Posted In: Insurance Recovery & Cybersecurity & Data Privacy
Corporate TIPS: Ransomware Attack - Is Losing Data Considered a Physical Loss Under Your Insurance Policy?
By Joseph K. Cole on February 21, 2020
As demonstrated in National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Company, a ransomware attack can cause headaches in multiple areas. First, an attack can result in loss of data and damage to computer servers and systems. Second, when there is a loss, a company must contend with insurance and whether the loss is covered under any of the company’s policies. Being prepared ahead of time both on the cybersecurity front and the insurance front can help avoid or minimize the pain of a ransomware attack.
The plaintiff, National Ink, an embroidery and screen printing company, experienced a ransomware attack on its computer server and networked computers that prevented it from accessing its art files, other data on its server and most of its software programs. 2020 WL 374460, *1 (Jan. 23, 2020). The attacker demanded payment to release the data and software, which National Ink paid, but the attacker demanded further payment and refused to release the software and data. National Ink then hired a security company to replace and reinstall its software and to install protective software on its system. The protective software slowed the system significantly and resulted in loss of efficiency. Additionally, National Ink’s computer experts testified that the system likely still contained dormant remnants of the ransomware that could “‘re-infect the entire system.’” Id. To address the problem, National Ink had to either wipe the entire system and reinstall all the software and information or purchase a new server and components.
National Ink tendered a claim to its insurer, State Auto, under an insurance policy that covered “direct physical loss of or damage to Covered Property.” Id. Covered Property included “Electronic Media and Records (Including Software),” which was defined to include:(a) Electronic data processing, recording or storage media such as films, tapes, discs, drums or cells;
(b) Data stored on such media
Id. at *1-2. State Auto denied coverage for the cost to replace National Ink’s computer. The parties disagreed as to whether National Ink experienced “direct physical loss of or damage to” its computer system requiring replacement of the entire system.
The federal court considered whether National Ink could recover based on (1) the loss of data and software; or (2) the loss of functionality to the computer system. According to State Auto, National Ink did not experience “direct physical loss” because National Ink only lost data, an intangible asset, and could still use the computer system to operate its business. Id. at *2. National Ink argued that that the Policy’s language covered both the loss of data and software as Covered Property and the damage to its computer system in the form of impaired functioning.
With respect to the loss of data and software, the court concluded that “the plain language of the Policy contemplates that data and software are covered and can experience direct physical loss or damage.” Id. at *3. The court explained that the policy did not limit coverage to tangible property and expressly included “data” and “software” as Covered Property.
With respect to the loss of functionality of the computer system, the court explained that State Auto’s interpreted “physical loss or damage” to National Ink’s computer system to require an “utter inability to function.” Id. at *5. The court, however, concluded that neither the Policy language nor the relevant case law imposed such a requirement. Instead, the loss of use, loss of reliability, or impaired functionality was sufficient to demonstrate the required damage. National Ink was “left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and data store.” Id. This loss, according to the court, was covered under the Policy.
Although National Ink ultimately prevailed, it had to contend with the headache from the initial ransomware attack, the resulting inefficiencies from an impaired system, and litigation with its insurer.
How Brouse Can Help
Our attorneys can help before an incident occurs by preparing a cybersecurity plan and conducting a cyber-liability insurance review to mitigate the risk. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Contact us for more information.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2021 Brouse McDowell. All rights reserved.