Coverage for Ransomware Losses under Property Policies

The insuring agreement of a standard commercial property policy provides that the insurer will pay for "direct physical loss of or damage to" covered property. When it comes to losses caused by cyber attacks, such as ransomware, the issue is whether damage to a computer server or component caused by a virus or other malicious code constitutes "physical loss or damage." Courts have reached different conclusions on this issue.

In Ward Gen. Ins. Servs. Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548 (Cal. Ct. App. 2003), a policyholder's computer system crashed during an upgrade, resulting in the loss of data stored on the system. The court opined that "the loss of plaintiff's [data] does not qualify as 'direct physical loss,' unless the [data] has a material existence, forged out of tangible matter, and is perceptible to the sense of touch."

The court found that the lost data was merely information, which does not, itself, have a material existence. Notably, the court distinguished the lost data from the physical medium on which it was stored and found that the plaintiff was not seeking coverage for damage to the physical medium on which the data was stored. Id. at 557 ("To be sure, information is stored in a physical medium, such as magnetic disc or tape … but the information itself remains intangible.… Plaintiff did not lose the tangible material of the storage medium. Rather, plaintiff lost the stored information. The sequence of ones and zeros can be altered, rearranged, or erased, without losing or damaging the tangible material of the storage medium.")

Similarly, in America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003), the court held that there was no coverage under a commercial general liability policy for claims alleging that a software update corrupted files on a user's computers and caused the computers to become unstable and crash. The court held that the alleged damage caused by the software update was not damage to tangible property because, while the "physical magnetic material on the hard drive is tangible property," the alleged damage was only to the data on the hard drives, and data is not tangible. Id. at 95; see also State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001) ("Although the medium that holds the information can be perceived, identified or valued, the information itself cannot be. Alone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.").

Other courts, however, have construed "direct physical loss or damage" more broadly to include situations where the functionality or reliability of computer hardware has been impaired. For example, in American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 19, 2000), the policyholder sought coverage under its property policy for losses it sustained when a power outage caused its computer system to lose programming information.

The insurer argued that the computer system was not physically damaged because it had only lost data, and it was still able to function after the power outage. The court held that there was coverage, finding that "physical damage" "is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality." Id. at *5 ("Ingram does allege property damage—that as a result of the power outage, Ingram's computer system and world-wide computer network physically lost the programming information and custom configurations necessary for them to function. Ingram's mainframes were 'physically damaged' for one and one half hours. It wasn't until Ingram employees manually reloaded the lost programming information that the mainframes were 'repaired.'"); see also Southeast Mental Health Ctr., Inc. v. Pacific Ins. Co., Ltd., 439 F. Supp. 2d 831 (W.D. Tenn. 2006) ("[T]he corruption of the pharmacy computer constitutes 'direct physical loss of or damage to property[.]'").

Similarly, in Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 (E.D. Ky. Aug. 14, 2013), the court held that there was "physical loss or damage" where a computer data storage network was rendered unreliable, even though it could still function, where it overheated due to an air conditioning system malfunction. The court rejected the insurer's argument that "physical loss or damage" required changes to the components that were "tangible" or "perceptive" to the senses, holding that the loss of reliability of the network was "physical" even if the changes caused by the heat exposure occurred on a microscopic level.

The court also rejected the insurer's argument that loss of reliability was not "physical loss or damage" because the network still retained some functionality; the court held that the value in the network was its reliability, and, therefore, it sustained damage when it became less reliable. Accordingly, the court held that the policy covered the replacement cost of the network.

Recent Case Law

Against this backdrop, the court in National Ink & Stitch LLC v. State Auto Prop. & Cas. Ins. Co., 2020 U.S. Dist. LEXIS 11411 (D. Md. Jan. 23, 2020), was asked to decide whether a first-party property policy provided coverage for the replacement cost of servers and components that were left slower and potentially still infected by dormant computer viruses following a ransomware attack. The policyholder, an embroidery and screen printing business, was covered under a business owners policy, the property portion of which provided coverage for "direct physical loss of or damage to Covered Property." The policy included a "Special Form Computer Coverage endorsement," providing that covered property included "electronic media and records," which was defined as including "electronic data processing, recording or storage media such as films, tapes, discs, drums or cells," and "[d]ata stored on such media."

The policyholder's servers and computers were subject to a ransomware attack; a third-party had implanted a virus onto the policyholder's computer systems, which prevented it from accessing files and other data. The attacker demanded payment to grant the policyholder access to its systems. The policyholder paid the ransom, but the attacker refused to provide access unless an additional ransom was paid. Instead, the policyholder retained a computer security company to replace and reinstall its software.

After the software was reinstalled, the computer systems worked but were slower because of additional security measures that were employed on the system, and the computer security expert advised that there could still be dormant portions of the ransomware virus on the system that could reinfect it in the future. As a result, the policyholder was faced with a choice of either wiping the entire system and reinstalling all of its software or replacing its entire server and components with new ones. The policyholder chose the second option and sought reimbursement from its property insurer for the costs.

The insurer denied coverage, taking the position that, because they still functioned, albeit in a diminished capacity, there was no "direct physical loss of or damage to" the servers and components. The court rejected the insurer's argument, holding that the policyholder was entitled to recover because it suffered a loss of data and software in its computer system, and the policy specifically included data and software as "covered property."

The court also held that the policy afforded coverage because the policyholder's servers and components had suffered "direct physical loss or damage" by virtue of their loss of functionality after the ransomware attack. Here, the court rejected the insurer's argument that, because the servers and components still functioned, albeit in a more limited capacity, there was no direct physical loss or damage. The court found that the insurer's argument "seems to equate 'physical loss or damage' to Plaintiff's computer system to require an utter inability to function," a limitation that is not supported by the language of the policy. Instead, the court held coverage was triggered because "not only did [the policyholder] sustain a loss of its data and software, but [it] is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data." As a result, the court held that the policyholder was entitled to coverage for the replacement cost of the servers.

The Takeaway

The court's decision in National Ink & Stitch LLC is a reminder that policyholders should not assume that their property policies do not afford broader coverage for losses resulting from a cyber attack. Policyholders may be able to recover the cost of replacing computer hardware to the extent they can show that the functionality of the hardware has been impaired.