Cyber attacks on computer systems have spawned myriad coverage disputes over whether the data stored on the computer system tangible property that comes within property insurance coverage or whether the computer system has to be rendered unusable. As cyber attacks have grown and morphed from hacking to ransomware to other types of intrusions, and as the effects of these attacks have changed, courts have been altering how they view insurance coverage for cyber attacks. A recent decision in Maryland federal court adds to this discussion.
In National Ink and Stitch, LLC, v. State Auto Property and Casualty Insurance Co., No. SAG-18-2138, 2020 U.S. Dist. LEXIS 11411 (D. Md. Jan. 23, 2020), a businessowners’ insurance carrier denied coverage for the cost of replacing a policyholder’s computer system after a ransomware attack. The attack caused the policyholder to have to replace and reinstall software, install protective software, which slowed the computer system and resulted in lost efficiency, and prevented access to certain important files. Additionally, there were dormant remnants of the ransomware virus on the system and the system was susceptible to re-infection unless the entire system was replaced.
The policy provided that it would pay for “direct physical loss of or damage to Covered Property . . . caused by or resulting from any Covered Cause of Loss.” “Covered Property” included “Electronic Media and Records (Including Software).” “Electronic Media and Records” included “(a) Electronic data processing, recording or storage media such as films, tapes, discs, drums or cells; (b) Data stored on such media.” The coverage dispute centered on whether the policyholder experienced direct physical loss of or damage to its computer system.
In granting summary judgment to the policyholder, the court held that the policyholder could recover under the insurance policy based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself. The court noted that if the policy intended to require physical loss or damage to the media itself, as opposed to just the data, it could have written the policy without providing that data was Covered Property under the definition of Electronic Media and Records (Including Software). The court found that the plain language of the policy contemplated that data and software were covered and could experience direct physical loss or damage.
The court analyzed several lines of cases and concluded that its interpretation of the policy’s plain language comported with the interpretations reached by a majority of the courts interpreting similar policies. Important to the court’s analysis was that the policyholder sought to replace its computer system with a fully functioning system, not one slowed by protective measures with the risk of reactivation of the ransomware virus and was not seeking solely the costs of replacing its customer data.
The court also addressed cases that limited coverage to tangible property. This policy, the court pointed out, did not limit coverage to tangible property and expressly included data and software under the definition of Covered Property.
The court rejected the argument that retaining functionality in the computer system negated coverage. The policy, the court stated, protected against physical loss, but also against damage to both the media and the data. Here, the court found that while the computer system maintained certain functionality, it was rendered slow and inefficient, and its storage capability was damaged because certain data and software could not be retrieved. Thus, the court observed that a computer system does not have to be completely and permanently inoperable for there to be coverage. Physical damage was not restricted to the physical destruction or harm to the computer, but included loss of access, loss of use, and loss of functionality. The court rejected the argument that physical loss or damage meant that the computer system had to be utterly unable to function, finding that the “Policy language, and the relevant case law, impose no such prerequisite.
The court concluded that “[b]ecause the plain language of the Policy provides coverage for such losses and damage [loss of data and software coupled with a slower system containing a dormant virus and lack of access to a significant portion of software and data], summary judgment” was granted in favor of the policyholder’s interpretation of the policy terms.