Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

KickerFeaturesSectionsNewsLJN NewslettersInsurance Coverage Law Bulletin

Hacker Attack: Data Loss Considered Covered Property Under First-Party Policy

By Robert E. Johnston
August 26, 2003

The U.S. Court of Appeals for the 4th Circuit has recently weighed in on the applicability of standard-form, first-party property policies to the loss of computer data, finding such data loss resulting from a hacker attack by a former employee of the insured to be covered property damage. NMS Services, Inc. v. The Hartford, No. 01-2491, 2003 WL 1904413 (4th Cir., April 21, 2003)

The insured, a software development company selling computer programs to the telemarketing industry, suffered considerable damage to vital computer files and databases necessary for the operation of its manufacturing, sales, and administrative systems as a result of the hacker attack, which had been perpetrated by a former technical systems administrator for the insured (who had been fired 21 days earlier). It was later determined that, while still an employee, the perpetrator had surreptitiously installed two hacking programs on the network that permitted him to gain access to the system and carry out the attack after his termination.

After reviewing the policy ' which provided basic property coverage under a 'Special Property Form' and also provided optional computer coverage under a 'Computer and Media Endorsement,' the court found that the attack was a 'Covered Cause of Loss' and also held that the erasure of data from the computer system constituted 'direct physical loss or damage' to the insured's property. See, 2003 WL 1904413 at *3 (Widener, J. concurring). Accordingly, the court found there to be coverage for the insured's lost income (under the 'Business Income' coverage provision), expenses incurred by the insured as a result of the attack (under the 'Extra Expense' coverage provision), and the cost of restoring the erased files and data (under the 'valuable papers and records' coverage extension).

The court also considered whether coverage was barred by the Dishonesty exclusion, which precluded coverage for 'loss or damage caused by or resulting from' dishonesty ' defined as any dishonest or criminal act undertaken by the insured or its employees. The carrier argued that this exclusion applied because the hacker had placed the two programs used during the attack on the insured's computer system during his employment. The court agreed with respect to the version of the dishonesty exclusion contained in the computer coverage endorsement, but held that the exception to the version of this exclusion found in the Special Property Form ' which restored coverage for 'acts of destruction by your employees' ' mandated coverage for the hacker's destruction of data.

Robert E. Johnston is a partner with the law firm of Spriggs & Hollingsworth, http://www.spriggs.com/, Mr. Johnston's practice focuses on representing policyholders in insurance coverage disputes and pursuing claims against the federal government. He has written broadly on issues related to coverage for computer systems under first-party property insurance policies and third-party liability insurance policies.

The U.S. Court of Appeals for the 4th Circuit has recently weighed in on the applicability of standard-form, first-party property policies to the loss of computer data, finding such data loss resulting from a hacker attack by a former employee of the insured to be covered property damage. NMS Services, Inc. v. The Hartford, No. 01-2491, 2003 WL 1904413 (4th Cir., April 21, 2003)

The insured, a software development company selling computer programs to the telemarketing industry, suffered considerable damage to vital computer files and databases necessary for the operation of its manufacturing, sales, and administrative systems as a result of the hacker attack, which had been perpetrated by a former technical systems administrator for the insured (who had been fired 21 days earlier). It was later determined that, while still an employee, the perpetrator had surreptitiously installed two hacking programs on the network that permitted him to gain access to the system and carry out the attack after his termination.

After reviewing the policy ' which provided basic property coverage under a 'Special Property Form' and also provided optional computer coverage under a 'Computer and Media Endorsement,' the court found that the attack was a 'Covered Cause of Loss' and also held that the erasure of data from the computer system constituted 'direct physical loss or damage' to the insured's property. See, 2003 WL 1904413 at *3 (Widener, J. concurring). Accordingly, the court found there to be coverage for the insured's lost income (under the 'Business Income' coverage provision), expenses incurred by the insured as a result of the attack (under the 'Extra Expense' coverage provision), and the cost of restoring the erased files and data (under the 'valuable papers and records' coverage extension).

The court also considered whether coverage was barred by the Dishonesty exclusion, which precluded coverage for 'loss or damage caused by or resulting from' dishonesty ' defined as any dishonest or criminal act undertaken by the insured or its employees. The carrier argued that this exclusion applied because the hacker had placed the two programs used during the attack on the insured's computer system during his employment. The court agreed with respect to the version of the dishonesty exclusion contained in the computer coverage endorsement, but held that the exception to the version of this exclusion found in the Special Property Form ' which restored coverage for 'acts of destruction by your employees' ' mandated coverage for the hacker's destruction of data.

Robert E. Johnston is a partner with the law firm of Spriggs & Hollingsworth, http://www.spriggs.com/, Mr. Johnston's practice focuses on representing policyholders in insurance coverage disputes and pursuing claims against the federal government. He has written broadly on issues related to coverage for computer systems under first-party property insurance policies and third-party liability insurance policies.

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit Image

Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.