The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss. The policy defined “covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.”

A December 2016 ransomware attack rendered Plaintiff unable to access the art, logos, and design for its business on its computer server, in addition to other software related to its business. Plaintiff paid, but the attacker demanded an additional payment. Eventually, Plaintiff employed a security company to replace and reinstall its software and to install protective software on its computer system. Plaintiff’s computers still functioned, but the installation of the anti-malware software slowed the computer system, which cost Plaintiff some efficiency. Plaintiff lost the art files permanently.

State Auto declined coverage on the ground that Plaintiff did not suffer “direct physical loss.” Plaintiff disagreed. Both parties moved for summary judgment. The court granted Plaintiff’s motion and denied State Auto’s. The court held that the policy’s plain language defined “Covered Property” to include “data,” and therefore, Plaintiff’s loss of data qualified for coverage. State Auto contended that the policy limited coverage to data stored on physical media, but the court rejected this conclusion based on the policy’s language. State Auto also claimed that Plaintiff could not recover because its computers were not completely incapacitated, but the court ruled that the policy provided coverage even absent complete inoperability.

After the Fourth Circuit decided Travelers Indemnity vs. Portal Healthcare Solutions, many observers believed that insurance companies would exclude damages from data breaches from their commercial general liability (CGL) policies and begin covering such damages only through policies or endorsements specifically written to address cybersecurity. However, coverage uncertainty and questions regarded pricing led many companies to offer cybersecurity insurance in other policies, such as the businessowner’s insurance policy at issue here.

As always, the lesson remains for both parties to an insurance policy to make clear what the policy covers and what it does not. Businesses should take care to ensure that their insurance policies do not contain gaps in coverage that might leave them exposed in the event of a data breach.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.