Ransomware is a type of malicious software designed to block access to a computer system until a sum of money, a ransom, is paid. Ransomware attacks are on the rise, and with them policyholders’ requests for coverage under their insurance policies for damages from such attacks. A recent federal court decision in Maryland found that the policyholder’s insurance policy covered such losses, which exceeded the policy limits of $310,000. National Ink and Stitch, Inc. v. State Auto Property and Casualty Insurance Co., No. SAG-18-2138, 2020 U.S. Dist. LEXIS 1141, 2020 WL 374460 (D. Md. Jan. 23, 2020).
Ink & Stitch provided embroidery and silk-screening and related promotional items and saved original art and other proprietary data as well as financial information on its computers. Ink & Stich was the target of a ransomware attack, which encrypted all its data and all but one program. The ransomware attacker demanded one Bitcoin to release the key but when they had the Bitcoin in hand the attacker demanded another Bitcoin and refused to provide the key. Ink & Stitch retained an IT security company which restored some functionality, although significantly slower, but none of the original artwork, which had to be recreated.
Ink & Stich purchased a Business Owners Policy from State Auto which included a Special Property Coverage Form and a Special Form Computer Coverage, all based on standard Insurance Services Office (ISO) forms. Ink & Stitch sought reimbursement under its Policy which insured against “direct physical loss of or damage to covered property.” “Covered property” included property used in the policyholder’s business. State Auto denied coverage. It contended that Ink & Stitch’s computer data and programs were intangible and thus incapable of “physical loss.”
The court disagreed. It noted that the policy expressly defined “covered property” to include “electronic media and records (including software)” and defined “electronic media and records” to include “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells” and “data stored on such media.” Thus, the court held that covered property included damage to “data” with no accompanying damage to the physical media where the data is stored.
The court pointed out the inconsistency in State Auto’s position. “By State Auto’s definition, damage to software, and the data stored within it, could never be covered, because software is not physical.” But “the plain language of the policy’s provisions and definitions dictates that such property is capable of sustaining a ‘physical loss.’”
Businesses should be prepared to prevent a ransomware attack and to respond to successful ones. Best practices for preventing ransomware attacks are constantly updated to address changing technical threats from new ransomware. Every business relying on computers—and today that is every business of any significance—should be prepared to limit the damage from a ransomware attack. A robust backup system, preferably on the cloud, is essential. Preparation includes insurance. Businesses should retain coverage counsel or an independent insurance agent who are familiar with coverage issues to review their policies, and weigh the risk-benefit ratio to determine the proper insurance that addresses their particular needs.
John regularly represents policyholders in coverage and environmental matters. He is currently representing a client seeking coverage for a ransomware attack.