Judge Finds Ransomware Damage to Computer a ‘Direct Physical Loss’
State Auto Property and Casualty Insurance Co. is liable for the cost of replacing a computer server that was damaged and perhaps permanently compromised by a ransomware attack despite the carrier’s argument that the business owner did not suffer a direct physical loss, a federal judge in Maryland ruled.
State Auto denied a claim filed by National Ink & Stitch, a screen printing and embroidery business, for the cost of replacing its computer system after suffering a ransomware attack in December 2016.
State Auto argued the business did not suffer a “direct physical loss of or damage to” the computer system. National Ink filed suit and filed a motion asking the court to issue summary judgment in its favor.
U.S. District Judge Stephanie A. Gallagher granted that motion on Thursday.
Gallagher’s written opinion notes that National Ink paid the Bitcoin demanded by the hackers who implanted ransomware on its computer system, but the system moved more slowly afterward because of new protective measures that were put in place. Also, the art files that had been stored on the server could not be assessed.
Computer experts testified that there were likely dormant remnants of the ransomware virus in the system. National Ink’s only options were to wipe the entire system and reinstall the software and data or purchase a new server and components, according to the opinion.
The State Auto businessowner’s policy included “electronic media and records (including software)” as covered items. State Farm argued that it was not liable because the company lost only data, which is an intangible asset; it could still use the computer system to operate its business.
National Ink countered that its businessowner’s policy contemplates computer data and software to be subject to “direct physical loss” under the terms of the policy.
Judge Gallagher said while Maryland courts have not addressed the question of whether data or software can be susceptible to physical loss or damage, other courts have addressed the question.
The Texas Court of Appeal, in Lambrecht & Assocs. Inc. v. State Farm Lloyds, ruled in 2003 that the insurer was liable for the cost of replace a computer server that had been infected with a virus. The court reasoned that the server falls within the definition of “electronic media and records” as defined in the policy, according to Gallagher’s opinion.
The U.S. Fourth Circuit Court of Appeals also addressed the question in 2003, in a case titled NMS Servs. Inc. v. The Hartford. A former employee had erased computer files that were essential for the operation of the company’s sales, manufacturing and administrative system. The 4th Circuit found that NMS’ policy covered resulting losses because the company has suffered a “direct physical loss” as defined in the policy.
“Indeed, a computer stores information by the rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a meaningful sequence of magnetic impulses cannot float in space,” the opinion states, citing the 4th Circuit’s ruling.
Gallagher found that National Ink’s policy did not require a total loss of function of the computer system to merit coverage.
“Because the plain language of the policy provides coverage for such losses and damage, summary judgment will be granted in favor of plaintiff’s interpretation of the policy terms,” the judge concluded.