Ransomware attacks, third-party liability and you
Organizations need to consider unintended victims and liability to reliant third parties if their systems are attacked by ransomware.
The COVID-19 pandemic has caused a massive shift in the way organizations do business and the way their employees do their work, but, as is often the case, this shift has brought about an increase in cybersecurity risks, which should not be overlooked.
Much of this increased risk comes from the rise of ransomware attacks. According to one of the largest cyber insurance providers in North America, approximately 41% of cyber insurance claims in the first half of 2020 were attributed to ransomware attacks.
When faced with a possible ransomware attack, organizations need to consider the unintended victims and the potential for liability to reliant third parties if their computer systems remain inoperable or their data is lost. Recently, a hospital in Germany was a victim of a ransomware attack, which caused the need for emergency transport of a number of patients due to the inoperable computer systems. Tragically, one of the patients died during transport and is reported to be the first known death caused by a ransomware attack.
Software, data corruption not considered property damage
General liability policies typically offer to defend the insured faced with a lawsuit claiming either bodily injury or property damage caused by an occurrence (typically defined as an accident). Bodily injury is fairly easy to identify and clever plaintiffs can usually get around the need for an occurrence by pleading some form of negligence (i.e., negligent failure to provide security). However, a ransomware attack is far more likely to cause property damage (i.e., corrupted data and unusable computer systems) than bodily injury, and most courts around the country do not interpret corruption of software and data as property damage under traditional insurance policies.
Many, if not most, commercial general liability policies expressly preclude coverage for data-related liabilities. However, even if your policy does not exclude data-related liability, you may still have a hard time obtaining coverage for such an event.
Recently, though, a federal district court in Maryland held that computer data and software loss was covered. There, the insured, an embroidery and screen-printing business, was the victim of a ransomware attack and, despite paying the initial ransom, was unable to recover many of the files that it used to run its business. The company looked to its insurance to cover its own losses, and the insurer denied coverage because, according to the insurer, the company had not suffered a physical loss or damage to its computer system. The court disagreed and noted that, unlike many other insurance policies, the policy at issue did not limit coverage to damage to “tangible property.” In any event, it reasoned that Maryland courts would find physical damage to the computer software because the ransomware attack rendered the software inoperable.
This is one of the first instances of coverage for lost data resulting from a ransomware attack under a traditional policy, but it may not be the last. That said, this is a minority position, and the policy language was a determining factor in this case.
Given the heightened risk for ransomware attacks during the pandemic, organizations should not rely on the remote possibility that a court may rule in their favor on these issues. Rather than depend on general liability coverage, which may not cover cyber risks, organizations should consider adding cyber insurance to their insurance portfolio. These coverages, however, are far from standardized and come in a variety of shapes and sizes. For example, some cyber policies may provide coverage for expenses incurred in responding to a ransomware attack but may not provide coverage for any damage caused to third parties. Other policies may cover liability but may not provide coverage when the attack is through an employee-owned device.
Oliver Sepulveda is an associate in the Miami office of Shutts & Bowen, where he is a member of the insurance practice group.