Ransomware case's impact could be far-reachingPosted On: Feb. 4, 2020 7:05 AM CST
A U.S. District Court ruling in Maryland that an insurer must indemnify a screen-printing business under its businessowner’s policy for costs incurred in a ransomware attack may be the first of its kind concerning ransomware, and is likely to be cited frequently by other courts, some experts say.
They say the ruling is also significant because it holds that coverage applies even though the firm’s computer system continued to function, albeit more slowly.
But some point out insurers have already been working to exclude coverage for “silent cyber” in comparable cases.
Owings Mills, Maryland-based National Ink & Stitch LLC, a screen-printing business, had a businessowners’ insurance policy with Columbus, Ohio-based State Auto Property and Casualty Insurance Co. between March 2016 and March 2017, according to last week’s ruling by the U.S. District Court in Baltimore in National Ink & Stitch LLC v. State Auto Property and Casualty Insurance Co.
In December 2016, National Ink’s server and network computers experienced a ransomware attack that prevented the company from accessing all of its art files and other data contained on the server, and all of its software, except for embroidery software, according to the ruling.
Although the company made the requested bitcoin payment, the attacker demanded further payment and refused to release the software and data. National Ink hired a security company to replace and reinstall its software and also install protective software on its computer system.
In the end, although National Ink’s computer still functioned, the protective software’s installation slowed the system and resulted in an efficiency loss, the ruling said. Furthermore, the art files formerly stored on the server could not be accessed, and the firm either has, or will have to, recreate them, according to the ruling.
National Ink filed suit after State Auto refused to pay its claim in the matter.
The ruling said, “The plain language of the Policy contemplates that data and software are covered and can experience ‘direct physical loss or damage.’”
“In addition to Plaintiff’s data and software constituting covered property under the Policy’s terms, Plaintiff has also demonstrated damage to the computer system itself, despite its residual ability to function,” it said.
“State Auto seems to equate ‘physical loss or damage’ to Plaintiff’s computer system to require an utter inability to function. The Policy language, and the relevant case law, impose no such prerequisite,” the ruling said, in granting summary judgment to National Ink.
A letter Friday from National Ink attorney Kathleen M. McDonald, a member of Kerr McDonald LLP in Baltimore, to the court requests a status/scheduling conference, stating, “There remains disputes about which coverage limit is applicable to National Ink & Stitch’s claim and about the nature, extent, and/or coverage status of various monetary elements of National Ink & Stitch’s claim, which will require expert and damages discovery unless otherwise resolved by the parties.”
Attorneys in the case did not respond to requests for comment.
Policyholder attorney Peter Vogel, of counsel with Foley & Lardner LLP in Dallas, said the probability of winning a motion for summary judgment “is very low, and so the fact that this judge ruled this way tells me the evidence in front of her was absolutely persuasive.”
It is significant as a silent cyber case, say many experts. “It goes to show that the concept of silent cyber is real, and there can be coverage even in policies that are not necessarily marketed as cyber insurance,” said policyholder attorney Scott N. Godes, partner with Barnes & Thornburg LLP in Washington, D.C.
It is one of the earliest, if not the earliest, decisions “on coverage for hardware and software losses for ransomware-related cases,” Mr. Godes said. “I anticipate it being cited quite frequently in federal court. It’s the leading decision on point right now.“
Mr. Godes said insurers have taken the position there is no damage to hardware if software is merely deleted, if the computers can be turned on, or if the computers have had their drivers wiped clean and can be started from scratch, “whereas here the court says there was damage to the computer system itself, despite its residual ability to function.”
“The court found that the impairment of the computer system, even though it was still functional, was sufficient to constitute a loss under the policy,” said policyholder attorney Michael S. Levine, a partner with Hunton Andrews Kurth LLP in Washington, D.C.
“The fact that the computer system was not totally disabled did not negate coverage. Insurers argue time and again that if the property is still functional, then it hasn’t suffered a direct physical loss, and the court rejected that.”
Insurer attorney Jenni Katzer, an associate with Troutman Sanders LLP in Irvine, California, said, it is a “well-reasoned” ruling, that a computer can be damaged without being completely inoperable. She called the decision “pretty significant.”
Laura Gregory, a partner with Sloane &Walsh LLP I Boston, who represents both insurers and policyholders, said, “It will be cited by anyone who’s attempting to get first party coverage for this type of coverage for this type of damage, because it expands what has been done in this area. So I expect unless it’s overturned, it’s going to get a fair amount” of attention. “Whether other courts follow it is another question.”
“My expectation is, we’re going to see policies that may be rewritten in such a way to avoid outcomes like this going forward,’ Mr. Vogel said.
Dan Marvin, a partner with Morrison Mahoney LLP in New York agreed. Over time, insurers will revise their policies “so ultimately these types of rulings may fade out.
“That being said, if there are other companies with similar policy language, where a similar type of ransomware attack happens, (the ruling) is something that can be used for guidance for those seeking to enforce similar policy language.”
“I don’t think (the ruling is) terribly significant” with insurers moving to channel coverage for cyber losses into tailored products, said Scott M. Seaman, co-chair of Hinshaw Culbertson LLP’s insurance services practice group in Chicago, who added the coverage in this case was written under a 1999 Insurance Services Office Inc. form, even though the policy in question was issued in 2016, and more recent policy forms have exclusions that likely would have applied here.
Mr. Seaman said, “One single federal court decision in Maryland is not a watershed movement, I believe.” If the insurer “chose to appeal, there’d be some issues worth arguing,” he said.
“I think it will be upheld on appeal,” said policyholder attorney Joshua Gold, a shareholder with Anderson Kill PC in New York. “I think the chances are strong for the case to remain on the books, and I think the case will be regularly cited in all manner of property fights over cyber-related claims.”