COVID-19: Cybersecurity and Insurance Coverage

COVID-19-related medical facilities have been targeted in ransomware attacks. Brno University Hospital, a testing hub in the Czech Republic, was hit with one such attack — impacting operations and surgeries. Lily Hay Newman, "Coronavirus Sets the Stage for Hacking Mayhem," WIRED (March 19, 2020). And Hammersmith Medicines Research, a British company that is on standby to perform medical trials on a COVID-19 vaccine, was hit with a malicious ransomware attack in which the attackers published patient records online to try to force the company to pay the ransom. Davey Winder, "COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online," Forbes (March 23, 2020).

Although companies and their employees are on high alert, the medical facility examples demonstrate that some of these attacks will succeed. When these attacks succeed, in-house counsel and risk management professionals will look for coverage under their cyber insurance policies. Insurance coverage for such incidents, however, are also present in other policies, and these other policies should not be cast aside. As National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company (National Ink) demonstrates, careful review of all policies, including property insurance, is necessary.

'National Ink'

In National Ink, the U.S. District Court for the District of Maryland held that a businessowner's insurance policy provided coverage for losses arising out of a ransomware attack. Civil Case No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020).

The policyholder, National Ink and Stitch, LLC, is an embroidery and screen printing company (National Ink). To protect, among other things, against "direct physical loss of or damage to" its property, the policyholder purchased a businessowner's insurance policy (the Policy).

In December 2016, National Ink suffered a ransomware attack that prevented it from accessing its art files and other data contained on its server, as well as certain software. The attacker demanded payment of a bitcoin ransom. National Ink complied with the ransom demand, but the attacker then demanded further payment and refused to release the data and software it was holding. National Ink then hired a security company to replace and reinstall its software, and to install protective software on its computer system. In the end:

• The installation of protective software slowed the system and resulted in a loss of efficiency;
• Art files formerly stored on the system cannot be accessed, and National Ink either has or will have to recreate them; and
• Computer experts testified that there were likely dormant pieces of the virus in the system that could re-infect the system.

National Ink filed a claim with its insurer, seeking coverage for the attack, and resulting losses. The insurer denied coverage for the cost of replacing the company's computer system.

The policy obligated the insurer to cover "direct physical loss of or damage to Covered Property … caused by or resulting from any Covered Cause of Loss." "Covered Property" was defined "to include 'Electronic Media and Records (Including Software).'" And "Electronic Media and Records," in turn, included: 1) Electronic data processing, recording or storage media such as films, tapes, discs, drums or cells; and 2) Data stored on such media.

The insurer denied coverage for the cost of replacing National Ink's computer system on the grounds that National Ink did not suffer "direct physical loss or damage." The court rejected the insurer's position and held that National Ink suffered: 1) loss of data or software; and 2) loss of functionality, and could recover on either basis. Both findings are important for victims of ransomware attacks.

Loss of Data or Software. On the first issue, the court held that National Ink could recover for its loss of data and software in its computer system. Although the insurer tried to argue software and data could not suffer "physical" loss — as required by the policy's insuring agreement — the court reasoned that data and software were expressly treated as "covered" property under the policy, and therefore must be capable of suffering physical loss within the meaning of the policy's coverage.

Loss of Functionality. On the question of loss of functionality, the court held that National Ink was entitled to recover for the slowdown to the computer system. The court rejected the insurer's arguments that the slowdown was not damage because the systems were still functioning, holding that, "utter inability to function" is not required under the policy language. The court went on to hold that "loss of use, loss of reliability, or impaired functionality demonstrate the required damage to a computer system, consistent with the 'physical loss or damage to' language" in the policy.

'Moses Afonso'

Moses Afonso Ryan Ltd. v. Sentinel Ins. Co. Ltd. involves a similar coverage dispute. Case No. 1:17-001570-WES-LDA (D.R.I.) (Moses Afonso). In Moses Afonso, the law firm of Moses Afonso Ryan (MAR) advanced similar arguments for coverage before the U.S. District Court for the District of Rhode Island under a businessowners' insurance policy. A ransomware attack infected the firm's network, encrypting information so that it was not accessible. Although MAR paid the $25,000 ransom, it took over nine months to retrieve the corrupted information. The firm suffered over $700,000 in business income losses as a result.

MAR turned to its insurer for coverage. The insurer reimbursed MAR $20,000 pursuant to the policy's sublimit for "Computers and Media" coverage, which provided coverage for any loss related to "the cost to research, replace or restore physically lost or physically damaged 'data' and 'software'" for up to $20,000. But it refused to cover MAR's business income losses.

Like National Ink, MAR argued that it was entitled to business income coverage because the loss was due to physical loss and damage to its property (e.g., its computers, computer system, data, and information) from the cyberattack. MAR also argued that property — such as its computer system, data, and information — should be included under the definition of property. The Moses Afonso action was withdrawn, likely due to settlement, before the court could render a decision.

Protecting the Bottom Line After Attacks

National Ink and MAR demonstrate that policyholders have a path to insurance recovery under policies in addition to cyber insurance policies. Based on the arguments asserted in these two cases, and the many more that will no doubt follow, policyholders should be sure to consider coverage for COVID-19 and other ransomware losses under all policies, including those covering business and property risks.

*****

Peter A. Halprin is a partner and Jacquelyn M. Mohr is a senior managing associate at Pasich LLP. This article also appeared in the New York Law Journal, an ALM sibling of Cybersecurity Law & Strategy.