Federal Court Acknowledges Coverage for Ransomware Losses Under Traditional Property Insurance Policy
When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.
In a significant victory for policyholders, the United States District Court for the District of Maryland recently determined that certain ransomware-related losses are covered under language commonly found in traditional commercial property insurance policies. National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Company, No. CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020) ("National Ink").
In National Ink, the policyholder's computer network experienced a ransomware attack, which prevented access to nearly all of the operational software, files, and data essential to the company's embroidery and screen printing business. When its attacker refused to restore access and demanded the payment of an additional bitcoin ransom, the policyholder declined to do so and engaged a security consultant to reinstall its software and add protective programs to its computer network. Following these restoration efforts, the policyholder's computer network functioned less efficiently and still contained dormant remnants of the ransomware virus. To eliminate the risk of reinfection to its computer network, the policyholder purchased an entirely new server and turned to its commercial property insurer for coverage.
Denying coverage, the insurer contended that, because the policyholder only lost intangible electronic data and its computer network had a "residual ability to function" after the attack, there had been no "direct physical loss of or damage to" covered property as required under the policy. Rejecting the insurer's position as unsupported by the plain language of the policy, the court noted that the policy did not limit coverage to "tangible" property and instead expressly listed "data" and "software" as categories of "covered property."
Likewise, the court rejected the insurer's position that a computer network must be rendered "completely and permanently inoperable" in order to trigger coverage, finding that the policy "impose[d] no such prerequisite." Instead, the court determined that the plain language of the disjunctive phrase "direct physical loss of or damage to" covered property encompassed any "loss of use, loss of reliability, or impaired functionality" of the computer network, noting that "in many instances, a computer will suffer 'damage' without becoming completely inoperable."
- When responding to cyberattacks, commercial policyholders should carefully review all potentially applicable insurance policies and not overlook traditional coverages.
- In addition to the loss of electronic data itself, commercial property insurance policies may afford coverage for the impaired functionality or reliability of computer networks following ransomware or other cyberattacks.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.