Silent Cyber – Recent court decision considers whether data is insurable tangible property loss
A federal district court has ruled that a property insurance policy could provide coverage for replacement of a business’s computer system that was damaged by a cyber-attack, even though the policy did not explicitly address cyber. Insurers and policyholders alike should take note of this decision because it demonstrates what has been called “silent cyber” — where there is cyber-insurance coverage despite the policy not contemplating or being designed to cover those risks. Here, a property insurance policy, which typically only covers tangible property, was interpreted to provide coverage for damage resulting to data and software that are more commonly understood to be intangible property.
In National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Company, No. 18-cv-2138 (D. Md. Jan. 23, 2020), Judge Stephanie A. Gallagher of the District of Maryland held that State Auto Property & Casualty Insurance Company was required to pay National Ink & Stitch (NIS) for its property damage claim after suffering a ransomware attack. The State Auto insurance policy at issue in this case covered direct physical loss of or damage to “covered property.” Under the Policy, “electronic media and records (including software)” included data stored on a variety of media. NIS submitted a claim to State Auto for reimbursement of the replacement cost for NIS’s computer system after suffering a ransomware attack that compromised the system. State Auto denied the claim on the grounds that the cyber-attack and subsequent damage to NIS’s computer systems did not amount to a “direct physical loss for or damage to” its computer system. NIS filed a declaratory judgment action against State Auto in federal court and the parties cross-moved for summary judgment.