Commentary from Counsel - Ransomware Coverage
Federal Court Rules Business Owners Policy Covers Ransomware Attack Damages
In late January, the United States District Court for the District of Maryland, in National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co., ruled that a business owners policy provided coverage for an embroidery and screen-printing business that had fallen victim to a ransomware attack. The court described its decision as a continuation of a nationwide trend of courts finding coverage for loss of data or systems functionality following a cyber-attack. Implicit in the court’s decision may have been a recognition of the increasing frequency and severity of ransomware attacks across the country. It is critical that you and your agencies also take note of these trends.
The National Ink & Stitch Case and Decision
In December 2016, National Ink & Stitch suffered a ransomware attack, which prevented it from accessing all art files and other data contained on its server along with most of its software. The attacker demanded payment in the form of bitcoin to release access to the software and data, which National Ink & Stitch paid. However, the attacker then requested further payment. At that point, National Ink & Stitch contracted with a security company to replace and reinstall its software. While the business’s computers functioned after the reinstall, the new protective software slowed the system. Further, National Ink & Stitch still does not have access to the lost data, meaning it has to reproduce all of the lost art files. Finally, computer experts found that it was likely there are still remnants of the virus on the business’s computers, which could ultimately “re-infect the entire system.”
Due to past and continuing damages resulting from the attack, National Ink & Stitch presented a claim to its insurer, State Auto, for the cost of replacing its computer system. The relevant business owners policy states that State Auto “will pay for direct physical loss of or damage to Covered Property…resulting from any Covered Cause of Loss.” The policy defines “Covered Property” to include “Electronic Media and Records (Including Software).” However, State Auto denied the claim, finding its insured did not experience “direct physical loss of or damage to” its computer system under the policy. National Ink & Stitch then sued to resolve the coverage dispute.
Ultimately, the court held that State Auto’s policy did provide coverage for National Ink & Stitch’s losses. The court began with the policy language, which explicitly includes “data” and “software” within the definitions of “Covered Property.” The court also construed the phrase “physical loss or damage” to include the inefficiency of National Ink & Stitch’s computer system following the installation of protective software, finding that a computer can “suffer ‘damage’ without becoming completely inoperable.” While the court came to its conclusions based on an analysis of Maryland state law, it noted that its interpretation tracks with holdings “reached by the majority of courts interpreting similar policies.”
Now What?
Before getting to the potential effects of this ruling on your agencies and clients, it is important to understand the basics. Ransomware is a computer virus that effectively holds a computer, or an entire system, hostage until a fee is paid. Ransomware attacks have become increasingly common in recent years. In the first four months of 2019 alone, there were more than 40 million ransomware detections. Experts predict that by 2021, a business will fall victim to a ransomware attack every 11 seconds. Further, the costs for businesses targeted with ransomware can be incredibly high. The total damages associated with ransomware in 2019 surpassed $11.5 billion, or an average of $141,000 per incident. In other words, this problem is common, it’s expensive, and it’s not going away any time soon.
So what does this all mean for your agency? To start, as reflected by the National Ink & Stitch decision, courts across the country have begun to construe business owners policies to cover damages arising from ransomware attacks. Given the severity and frequency of the problem, and its effects on organizations ranging from multi-national corporations to small towns, courts are unlikely to reverse this trend. As a result, it is critical that you and your agencies understand the policy language you are presenting to your clients and the coverage they are requesting. Further, it is increasingly important to have connections with consultants, lawyers or firms that have expertise not only in insurance law but also in the expanding field of data privacy and cybersecurity, so that response strategy, security planning and coverage can be evaluated.
Conclusion
Ransomware attacks may soon become a daily headache for your business clients. In order to recoup some of the costs associated with these attacks, those clients are likely to bring claims under their business owners policies. If past is prelude, courts may be sympathetic to those claims and you need to be prepared to handle coverage requests and claims arising from these attacks.