Ransomware attacks can saddle a policyholder with significant costs and
expenses, including business interruption costs, ransom payments, and computer
hardware and software replacement costs. While a cyber policy is the most
obvious source of coverage, policyholders might also find coverage under a
traditional property policy, as a recent federal court decision finds.
The insuring agreement of a standard commercial property policy provides
that the insurer will pay for "direct physical loss of or damage to"
covered property. When it comes to losses caused by cyber attacks, such as
ransomware, the issue is whether damage to a computer server or component
caused by a virus or other malicious code constitutes "physical loss or
damage." Courts have reached different conclusions on this issue.
In Ward Gen. Ins. Servs. Inc. v. Employers Fire Ins. Co.,
114 Cal. App. 4th 548 (Cal. Ct. App. 2003), a policyholder's computer
system crashed during an upgrade, resulting in the loss of data stored on the
system. The court opined that "the loss of plaintiff's [data] does not
qualify as 'direct physical loss,' unless the [data] has a
material existence, forged out of tangible matter, and is perceptible to the
sense of touch."
The court found that the lost data was merely information, which does not,
itself, have a material existence. Notably, the court distinguished the lost
data from the physical medium on which it was stored and found that the
plaintiff was not seeking coverage for damage to the physical medium on which
the data was stored. Id. at 557 ("To be sure, information is
stored in a physical medium, such as magnetic disc or tape … but the
information itself remains intangible.… Plaintiff did not lose the tangible
material of the storage medium. Rather, plaintiff lost the stored
information. The sequence of ones and zeros can be altered,
rearranged, or erased, without losing or damaging the tangible material of the
storage medium.")
Similarly, in America Online, Inc. v. St. Paul Mercury Ins. Co.,
347 F.3d 89 (4th Cir. 2003), the court held that there was no coverage under a
commercial general liability policy for claims alleging that a software update
corrupted files on a user's computers and caused the computers to become
unstable and crash. The court held that the alleged damage caused by the
software update was not damage to tangible property because, while the
"physical magnetic material on the hard drive is tangible property,"
the alleged damage was only to the data on the hard drives, and data is not
tangible. Id. at 95; see also State Auto Prop. & Cas. Ins. Co.
v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001)
("Although the medium that holds the information can be perceived,
identified or valued, the information itself cannot be. Alone, computer data
cannot be touched, held, or sensed by the human mind; it has no physical
substance. It is not tangible property.").
Other courts, however, have construed "direct physical loss or
damage" more broadly to include situations where the functionality or
reliability of computer hardware has been impaired. For example, in
American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S.
Dist. LEXIS 7299 (D. Ariz. April 19, 2000), the policyholder sought coverage
under its property policy for losses it sustained when a power outage caused
its computer system to lose programming information.
The insurer argued that the computer system was not physically damaged
because it had only lost data, and it was still able to function after the
power outage. The court held that there was coverage, finding that
"physical damage" "is not restricted to the physical destruction
or harm of computer circuitry but includes loss of access, loss of use, and
loss of functionality." Id. at *5 ("Ingram does allege
property damage—that as a result of the power outage, Ingram's computer
system and world-wide computer network physically lost the programming
information and custom configurations necessary for them to function.
Ingram's mainframes were 'physically damaged' for one and one half
hours. It wasn't until Ingram employees manually reloaded the lost
programming information that the mainframes were 'repaired.'");
see also Southeast Mental Health Ctr., Inc. v. Pacific Ins. Co., Ltd.,
439 F. Supp. 2d 831 (W.D. Tenn. 2006) ("[T]he corruption of the pharmacy
computer constitutes 'direct physical loss of or damage to
property[.]'").
Similarly, in Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013
U.S. Dist. LEXIS 114730 (E.D. Ky. Aug. 14, 2013), the court held that there was
"physical loss or damage" where a computer data storage network was
rendered unreliable, even though it could still function, after it overheated
due to an air conditioning system malfunction. The court rejected the
insurer's argument that "physical loss or damage" required
changes to the components that were "tangible" or
"perceptive" to the senses, holding that the loss of reliability of
the network was "physical" even if the changes caused by the heat
exposure occurred on a microscopic level.
The court also rejected the insurer's argument that loss of reliability
was not "physical loss or damage" because the network still retained
some functionality; the court held that the value in the network was its
reliability, and, therefore, it sustained damage when it became less reliable.
Accordingly, the court held that the policy covered the replacement cost of the
network.
Recent Case Law
Against this backdrop, the court in National Ink & Stitch LLC v.
State Auto Prop. & Cas. Ins. Co., 2020 U.S. Dist. LEXIS 11411 (D. Md.
Jan. 23, 2020), was asked to decide whether a first-party property policy
provided coverage for the replacement cost of servers and components that were
left slower and potentially still infected by dormant computer viruses
following a ransomware attack. The policyholder, an embroidery and screen
printing business, was covered under a business owners policy, the property
portion of which provided coverage for "direct physical loss of or damage
to Covered Property." The policy included a "Special Form Computer
Coverage endorsement," providing that covered property included
"electronic media and records," which was defined as including
"electronic data processing, recording or storage media such as films,
tapes, discs, drums or cells," and "[d]ata stored on such
media."
The policyholder's servers and computers were subject to a ransomware
attack; a third party had implanted a virus onto the policyholder's
computer systems, which prevented it from accessing files and other data. The
attacker demanded payment to grant the policyholder access to its systems. The
policyholder paid the ransom, but the attacker refused to provide access unless
an additional ransom was paid. Instead, the policyholder retained a computer
security company to replace and reinstall its software.
After the software was reinstalled, the computer systems worked but were
slower because of additional security measures that were employed on the
system, and the computer security expert advised that there could still be
dormant portions of the ransomware virus on the system that could reinfect it
in the future. As a result, the policyholder was faced with a choice of either
wiping the entire system and reinstalling all of its software or replacing its
entire server and components with new ones. The policyholder chose the second
option and sought reimbursement from its property insurer for the costs.
The insurer denied coverage, taking the position that, because the servers and
components still functioned, albeit in a diminished capacity, there was no
"direct physical loss of or damage to" them. The court rejected the
insurer's argument, holding that the policyholder was entitled to recover
because it suffered a loss of data and software in its computer system, and the
policy specifically included data and software as "covered
property."
The court also held that the policy afforded coverage because the
policyholder's servers and components had suffered "direct physical
loss or damage" by virtue of their loss of functionality after the
ransomware attack. Here, the court rejected the insurer's argument that,
because the servers and components still functioned, albeit in a more limited
capacity, there was no direct physical loss or damage. The court found that the
insurer's argument "seems to equate 'physical loss or damage'
to Plaintiff's computer system to require an utter inability to
function," a limitation that is not supported by the language of the
policy. Instead, the court held coverage was triggered because "not only
did [the policyholder] sustain a loss of its data and software, but [it] is
left with a slower system, which appears to be harboring a dormant virus, and
is unable to access a significant portion of software and stored data." As
a result, the court held that the policyholder was entitled to coverage for the
replacement cost of the servers.
The Takeaway
The court's decision in National Ink & Stitch LLC is a
reminder that policyholders should not assume that their property policies do
not afford broader coverage for losses resulting from a cyber attack.
Policyholders may be able to recover the cost of replacing computer hardware to
the extent they can show that the functionality of the hardware has been
impaired.