Proving Physical Damage in Ransomware Insurance Claims

In recent years, the threat of ransomware attacks has become an important focus of concern, both as a national security vulnerability and as a significant business risk. In fact, this past June, the East coast was hit with a ransomware attack from a virus called Petya, which affected thousands of computers in more than 150 countries. Ransomware attackers install malicious code on an organization’s computer systems, typically rendering them inaccessible until a ransom is paid. When an attack locks down a critical system, damages can quickly accumulate. As ransomware attackers grow more sophisticated—helped by foreign governments as well as criminal networks—businesses need to insure against losses from attacks not only against their own systems, but also against the systems of their critical suppliers.

Ransomware attacks are often included under a company’s business interruption policy, which typically covers lost income from physical loss or damage to the insured property. Such policies can also include contingent time element coverage, which insures against business interruption of a supplier. Policies usually require the insured to show physical loss or damage in connection with a claim.

Loss of Access Can Be Physical Damage
Showing physical loss might first appear difficult in the context of ransomware attacks, because they usually only deny access to data, without actually damaging or destroying it. In a conventional business interruption case, showing damage requires proof that an external force has caused a physical change in the insured property’s condition. But courts have held that “physical loss or damage” needn’t be “tangible, structural, or even visible.” Newman Myers Kreines Gross Harris, P.C. v. Great Northern Ins. Co., 17 F.Supp.3d 323, 330 (S.D.N.Y. 2014).

Loss of access, loss of use, and loss of functionality can constitute physical damage. American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM 2000 WL 726789 (D. Ariz. April 18, 2000).  In Ingram, the court held that the policyholder was entitled to coverage for losses caused by a power outage that erased programming information and customer configurations from a mainframe computer, which was otherwise undamaged.

But Loss of Access Isn’t Enough
Whether loss of use constitutes physical damage largely depends on the surrounding circumstances. Like so many other legal issues involving new technology, one needs to draw analogies to cases involving real-world examples of loss of use to understand how it might work in a ransomware situation.

Simply asserting loss of access to a system doesn’t tell the whole story, with fatal results for a claim. In Newman Myers, the policyholder filed a claim for lost business income and other expenses related to a loss of power during and after a hurricane, which had forced the policyholder’s offices to close for about a week. The court sided with the insurer, noting that the policyholder hadn’t shown that the denial of access was due either to a physical change for the worse in the premises or a newly discovered risk to the premises’ physical integrity. Newman Myers, 17 F.Supp.3d at 330-32.

However, if the policyholder can show a loss of function, that may support an argument for “physical damage.” In Wakefern Food Corp. v. Liberty Mutual Fire Ins. Co., 406 N.J. Super. 524 (2009), a supermarket chain filed a claim for spoiled food and business interruption following a four-day blackout. Although the policy covered physical damage of off-premises power equipment, the insurer denied the claim on grounds that the electrical grid had not been physically damaged. The court rejected the argument, on grounds that the grid’s component systems had been “physically incapable of performing their essential function.” Id. at 540.

The Wakefern Food Corp. case offers an approach to establishing a good claim in a ransomware case, namely to show that the attack rendered the system “incapable of performing its designed function.” When an attack occurs, it is important to preserve all the facts related to it so a good case can be made in defense of a claim.

Slater Hersey Can Help
The attorneys at Slater Hersey LLP have extensive experience with complex insurance claims. If your business has been affected by a ransomware attack, either directly or through a disruption at one of your suppliers, we can help you build a strong business interruption claim. More importantly, we can help you get ahead of ransomware risk by finding the gaps in your insurance coverage that might leave you vulnerable. To schedule a consultation, give us a call today.