Today, when many companies are running their daily businesses from home, the crucial data kept on cell phones, computers, and mainframes may be vulnerable to cyber risks. Many businesses should re-evaluate their insurance policies to protect themselves from cyber-related insurance claims.
Ransomware has grown to be a big problem on the web. Ransomware is malicious software (malware) that encrypts a victim’s files. Once malware is installed, the attackers can steal confidential information, interrupt service, or disable access to files and critical data until a ransom is paid.
Recently, the U.S. District Court for the District of Maryland held that the insurance company was obligated to cover the cost of replacing a computer system after a ransomware attack slowed the system and left it vulnerable to further infection.1
In National Ink, the insured’s business was the victim of a ransomware attack. The attacker demanded a ransom from the insured to restore access to the data upon payment. The insured made the requested payment. However, the attacker demanded further payment and refused to release the software and data.
The insured retained a security company to replace the business software and to install protective software. Although the insured’s computers still functioned, the protective software installation slowed the system and resulted in efficiency loss. Remnants of the ransomware virus left in the computer system threatened to re-infect it. To eliminate the risk of further infection and due to the loss of efficiency, the insured purchased an entirely new server and components.
The insured sought coverage under its Business Owner’s Policy for damage suffered to its computer system as a result of the ransomware attack. The policy provided that the insurance company would:
[P]ay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.
The insurance company denied coverage for the new system, arguing that because Plaintiff only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience “direct physical loss” as covered by the policy.
The court rejected that argument, explaining that data and software were expressly treated by the policy as “covered” property, so they must be capable of suffering physical loss within the policy’s coverage. Specifically, the policy’s “Computer Coverage” endorsement defined covered property to include not only “physical processing, recording, or storage media” but also (and separately) the “data stored on such media.”
The court further found that the insured had “demonstrated damage to the computer system itself,” and not just to the data and software residing on that system. In so doing, the court rejected the insurer’s argument that the system still functioned, concluding that a system with diminished operability and performance had suffered “damage” within the plain terms of the policy:
In the instant case, [insurance company] seems to equate ‘physical loss or damage’ to Plaintiff’s computer system to require an utter inability to function. The Policy language, and the relevant case law, impose no such prerequisite.
The ruling is significant because a straightforward application of express traditional policy wording may result in such coverage. Although traditional policies may cover certain cyber losses, a prudent business owner should contact his/her agent to inquire about specialty cyber insurance, which may cover a wide variety of losses related to cyber security and data protection. This ruling further adds a small piece of clarification to the dark world of cyber-related insurance claims.
1 National Ink and Stitch, LLC v. State Auto Property and Cas. Ins. Co., No. 1:18-cv-02138 (D. Md. Jan. 23, 2020).