Ransomware Attack Involves “Direct Physical Loss of or Damage to” Software, Data and Computer Systems
A Maryland federal district court has ruled that a ransomware event involved “direct physical loss of or damage to” software, data, and computer systems, thus triggering coverage under a businessowner’s insurance policy. National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).
The insured operated an embroidery and screen-printing business. It stored software and data on its computer server. The insured’s network was hit with ransomware, and it replaced and reinstalled software on the network. In addition, the insured installed new “protective software” on its system, which “slowed the system and resulted in a loss of efficiency.”
The insured sought coverage under its businessowner’s policy, which afforded coverage for “direct physical loss of or damage to Covered Property.” “Covered Property” included “[e]lectronic data processing, recording or storage media such as films, tapes, discs, drums or cells” and “[d]ata stored on such media,” including software. The insured sought coverage for certain losses associated with the event, but the insurer denied coverage on the ground that there was no “direct physical loss of or damage to” the system. Instead, the insurer maintained that the insured lost only data, which is an intangible asset, and could still use its computer system to operate its business.
The court ruled in favor of the insured. First, the court observed that both “data” and “software” were included in the definition of covered property, suggesting that such property could suffer “direct physical loss or damage” within the meaning of the policy. In addition, the court held that the insured had “demonstrated damage to the computer system itself,” and not just to the data and software residing on that system. In so doing, the court rejected the insurer’s argument that the system still functioned, concluding that a system with diminished operability and performance had suffered “damage” within the plain terms of the policy.