the policy. The special property coverage form defined covered property to exclude “data” and “software,” “except as may be provided for in any Additional Coverages or Optional Coverages.” The “Additional Coverages” section provided clear coverage for the “actual loss of Business Income” sustained due to the necessary suspension of operations, “caused by direct physical loss of or physical damage to the property at the ‘scheduled premises’…caused by or resulting from a Covered Cause of Loss.” According to that same section, lost business income would be covered during the period of restoration that occurred within 12 months after the date of the physical loss or damage. The policy also contained an extended business income provision, which, in conjunction with a stretch endorsement, provided payment for lost business income up to an additional 60 consecutive days after operations had resumed but before they had returned to their preloss level. MAR asserted that its entire claim in the amount of $700,000 should be covered under the business income and extended income provisions.

Sentinel responded that MAR’s claim would instead be confined to the limited coverage available in the computers and media endorsement, which covered “the cost to research, replace or restore physically lost or physically damaged ‘data’ and ‘software.’” In the computers and media endorsement, “direct physical loss or physical damage to ‘computer equipment,’ ‘data’ or ‘software’ is extended to include” specific damages, including those caused by a computer virus. The computers and media endorsement also contains its own “Additional Coverage” section, stating that if the policy includes business income and extra expense coverage, then those additional coverages apply to computer equipment, data and software. The computers and media endorsement, in conjunction with the expansion from the stretch endorsement, limits the policy’s additional coverage to $20,000 “when the actual loss of business income” caused by the necessary suspension of operations is a result of one of the extended causes of loss, such as a computer virus. As a result, Sentinel paid MAR $20,000 under the computers and media endorsement and rejected MAR’s claims under the business income and extended business income provisions.

MAR filed suit against Sentinel on March 21, 2017, in the Providence County Superior Court for the State of Rhode Island. The complaint sought a declaration that the policy covers the business interruption claim in its entirety and included claims for breach of contract, breach of the covenant of good faith and fair dealing and for insurer bad faith. In the complaint, MAR demanded general and consequential damages, pre- and post-judgment interest, attorneys’ fees and other litigation expenses, and punitive damages. Relying upon diversity jurisdiction, Sentinel removed the case to the U.S. District Court for the District of Rhode Island on April 21, 2017.

On April 28, 2017, Sentinel answered the complaint, denying the claims against it and stating that the limits of liability contained in the computers and media endorsement and the stretch endorsement limited its liability to $20,000, which it had already paid to MAR. In addition, Sentinel raised a number of affirmative defenses. In its third affirmative defense, Sentinel asserted that the policy required it to pay for certain losses and damages to covered property but that such covered property did not include “data” or “software,” except as provided by additional coverage or optional coverage, and the additional coverage was provided under the limited computers and media endorsement. In other words, Sentinel asserted that the computers and media endorsement provides the only coverage available in the policy (limited to $20,000) for a loss caused by a computer virus. Sentinel further alleged in its fourth affirmative defense that the special property coverage form only provides coverage where a necessary suspension of operations was caused by direct physical loss of, or physical damage to, property at the scheduled premises, but there was no such direct physical loss or physical damage at the scheduled premises and no necessary suspension of operations at issue in MAR’s claim.

On Dec. 22, 2017, MAR filed a motion for partial summary judgment on whether the policy provided coverage for MAR’s business income and extended business income losses suffered in the ransomware attack. In its motion, MAR acknowledged that the special property coverage form contained a general exclusion for “data” and “software” but noted that the exclusion also expressly stated that such coverage may nonetheless be provided in the additional coverage or optional coverage sections. MAR further asserted that the business income and extended business income provisions within the additional coverage section do provide coverage for data and software because the policy did not limit “property” in those provisions to “tangible property.” MAR further noted the ease with which Sentinel could have adopted the “tangible property” definition, which is used in the standard commercial general liability form developed by the Insurance Services Office Inc., had Sentinel’s intent been to exclude electronic data from the property covered by the business income and extended business income provisions. In short, MAR argued that the requirements of the business income and extended business income provisions were met here, where its operations were paralyzed due to the physical loss and damage to its property, including its computers and its electronic data. MAR also contended that any ambiguity in whether data would be covered as “property” because it was not “physical” would be strictly construed against the insurer and in favor of coverage under well-settled principles of insurance policy interpretation.

MAR further argued in its motion that the computers and media endorsement did not expressly exclude or limit coverage otherwise available under the business income and extended business income provisions. MAR maintained that it had purchased valuable coverage for loss of business income to the full amount of the actual loss not subject to any limitations. In light of that, its purchase of an additional coverage for computers and media could not operate to sacrifice or limit that broader benefit. MAR characterized the computers and media endorsement as focused on the cost of replacing data and software, which is a different kind of risk than the suspension of operations. MAR rejected the notion that its purchase of this additional, optional insurance could possibly have the effect of either excluding coverage for “actual loss” of business income and extended business income or subjecting it to the $20,000 limit found in the computers and media endorsement. At minimum, MAR urged the district court to find any exclusionary provision or limitation in the policy ambiguous and insufficient to support the insurer’s burden to establish a clear and unambiguous exclusion warranting its denial of coverage. 

As of the date of this article, the remaining briefing on the motion for partial summary judgment has yet to be completed, and the district court has yet to rule on the motion.

Pending the district court’s decision, policyholders should look to the outcome in Moses as a bellwether on coverage for business interruption and lost income claims associated with ransomware attacks. Although the resolution of the litigation will depend on the district court’s interpretation of Rhode Island law and the language in this particular policy, companies should be mindful of arguably competing policy provisions and their potential impact on the classification of business interruption and lost income losses in the event of a ransomware attack. MAR’s arguments provide a framework for other policyholders facing similar losses to argue for the maximum insurance recovery available to them. Should the district court find in favor of the insurer, Sentinel, policyholders may wish to consider evaluating the adequacy of their current business interruption and lost income coverage. On the other hand, a win by the policyholder in Moses may caution insurers against coverage denials based on an argument that endorsements containing additional coverage serve to exclude or limit broader policy provisions. 

This article was first published in Law360.