Thomas Caswell
Peter Kelly Golfman
According to cybersecurity firm MonsterCloud, ransomware attacks were up 800% during the pandemic.[2] This increase in frequency is likely due to a combination of weaker security controls on home networks and a higher likelihood of users clicking on COVID-19-themed ransomware lure emails.
Moreover, while ransomware attacks have become more frequent, evidence suggests that they have also been more successful as many targeted companies are electing to pay ransoms in order to restore their invaluable data.[3]
Most recently, the Colonial Pipeline ransomware attack, which resulted in a reported $4.4 million ransom payment, has spotlighted the prevalence, effectiveness and disruptive power of these cyberattacks.[4] Simply put, as we predicted, ransomware attacks have become both more common and more expensive.[5]
Generally speaking, ransomware is a type of malware — a computer virus — that embeds itself directly into a user's data, thereby rendering the data unreadable and irretrievable until a ransom is paid and the ransomware is removed from the data.
While this type of data loss, and the business interruption that tends to accompany it, is often protected by specific cyber insurance policies, which may not contain a "direct physical loss or damage to property" requirement, not all businesses carry such policies. As a result, insureds may attempt to recoup ransomware-related business income losses by turning to their traditional property policies, which do require a showing of physical loss or damage as a predicate to coverage, including for business income losses.
The physical loss or damage issue in the ransomware context was recently considered by the U.S. District Court for the District of Maryland in National Ink & Stitch LLC v. State Auto Property & Casualty Insurance Co., where an embroidery and screen printing business experienced a ransomware attack preventing it from accessing its art files and software. In its January 2020 decision, the court joined the growing majority across the country finding that electronic data, when impaired by a cyberattack, does trigger a property policy's physical loss or damage requirement.[6]
Critical to the National Ink decision, however, was the fact that the ransomware attack ultimately corrupted the insured's computer system as not all data was recovered. Therefore, although the insured was able to recover much of its data, its computer system had been sufficiently distorted to demonstrate physical loss or damage, thereby opening the door for the insured to recover business income losses caused by the cyber intrusion.
But the facts of National Ink are somewhat unusual, in that the insured was never able to fully recover all its files and the attack left the insured's software impaired, despite the insured paying the ransom. After all, an estimated 70% of organizations that elect to pay ransoms successfully recover their data.[7]
This begs a question not considered by the court in National Ink: What happens from a coverage perspective when the payment of a ransom leads to the full recovery of data? Does the intervening and temporary inability to use the ransomed data still trigger the physical loss or damage requirement of traditional property policies and thereby allow an insured to recoup business income losses? A trove of recent COVID-19 related case law may shed light on these questions.
COVID-19 Insurance Case Law
Over the last year, numerous courts across the country have been forced to tackle one recurring question: Do restrictions on an insured's use of property due to governmental shutdown orders or the alleged presence of COVID-19 constitute physical loss or damage within the meaning of traditional property policies, potentially allowing businesses to recover lost income?
While there is not complete unanimity on the topic, the resounding majority of courts considering the issue have found that although government restrictions or the presence of COVID-19 may inhibit an insured's use of property, the resulting inability to use property for its intended purpose does not constitute or arise from physical loss or damage as a matter of law.
For example, in Frank Van's Auto Tag LLC v. Selective Insurance Co. of the Southeast, an auto title transfer, tag and registration business temporarily closed its locations as a result of shutdown orders due to COVID-19 and sought coverage for its business losses under its commercial property policy claiming the property sustained physical loss or damage.[8]
In rejecting the insured's argument that it was entitled to coverage, the U.S. District Court for the Eastern District of Pennsylvania found in a Jan. 27 opinion that "there must be some issue with the physical premises which precludes or impedes the business operations" and that a "mere loss of the opportunity to function" is not physical loss or damage.
Similarly, in Mena Catering Inc. v. Scottsdale Insurance Co., a food catering company sought coverage under a commercial property policy alleging that COVID-19 had temporarily rendered its property "unfit for its intended use and therefore caused physical property damage or loss."[9]
The U.S. District Court for the Southern District of Florida rejected that argument, explaining in a Jan. 11 decision that "direct physical loss—unambiguously requires some form of actual, physical damage to the insured premises to trigger coverage" but the plaintiff "simply cannot show any such loss as a result of ... inability to access its own office." The court further noted that the "coronavirus does not physically alter the appearance, shape, color, structure, or other material dimension of the property."
In Pappy's Barber Shops Inc. v. Farmers Group Inc., a group of barber shops sought coverage for financial losses suffered as a result of stay-at-home orders related to COVID-19, arguing that their property was rendered "uninhabitable or unsuitable for its intended purpose" which "qualifies as a physical loss."[10]
Again, the U.S. District Court for the Southern District of California disagreed, finding instead in a Sept. 11, 2020, opinion that "losses from inability to use property do not amount to 'direct physical loss of or damage to property' within the ordinary and popular meaning of that phrase" and that "[p]hysical loss or damage occurs only when property undergoes a 'distinct, demonstrable, physical alteration.'" The court also noted that "temporary impairment to economically valuable use of property" is not "physical loss or damage."
Finally, in Pez Seafood DTLA LLC v. Travelers Indemnity Co., a restaurant sought coverage under its property policy "stemming from an inability of the property to be used for one of its core functions—dine-in food service" during the COVID-19 pandemic.[11]
In rejecting the restaurant's argument, the U.S. District Court for the Central District of California explained in its Jan. 20 opinion that "in order for a loss of functionality to constitute a 'direct physical loss,' there must be a nexus between the loss and a physical change or effect on or near the premises" and that "physical damage" requires "some physical intrusion that compromises the physical integrity of property."
Notably, the Pez Seafood court expressly distinguished the temporary loss experienced by the plaintiff-restaurant from the permanent data loss and system distortion at issue in the National Ink case.
Application to Ransomware Losses
So, how could the above outlined coronavirus case law impact the availability, or unavailability, of silent cyber coverage for ransomware losses? As a starting point, we expect policyholders to argue that these holdings should support a finding of coverage. The argument will likely be that during a ransomware attack, the ransomware is embedded directly into a user's data, rendering the data unreadable and irretrievable until a ransom is paid.
Policyholders may argue that this distinguishes ransomware attacks from coronavirus losses, because while courts have found that the "coronavirus does not physically alter the appearance, shape, color, structure, or other material dimension" of property,[12] data infected with ransomware has been altered. Insureds may also attempt to argue that this alleged data alteration, making data unreadable and irretrievable, is sufficient to demonstrate physical loss or damage, even where the ransom is paid and data is returned.
Nevertheless, insurers can counter these arguments by pointing to the notable parallels that exist between COVID-19 losses and ransomware. Specifically, in each of the above-referenced coronavirus cases, the claimed business income losses were alleged to have resulted primarily from the inability to use property. Insureds in the ransomware context are making a similar argument; that is, they allege that their claimed business income losses stem from the unavailability of data held ransom.
Additionally, insurers may point to the fact that, just as the alleged loss of use or function of the subject properties in the above-referenced coronavirus cases was (at most) temporary in nature, ransomware losses are also temporary. Once coronavirus restrictions are lifted, or the pandemic subsides, an insured's property, which the insured alleged was unusable, indisputably becomes usable once again for its preloss function.
The same argument can be made for ransomware, where regardless of the fact that data was temporarily rendered unreadable and irretrievable by a cyberattack, a ransom payment will result in the data's restoration to its preloss function. In this regard, insurers can point to the fact that many courts have found that the "direct physical loss or damage" requirement contemplates that the property "become unsatisfactory for future use" or requires that "repairs be made to make it so."[13]
But where cybercriminals return ransomed data, that data should be immediately functional and no repairs should be required for its future use. Importantly, such a loss would be distinguishable from National Ink, where the ransomware attack permanently corrupted the insured's computer system and not all data was recovered.
Therefore, in both the COVID-19 and ransomware contexts, the loss may be best characterized as a "temporary impairment to economically valuable use of property," which coronavirus case law indicates is insufficient to trigger coverage under a property policy.
While we expect policyholders will look to distinguish ransomware losses from the spate of coronavirus decisions finding that a temporary inability to use property, without more, is insufficient to prove physical loss or damage, the parallels should not be ignored. Both instances involve a business income loss that is primarily driven by a temporary inability to use property for its intended purpose. We therefore expect the wealth of case law developed during the pandemic to play an important role in future cyber litigation.
Thomas Caswell is a partner and Peter Kelly Golfman is a senior associate at Zelle LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] COVID-19 pandemic sparks 72% ransomware growth, mobile vulnerabilities grow 50%, available at https://www.securitymagazine.com/articles/92886-covid-19-pandemic-sparks-72-ransomware-growth-mobile-vulnerabilities-grow-50.
[2] Top Cyber Security Experts Report: 4,000 Cyber Attacks a Day Since COVID-19 Pandemic, available at https://www.prnewswire.com/news-releases/top-cyber-security-experts-report-4-000-cyber-attacks-a-day-since-covid-19-pandemic-301110157.html.
[3] The rise of ransomware during COVID-19, available at https://home.kpmg/xx/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html.
[4] Hackers behind Colonial Pipeline attack reportedly received $90 million in bitcoin before shutting down, available at https://www.cnbc.com/2021/05/18/colonial-pipeline-hackers-darkside-received-90-million-in-bitcoin.html.
[5] https://www.claimsjournal.com/news/national/2016/06/27/271786.htm.
[6] Nat'l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679 (D. Md. 2020).
[7] Ransomware: When Companies Pay Hackers, Do They Get Their Data Back, available at https://www.secureworldexpo.com/industry-news/ransomware-when-companies-pay-hackers-do-they-get-their-data-back.
[8] Frank Van's Auto Tag, LLC v. Selective Ins. Co. of the Se., 2021 WL 289547, at *1 (E.D. Pa. 2021).
[9] Mena Catering, Inc. v. Scottsdale Insurance Co., 2021 WL 86777 (S.D. Fla. 2021).
[10] Pappy's Barber Shops, Inc. v. Farmers Grp., Inc., 487 F. Supp. 3d 937, 943–44 (S.D. Cal. 2020).
[11] Pez Seafood DTLA, LLC v. Travelers Indem. Co., 2021 WL 234355, at *4 (C.D. Cal. 2021).
[12] Mena Catering, 2021 WL 86777.
[13] See, e.g., AFLAC Inc. v. Chubb & Sons, Inc., 260 Ga. App. 306, 308 (2003); Graspa Consulting, Inc. v. United Nat'l Ins. Co., 2021 WL 1540907, at *5 (S.D. Fla. Apr. 16, 2021); Great Plains Ventures, Inc. v. Liberty Mut. Fire Ins. Co., No. 14-1136-JAR, 2016 WL 1715453, at *3 (D. Kan. Apr. 29, 2016).