Cyberattacks are an increasingly frequent and costly risk faced by almost every business today. While the availability and scope of cyber-specific insurance has developed exponentially over the past few years, it is important to remember that more traditional policies (such as general liability and first-party property insurance) can still be a source for coverage in connection with cyber incidents, as a recent court decision demonstrates.
In National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co., the U.S. District Court for the District of Maryland ruled that lost data and the compromised operability of a computer system resulting from a cyberattack qualify as “direct physical loss” under a first-party property policy. The decision is described as “first-of-its-kind,” finding coverage for costs associated with a ransomware infection of a computer system.
The case stems from a 2016 ransomware attack on National Ink and Stitch, an online screen printing and embroidery company. The attack prevented the company from accessing almost all of its software applications and art files on its servers. After the ransom demand was paid, the hacker still did not remove the malware and demanded another payment. Instead of paying more, National Ink hired a security company to reinstall its software and install a protection program on the system. National Ink was never able to recover its art files and had to recreate them.
After installing the protection program, National Ink experienced a significant slow-down of its systems and discovered that remnants of the ransomware were still present and threatened re-infection. National Ink decided to scrap the system entirely and replace it with a new server and computers. National Ink then sought coverage for the replacement costs under its business owners’ property insurance policy. Its property insurer, State Auto Property & Casualty Insurance Company, denied coverage for the replacement costs and National Ink filed suit. Both parties filed for summary judgment on the issue of whether National Ink’s loss of data and the impairment of its system constituted “direct physical loss” within the coverage of the policy.
In ruling for National Ink, the court noted that the policy included “[e]lectronic data processing, recording or storage media such as films, tapes, discs, drums or cells” and “data stored on such media” within the definition of “Covered Property.” The court, following a Texas Court of Appeals ruling involving a company whose system was rendered inoperable due to a virus infection, found that the computer equipment impaired by the ransomware attack qualified as covered property because it contained hard drives (also known as “discs”) and could not be used for “electronic data processing, recording, or storage” after the attack. State Auto also argued that National Ink’s computer system could not have suffered “direct physical loss” because it was still functional, but the court rejected that argument, ruling that complete inoperability was not required because the policy protected against “damage to” covered property as well as “physical loss.” The court also cited cases involving power outages that found “physical damage” includes “loss of access, loss of use, and loss of functionality” of computer systems.
Insurers are increasingly including exclusions or limitations on coverage for cyber-related losses in traditional general liability and property policies. Insureds should not, however, assume or accept immediately that there is no coverage for cyber incidents under those types of policies, and should consult coverage counsel. It is important for insureds to understand their insurance program and business risks and consider whether dedicated cyber policies are appropriate, but they should also remember there may be more resources available for coverage in the event of a cyber claim.