The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss. The policy defined “covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.”

A December 2016 ransomware attack rendered Plaintiff unable to access the art, logos, and design for its business on its computer server, in addition to other software related to its business. Plaintiff paid, but the attacker demanded an additional payment. Eventually, Plaintiff employed a security company to replace and reinstall its software and to install protective software on its computer system. Plaintiff’s computers still functioned, but the installation of the anti-malware software slowed the computer system, which cost Plaintiff some efficiency. Plaintiff lost the art files permanently.

State Auto declined coverage on the ground that Plaintiff did not suffer “direct physical loss.” Plaintiff disagreed. Both parties moved for summary judgment. The court granted Plaintiff’s motion and denied State Auto’s. The court held that the policy’s plain language defined “Covered Property” to include “data,” and therefore, Plaintiff’s loss of data qualified for coverage. State Auto contended that the policy limited coverage to data stored on physical media, but the court rejected this conclusion based on the policy’s language. State Auto also claimed that Plaintiff could not recover because its computers were not completely incapacitated, but the court ruled that the policy provided coverage even absent complete inoperability.

After the Fourth Circuit decided Travelers Indemnity vs. Portal Healthcare Solutionsmany observers believed that insurance companies would exclude damages from data breaches from their commercial general liability (CGL) policies and begin covering such damages only through policies or endorsements specifically written to address cybersecurity. However, coverage uncertainty and questions regarded pricing led many companies to offer cybersecurity insurance in other policies, such as the businessowner’s insurance policy at issue here.

As always, the lesson remains for both parties to an insurance policy to make clear what the policy covers and what it does not. Businesses should take care to ensure that their insurance policies do not contain gaps in coverage that might leave them exposed in the event of a data breach.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Sean C. Griffin Sean C. Griffin

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts…

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.