Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Maryland Court Orders Insurance Company to Pay Ransomware Damages Under Businessowner’s Policy

By Sean C. Griffin on February 20, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss. The policy defined “covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.”

A December 2016 ransomware attack rendered Plaintiff unable to access the art, logos, and design for its business on its computer server, in addition to other software related to its business. Plaintiff paid, but the attacker demanded an additional payment. Eventually, Plaintiff employed a security company to replace and reinstall its software and to install protective software on its computer system. Plaintiff’s computers still functioned, but the installation of the anti-malware software slowed the computer system, which cost Plaintiff some efficiency. Plaintiff lost the art files permanently.

State Auto declined coverage on the ground that Plaintiff did not suffer “direct physical loss.” Plaintiff disagreed. Both parties moved for summary judgment. The court granted Plaintiff’s motion and denied State Auto’s. The court held that the policy’s plain language defined “Covered Property” to include “data,” and therefore, Plaintiff’s loss of data qualified for coverage. State Auto contended that the policy limited coverage to data stored on physical media, but the court rejected this conclusion based on the policy’s language. State Auto also claimed that Plaintiff could not recover because its computers were not completely incapacitated, but the court ruled that the policy provided coverage even absent complete inoperability.

After the Fourth Circuit decided Travelers Indemnity vs. Portal Healthcare Solutions, many observers believed that insurance companies would exclude damages from data breaches from their commercial general liability (CGL) policies and begin covering such damages only through policies or endorsements specifically written to address cybersecurity. However, coverage uncertainty and questions regarded pricing led many companies to offer cybersecurity insurance in other policies, such as the businessowner’s insurance policy at issue here.

As always, the lesson remains for both parties to an insurance policy to make clear what the policy covers and what it does not. Businesses should take care to ensure that their insurance policies do not contain gaps in coverage that might leave them exposed in the event of a data breach.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

Photo of Sean C. Griffin Sean C. Griffin

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts…

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.

Read more about Sean C. GriffinEmail
Show more Show less
  • Posted in:
    Insurance
  • Blog:
    Insurance Coverage Notes and Developments
  • Organization:
    Dykema
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
Library at LexBlog
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo