Court ruling sets new precedent on cyberattack losses and BOP coverage

A U.S. District Court discusses whether a businessowners policy should cover losses from a ransomware attack.

(Photo: Simon Dawson/Bloomberg)

In a first-of-its-kind finding, the U.S. District Court for the District of Maryland has ruled that lost data and the compromised operability of a computer system resulting from a cyberattack, both qualify as “direct physical loss” under a businessowners policy.

National Ink & Stitch, LLC (National Ink), is an embroidery and screen printing business that was covered by a business owner’s insurance policy from March 31, 2016, to March 31, 2017, through State Auto Property & Casualty Insurance Co. (State Auto.) National Ink stored art, logos, and designs for its business on its computer server, which also housed software for graphic arts, shop management, embroidery, and webstore management.

In December 2016, National Ink’s computer server and networked computers came under a ransomware attack, which prevented the company from accessing all of the art and other data stored on the server, except for the embroidery software. The attacker demanded a bitcoin payment to release access to the software and data. National Ink hired a security company to replace and install its software, and install protective software on the system. Although the computers were restored to function, the installation of the protective software slowed the system, resulting in a loss of efficiency. National Ink also lost access to the art files stored in the system and was forced to recreate those files.

Trial arguments

Computer experts testified at trial that it was likely that there were remnants of the ransomware still lingering in the system that could reinfect the entire system at any time, and gave only two options to fully recover: 1. to wipe the system and reinstall everything or 2. to purchase an entirely new server and components.

Relevantly, the policy provided that State Auto will “pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” The Businessowners Special Form Computer Coverage endorsement defined “Covered Property” to include “Electronic Media and Records (Including Software.” and defined “Electronic Media and Records” to include “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells; and data stored on such media.”

National Ink filed a claim with State Auto in December 2016, for the ransomware attack. State Auto denied coverage for the cost of replacing the computer system. State Auto argued that National Ink did not experience a “direct physical loss of or damage to” the computer system to justify reimbursement under the policy of a complete replacement of the entire system, because National Ink only lost data and could still use the computer system.

National Ink argued that the policy language contemplated computer data and software to be property subject to “direct physical loss,” and that the computer system sustained damage in the form of impaired functioning.

Court ruling sides with insureds

The court agreed with National Ink.

The court held that National Ink could recover based on the loss of artwork data and software because the policy included “data stored on such media” as a separate category of Covered Property, so the plain language of the policy contemplated that “data and software are covered and can experience ‘direct physical loss or damage.’”  The court also held that National Ink showed that the damage affected the computer system itself, despite its residual ability to function.

The court rejected the insurer’s argument that “physical loss or damage” to the system required an “utter inability to function” and instead found that the policy language and relevant case law showed no such requirement, and cited cases that suggested the loss of use, reliability or impaired functionality demonstrated the required damage to a computer system consistent with the policy language.

The case is National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co. No. SAG-18-2138, 2020 U.S. Dist. LEXIS 11411 (D. Md. Jan. 23, 2020)

Editor’s Analysis:  Significantly, this case emphasizes that a computer system can be damaged to a point that coverage will apply, without being rendered completely inoperable.

The concept that a traditional insurance policy could be required to provide coverage for losses due to cyberattacks or cybersecurity events really gets to the essence of the “silent-cyber” issue and marks a growing trend in insurance. Although the State Auto policy was not a cyber policy,  but it was still required to pay out what would be considered cyber damages, the case demonstrates that a business does not necessarily have to purchase a cyber policy to have coverage for a cyber loss.

See also: