Reed Smith Client Alerts

In an opinion with repercussions for insuring ransomware damage and losses, a federal court in Maryland recently held that a ransomware attack caused direct physical loss to a computer system sufficient to trigger coverage under the terms of a first-party property insurance policy.1 Although best practices support purchasing, when economically feasible, dedicated cyber liability insurance as part of a larger insurance portfolio, the court's decision highlights the importance of holistically reviewing all insurance policies held by the company to see whether other policies may respond to a particular loss arising out of a cyber event.

The lawsuit at issue arose after National Ink & Stitch (NIS), an embroidery and screen-printing business, was the victim of a ransomware attack.2 The attack prevented NIS from accessing data and software contained on its computer server, including artwork used in its printing business.3 Although NIS paid the ransom, the attacker demanded further payment and refused to release the software and data.4 NIS engaged a computer security company to perform remedial measures so that it could resume operations without purchasing new computer hardware, but these measures were unsuccessful in recovering all of the encrypted data and software (none of the artwork could be recovered), caused NIS's computer systems to run less efficiently, and left open the possibility that dormant remnants of the ransomware virus might re-infect NIS's systems in the future.5 NIS was thus left with two options: "wipe" its systems and reinstall all of the software and data; or purchase new computer hardware.6

NIS sought coverage for computer hardware replacement costs from its insurer, State Auto Property and Casualty Insurance Company (State Auto). NIS had a Businessowner Policy in place with State Auto, which included coverage "for direct physical loss of or damage to Covered Property ... caused by or resulting from any Covered Cause of Loss."7 The Policy also included a "Special Form Computer Coverage" endorsement that defined "Covered Property" to include "Electronic Media and Records (Including Software)," and that defined "Electronic Media and Records" to include both "electronic data processing, recording or storage media such as films, tapes, discs, drums or cells" and "data stored on such media."8 State Auto, however, denied coverage on the ground that because NIS "only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience 'direct physical loss' as covered by the Policy."9