Cyber insurance policies are typically a company’s first line of defense following a cybersecurity event, but a recent decision from a federal court in Maryland illustrates why businesses should always look for cyber coverage under other lines of insurance, too.
In National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co, the U.S. District Court for the District of Maryland recently granted summary judgment on liability in favor of a policyholder seeking coverage under a businessowner’s property insurance policy for losses arising from a ransomware attack. Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138, Memorandum Op. (D. Md. Jan. 23, 2020). The policyholder stored logos, designs, and various types of software on its computer server. In December 2016, the policyholder suffered a ransomware attack, in which an attacker prevented the policyholder from accessing most of the data contained on its server and demanded a bitcoin payment to release access to the data. The policyholder’s attempts to remedy the damage caused by the attack and to prevent future attacks caused its computer system to slow down, resulting in a loss of efficiency. The policyholder turned to its insurer to cover the loss it incurred due to the ransomware attack, including the cost of replacing its entire computer system.
In the “Businessowners Special Property Coverage Form” section of the policy, the insurer had promised to “pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” The policy defined “Covered Property” to include electronic media and records (including software). Nevertheless, the insurer denied coverage for the cost of replacing the policyholder’s computer system arguing that the attacks on the policyholder’s system did not cause “direct physical loss of or damage to Covered Property.” After the parties cross-moved for summary judgment, the Court ruled in favor of the policyholder and held that it could “recover based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself.” The Court explained that under the language of the policy, data and software could experience “direct physical loss or damage.” And despite the policyholder’s computer system retaining some functionality, the fact that it was rendered slow and inefficient and its storage capacity compromised constituted “damage to” the system. Thus, the court held that the terms of the policy did not require the computer system to be completely and permanently inoperable to trigger coverage.
This ruling serves as a reminder that policyholders should always explore all potential avenues of insurance coverage in the wake of a cybersecurity event to avoid leaving valuable insurance assets on the table.