Judge Rules Insurer Must Pay for Ransomware Damage
Coverage Required Because Attack Caused 'Physical Loss or Damage'
A federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.
In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to National Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.
The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.
The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.
Physical Damage Covered
National Ink & Stitch had purchased a standard business owner's insurance policy from State Auto Property, which did not specifically cover cybersecurity damages, the lawsuit states.
But the judge in the case ruled that the policy would still cover physical damage no matter how it happened or under what circumstances, says Todd Rowe, an attorney with Tressler LLP of Chicago who specializes in insurance and privacy issues but was not involved in the case.
"Insurers may not intend for this policy language, which was designed to provide coverage for a fire, to cover a computer system that is functioning slower because of 'protective software' installed after a ransomware attack," Tressler tells Information Security Media Group. "The court goes out of its way to reject any argument that coverage only applies when there is an 'utter inability to function.' This case shows us that insurers and insureds should have a good idea of their expectations for coverage before an incident."
Impact of Ransomware Attack
National Ink & Stitch argued that its insurance policy covers "electronic media and records" that include films, tapes and disks as well as the data stored on devices.
The ransomware attack, which took place in December 2016, prevented employees from accessing all of the company's art files and data stored on servers, according to the lawsuit. The company also lost access to most of its software.
After National Ink & Stitch paid the ransom to the attackers in bitcoin, the cybercriminals demanded further payment and refused to unencrypt the software and data, the lawsuit says. The company was then forced to replace its entire computer network and install protective software, which slowed the entire infrastructure down, the lawsuit notes.
Computer experts also testified that there are likely dormant remains of ransomware in the system that could "re-infect the entire system," according to court documents.
In its lawsuit, National Ink & Stitch argued that its insurance policy covers "physical loss or damage," and that because the computer system was slow after being infected with malware, it could be categorized as damaged.
"In many instances, a computer will suffer 'damage' without becoming completely inoperable. Here, not only did the plaintiff sustain a loss of its data and software, but plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data," the judge said in her ruling.
Because the language in State Auto's insurance policy states that it provides coverage for such losses and damages, the insurer must pay for replacement of National Ink & Stitch's computer system, Judge Gallagher ruled.
As part of her ruling, Gallagher highlighted another case that involved similar circumstances.
In that case, Lambrecht & Associates filed a lawsuit against its insurer, State Farm Lloyds, to receive an insurance claim after a security incident wiped away most of its data and damaged its business.
State Farm Lloyds denied coverage, stating that the loss of information was not a physical loss. Another court, however, pushed back against that claim and found the server and the data it contained fall under the category of electronic media and Lambrecht should receive compensation.
Uncertainty Over Insurance
While the market for cyber insurance grew in 2018, according to a survey by Moody's Investor Service, the survey found that many insurance firms are grappling with the uncertainty that comes with offering protection for cyber incidents, such as ransomware attacks (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).
"Complexity of claim and coverage issues has raised uncertainty, including whether cyber insurance responds to claims for physical damage to property and related business interruption and contingent business interruption," the Moody's report states.
In November, for example, Target sued ACE American Insurance for up to $74 million in an attempt to recoup money it spent to replace payment cards as part of settlements over the retailer's massive 2013 data breach (see: Target Sues Insurer Over 2013 Data Breach Costs).
(Managing Editor Scott Ferguson contributed to this report.)