The lawsuit at issue arose after National Ink & Stitch (NIS), an embroidery and screen-printing business, was the victim of a ransomware attack.2 The attack prevented NIS from accessing data and software contained on its computer server, including artwork used in its printing business.3 Although NIS paid the ransom, the attacker demanded further payment and refused to release the software and data.4 NIS engaged a computer security company to perform remedial measures so that it could resume operations without purchasing new computer hardware, but these measures were unsuccessful in recovering all of the encrypted data and software (none of the artwork could be recovered), caused NIS's computer systems to run less efficiently, and left open the possibility that dormant remnants of the ransomware virus might re-infect NIS's systems in the future.5 NIS was thus left with two options: "wipe" its systems and reinstall all of the software and data; or purchase new computer hardware.6
NIS sought coverage for computer hardware replacement costs from its insurer, State Auto Property and Casualty Insurance Company (State Auto). NIS had a Businessowner Policy in place with State Auto, which included coverage "for direct physical loss of or damage to Covered Property ... caused by or resulting from any Covered Cause of Loss."7 The Policy also included a "Special Form Computer Coverage" endorsement that defined "Covered Property" to include "Electronic Media and Records (Including Software)," and that defined "Electronic Media and Records" to include both "electronic data processing, recording or storage media such as films, tapes, discs, drums or cells" and "data stored on such media."8 State Auto, however, denied coverage on the ground that because NIS "only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience 'direct physical loss' as covered by the Policy."9
The court disagreed. It held that NIS was entitled to coverage "based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself."10 With respect to NIS's loss of its data and software, the court focused on the plain language of the Policy - specifically, the Computer Coverage endorsement - which expressly defined Covered Property to include data and software, and "contemplated that data and software ... can experience 'direct physical loss or damage.'"11 The court observed that NIS did "not seek solely the costs of replacing its customer data," but instead sought "a fully functioning computer system not (1) slowed by the necessary remedial and protective measures, or (2) at risk of reinfection from a dormant virus."12 The court also found that the language of the Policy did not limit coverage to "tangible property," but instead expressly included data and software as categories of covered property.13 Finally, the court rejected State Auto's argument that NIS did not experience a covered loss because its computer "server still function[ed]."14 The court reasoned that "the plain language of the Policy . . . protect[ed] against not only 'physical loss' but also 'damage to' both the media and data," and that a computer system does not need to be "completely and permanently inoperable" to be deemed to have suffered damage.15
As for coverage due to the loss of functionality, the court rejected State Auto's argument that coverage would be warranted only where the computer system is rendered inoperable, holding that NIS "demonstrated damage to the computer system itself, despite its residual ability to function."16 The court reasoned that "the mere fact that the system retained some limited functions d[oes] not prevent" a "finding that [the insured] suffered physical damage."17 As the court further observed, "in many instances, a computer will suffer 'damage' without becoming completely inoperable."18 Such damage may include "loss of use, loss of reliability, or impaired functionality."19
National Ink and Stitch is among the first decisions to hold that coverage may be available under a traditional first-property policy for losses arising out of a ransomware attack. Although a dedicated cyber liability policy should respond comprehensively to a ransomware attack, traditional policies may also respond to particular losses or contain endorsements adding limited cyber liability coverage. Policyholders should carefully and holistically review their entire insurance programs to determine which policies may respond in the event of a ransomware attack or other cybersecurity incident. Outside coverage counsel can be helpful in identifying particular risks, potential coverage, and potential gaps in coverage.
If you have any questions about the content of this article, or the current state of your company's coverage for ransomware attacks and other cybersecurity incidents, please contact one of the authors of this article or any other member of Reed Smith's Insurance Recovery Group. We're here to help.
- Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020).
- Id., p. 2.
- Id.
- Id.
- Id.
- Id.
- Id.
- Id., pp. 2-3.
- Id., p. 4.
- Id., p. 5.
- Id.
- Id., p. 6.
- Id., p. 7.
- Id., p. 8.
- Id.
- Id., pp. 9-10.
- Id.
- Id., p. 11.
- Id.
Client Alert 2020-049