Federal Court Acknowledges Coverage for Ransomware Losses Under Traditional Property Insurance Policy - When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.

Tyrone Childress, Jason Lissy
Jones Day
Contact
LinkedIn
Facebook
X
Send
Embed

Jones Day

In a significant victory for policyholders, the United States District Court for the District of Maryland recently determined that certain ransomware-related losses are covered under language commonly found in traditional commercial property insurance policies. National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Company, No. CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020) ("National Ink").

In National Ink, the policyholder's computer network experienced a ransomware attack, which prevented access to nearly all of the operational software, files, and data essential to the company's embroidery and screen printing business. When its attacker refused to restore access and demanded the payment of an additional bitcoin ransom, the policyholder declined to do so and engaged a security consultant to reinstall its software and add protective programs to its computer network. Following these restoration efforts, the policyholder's computer network functioned less efficiently and still contained dormant remnants of the ransomware virus. To eliminate the risk of reinfection to its computer network, the policyholder purchased an entirely new server and turned to its commercial property insurer for coverage.

Denying coverage, the insurer contended that, because the policyholder only lost intangible electronic data and its computer network had a "residual ability to function" after the attack, there had been no "direct physical loss of or damage to" covered property as required under the policy. Rejecting the insurer's position as unsupported by the plain language of the policy, the court noted that the policy did not limit coverage to "tangible" property and instead expressly listed "data" and "software" as categories of "covered property."

Likewise, the court rejected the insurer's position that a computer network must be rendered "completely and permanently inoperable" in order to trigger coverage, finding that the policy "impose[d] no such prerequisite." Instead, the court determined that the plain language of the disjunctive phrase "direct physical loss of or damage to" covered property encompassed any "loss of use, loss of reliability, or impaired functionality" of the computer network, noting that "in many instances, a computer will suffer 'damage' without becoming completely inoperable."

Key Takeaways

  1. When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.
  2. In addition to the loss of electronic data itself, commercial property insurance policies may afford coverage for the impaired functionality or reliability of computer networks following ransomware or other cyberattacks.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day
Jones Day
Contact
more
less

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide