U.S. District Court Upholds Insurance Claim Following Cyber Attack

The U.S. District Court for the District of Maryland ruled that an insurance carrier should pay out on coverage it sold to a client whose computer system was damaged by a ransomware attack.

Source: MONDAQ | Published on January 31, 2020

According to the Memorandum Opinion, the client - an embroidery and screen printing business - suffered a ransomware attack in December 2016 and was unable to access much of its data. Although the business paid an initial ransom, the hacker demanded an additional payment. To this day, the business is unable to access art files stored on the server. Following the incident, the business hired a security company to replace the software and install protective software that slowed the system and thus lowered the business's efficiency. According to computer experts, full functionality will be restored only if either (i) the entire system is "wipe[d]" and reinstalled or (ii) a new server and components are purchased and installed.

After choosing to buy a new computer system to return to full functionality, the business submitted a claim to its insurance carrier. The insurer denied the claim, disputing whether the business suffered "direct physical loss of or damage to" the computer system. Specifically, the insurer argued that (i) the business lost only data, which it considers an "intangible asset," and (ii) the computer system is still functioning.

The Court granted the business's claim, determining that (i) the "intangible asset" (i.e., data) could suffer "physical loss or damage," and (ii) the computer system's inefficiency counted as "physical damage."