Increasingly, businesses buy cyberinsurance to protect valuable electronic assets, including computer systems themselves and the data stored within them. These policies, however, are relatively young. They frequently utilize terminology taken from traditional property/casualty policies, the meanings of which are informed by decades of case law. These seemingly familiar words, however, are creating novel cyberinsurance issues that may impact the coverage you have, or think you have.
In Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020), a court addressed a centuries old concept – physical loss – through the cyberinsurance lens. After a screen-printing company suffered a ransomware attack, the company had data stolen and computers rendered partially inoperable. The company filed a claim under their cybersecurity policy, which familiarly stated that the carrier “will pay for direct physical loss of or damage to Covered Property…”.
The company obtained cyber coverage through an endorsement. The Businessowners Special Form Computer Coverage endorsement refined the definition of “Covered Property” to include “Electronic Media and Records (Including Software).” It defined “Electronic Media and Records” to include:
(a) Electronic data processing, recording or storage media such as films, tapes, discs, drums or cells; or
(b) Data stored on such media.
No brainer, right? Claim denied. The dispute turned on whether Plaintiff experienced “direct physical loss of or damage to” its computer system requiring covering the replacement cost for the entire system.
The court joined a growing number of jurisdictions in defining “direct physical loss or damage” to include the loss of data and system functionality “based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself.” The court rejected the notion that “physical loss or damage” required the complete inoperability of an insured’s computer system, as may follow a power surge or a fire. Because the policy covered “physical loss or damage to” Electronic Media and Records, both the data loss and partial loss of functionality were covered.
This holding stressed that the subject policy expressly included “data” and “software” as categories of “covered property.” Particularly when purchasing cyber coverage as an endorsement to traditional coverages, it is critical to scrutinize policy definitions of even seemingly familiar terms. The scope of “covered property” as it relates to cyber assets novel territory. Familiar terms likely require tailored definitions that reflect the new context in which they are being used. If your policy has not carefully considered the impact of recycled terminology, a carrier may argue that you have not gotten the coverage for which you paid. It is therefore critical that your cyber policy’s definition of terms like “covered property,” and particular newer terms created to refine those definitions, reflect and include your business’ most valuable electronic assets.
Patrick McKnight is an associate in the Klehr Harrison Harvey Branzburg LLP Litigation Department, a 2020 Rutgers Law graduate (JD/MBA), and a current member of the United States Army National Guard.