Ransomware Attack Replacement Costs Are Covered “Direct Physical Loss or Damage” Under Standard Business Owner’s Policy, According to Maryland Federal Court

Carlton Fields
Contact

Carlton Fields

A Maryland federal court recently weighed in on the still-murky world of insurance coverage for cybersecurity losses, finding replacement costs necessitated by a ransomware attack were “direct physical loss or damage” to a computer system within the meaning of a business owner’s policy. Even as insurers continue efforts to develop cyber insurance products, National Ink demonstrates potential exposure to carriers under existing non-cyber coverages.

Background

National Ink is an embroidery and screen printing company that used its computer server to store art, logos, designs, and various software that was integral to its business. In 2016, a ransomware attack prevented National Ink from accessing the art files and other data on the server. It was also unable to access virtually all its software. Despite paying the ransom, National Ink was never able to regain access to its art files, requiring that National Ink recreate them. And while computers connected to the server still functioned, National Ink was forced to replace and reinstall its software as well as new software that significantly slowed the speed and overall efficiency of its computer systems. Experts testified that to eliminate the risk of further infection to National Ink’s server due to potentially dormant remnants of the ransomware virus, National Ink could either “wipe” and reinstall the system, or purchase an entirely new replacement server.

National Ink went with option two — replacing the entire server and its components — and sought coverage for the replacement costs under a business owner’s policy issued by State Auto. The State Auto policy provided that State Auto would pay for “direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” It also included a “businessowners special form computer coverage” endorsement specifically defining “covered property” to include “electronic media and records (including software).” “Electronic media and records” was defined as “[e]lectronic data processing, recording or storage media” and “[d]ata stored on such media.”

State Auto denied coverage for National Ink’s replacement cost claim on the ground that the attack did not cause “direct physical loss of or damage to” the system. National Ink, of course, disagreed with State Auto’s position and filed this action in Maryland federal court seeking a declaration of coverage.

On cross-motions for summary judgment, State Auto contended that National Ink did not suffer a “direct physical loss” because the ransomware attack resulted only in lost data, which, according to State Auto, was an intangible asset. State Auto also argued that the computer system was still capable of being used and that the mere loss of functionality did not warrant coverage under the policy. National Ink countered that the State Auto policy expressly contemplated that data and software may constitute “property” capable of “direct physical loss.” National Ink also argued that the system itself sustained physical damage, even if the damage was impaired functionality rather than complete destruction.

Applying Maryland contract interpretation principles, the court held that National Ink may recover under the policy based on either of its theories of relief; that is, based on the loss of data and software from its server, or the loss of functionality to the computer system itself.

Lost Data and Software

At the outset, the court emphasized that the State Auto policy expressly listed “data” stored on “media” as an example of “covered property.” And while State Auto could have limited coverage for physical loss or damage to the media itself — rather than for damage to the data or software — it did not. Instead, the court observed, “covered property” was specifically defined as including “data stored on such media,” and the heading describing the scope of “covered property” contained the phrase “including software.” As such, the court determined that the plain language of the policy contemplated that data and software could constitute covered property and that such property could conceivably sustain “direct physical loss or damage.”

Although Maryland courts had not squarely addressed whether data or software is susceptible to “physical loss or damage,” the court found that its interpretation of the policy language comported with the interpretations reached by the majority of courts that have interpreted similar policies.

State Auto relied principally on a 2003 California case (Ward) in which an employee inadvertently caused a computer database to “crash,” resulting in the loss of the company’s electronically stored client data. The company was able to restore the database, but it incurred substantial costs nonetheless (e.g., consultants, additional payroll, and lost income). Like the State Auto policy, the policy at issue in Ward only covered “direct physical loss of or damage to” the property. But the insured in Ward was not seeking coverage for costs to repair or replace hardware or storage media; it only sought its extra labor costs and lost business income. Ward thus raised an issue that the National Ink court did not need to reach; namely, does coverage for “direct physical loss” include loss to data, even when there is no accompanying loss or damage to the storage media or any other property? The Ward court answered that question in the negative. The National Ink court found that Ward was readily distinguishable on this basis. Unlike the insured in Ward, National Ink sought reimbursement for replacing its entire computer system — lost data, lost software, and damaged hardware. The court rejected the notion that National Ink was merely seeking the cost of replacing lost customer data, emphasizing that National Ink was in fact seeking “a fully functioning computer system not (1) slowed by the necessary remedial and protective measures, or (2) at risk of reinfection from a dormant virus.”

The National Ink court was equally unpersuaded by a case, urged by State Auto, in which the court interpreted a policy’s definition of “property damage” as “[p]hysical injury to tangible property, including all resulting loss of use of that property” or “loss of use of tangible property that is not physically injured.” In that case, the court held that “data” is neither a “physical substance” nor “tangible property,” and thus did not qualify as potentially covered “property damage” under a standard CGL policy. In National Ink, however, coverage under the State Auto policy was not limited to “tangible property.” As mentioned, the policy expressly contemplated coverage for physical loss to “data” and “software.”

The National Ink court was instead guided by a Texas decision cited by National Ink, Lambrecht. State Auto unsuccessfully attempted to distinguish Lambrecht on the ground that the server in that case was “fully incapacitated,” while National Ink’s server worked, albeit more slowly. As the court noted, however, the State Auto policy covered not only “physical loss” but also “damage to” data and its storage media. Thus, even though National Ink’s server still functioned, it operated at reduced speed, caused inefficiency, and was damaged to the point that stored data and software could no longer be retrieved. Citing Lambrecht, the court held that the plain language of the State Auto policy dictates that such property is capable of sustaining, and did sustain, a “physical loss.”

Loss of Functionality

National Ink also sought reimbursement based on a theory that loss of functionality to its computer servers constituted physical loss or damage. While the system was technically functional, the court concluded that National Ink sufficiently demonstrated that the physical computer system — distinct from the data and software stored on it — sustained covered loss.

State Auto argued that “physical loss or damage” to a computer system required an “utter inability to function,” rather than a mere reduction in functionality. But the court disagreed, finding State Auto’s position unsupported by the plain language of the State Auto policy and relevant law. The court was more persuaded by cases suggesting that “loss of use, loss of reliability, or impaired functionality” constitutes evidence that a computer system did in fact sustain “physical loss or damage,” as required to trigger coverage under the State Auto policy. The court found that to be the case here, where National Ink not only lost data and software but also was left with a slower, less efficient server system that was also physically damaged to the point that National Ink could no longer access a significant portion of its stored contents. According to the court, the State Auto policy plainly afforded coverage under these circumstances.

The Takeaway

National Ink is a significant development in cyber insurance. A number of carriers have taken the position that cybersecurity losses are not covered under standard coverage forms. While the policy in National Ink contained an endorsement specifically contemplating coverage for loss to data and software, policyholders may still use this decision to support efforts to obtain coverage for cyber losses under policies not designed to cover such claims. This decision is also significant in that it contributes one perspective about the degree of damage necessary to trigger coverage. It remains to be seen whether other courts are persuaded by the argument that mere “loss of functionality” is sufficient.

National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co., No. 1:18-cv-02138 (D. Md. Jan. 23, 2020).

Written by:

Carlton Fields
Contact
more
less

Carlton Fields on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.