Ransomware Attack Involves “Direct Physical Loss of or Damage to” Software, Data and Computer Systems

January 29, 2020

A Maryland federal district court has ruled that a ransomware event involved “direct physical loss of or damage to” software, data, and computer systems, thus triggering coverage under a businessowner’s insurance policy.  National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).

The insured operated an embroidery and screen-printing business.  It stored software and data on its computer server.  The insured’s network was hit with ransomware, and it replaced and reinstalled software on the network.  In addition, the insured installed new “protective software” on its system, which “slowed the system and resulted in a loss of efficiency.”

The insured sought coverage under its businessowner’s policy, which afforded coverage for “direct physical loss of or damage to Covered Property.”  “Covered Property” included “[e]lectronic data processing, recording or storage media such as films, tapes, discs, drums or cells” and “[d]ata stored on such media,” including software.  The insured sought coverage for certain losses associated with the event, but the insurer denied coverage on the ground that there was no “direct physical loss of or damage to” the system.  Instead, the insurer maintained that the insured lost only data, which is an intangible asset, and could still use its computer system to operate its business.

The court ruled in favor of the insured.  First, the court observed that both “data” and “software” were included in the definition of covered property, suggesting that such property could suffer “direct physical loss or damage” within the meaning of the policy.  In addition, the court held that the insured had “demonstrated damage to the computer system itself,” and not just to the data and software residing on that system.  In so doing, the court rejected the insurer’s argument that the system still functioned, concluding that a system with diminished operability and performance had suffered “damage” within the plain terms of the policy.

 

Tags

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek