Cyber Insurance Experiencing Future Shock

Expanding Liability

Recent court decisions show how a cyber claim can arise under a traditional policy:

• A Maryland federal district court determined that a ransomware attack — and the insured's attempts to remedy that attack — caused "direct physical loss or damage" to the insured's computer system by slowing the system and making it less useful. The carrier argued that the critical issue was whether the software or data had been damaged, and that both were intangible. The court reasoned that the business owner's policy listed among covered items "data stored" on physical media, including software. Thus, the policy contemplated that these things could experience direct physical loss or damage. Nat'l Ink and Stitch, LLC v. State Auto Prop. and Cas. Ins. Co., 435 F.Supp.3d 679 (D. Md. 2020).
• Under a similar policy, Ohio's Court of Appeals determined that the encryption of a company's data — when hackers locked the data after gaining access to the company's systems — may fall within the definition of "direct physical damage." The court noted that in addition to damage to data and media, the attack resulted in the company's phone system being completely unworkable. EMO Servs., LLC v. Owners Ins. Co., 2021 Ohio App. LEXIS 3849. The Supreme Court of Ohio has accepted review.
• A company that operated restaurants, hotels, and casinos suffered a data breach which led to the loss of customer credit card data. A credit card processor sued the company after a data breach seeking to recover $20,000,000 in assessments from MasterCard. The company in sough coverage from its insurer under a commercial general liability policy. The United States Court of Appeals for the 5th Circuit Court found that the retail company's loss of the data was a "publication" of that information that triggered "personal and advertising injury" coverage. The insurer had to defend the case against the retail company because the complaint alleged that the breach had exposed consumer data and violated the right of the consumers to keep credit card data private. Landry's, Inc. v. Ins. Co. of the Pa., 4 F.4th 366 (5th Cir. 2021).
• The most recent example comes from the court that reversed itself. Target's 2013 breach led to $138 million in losses, including $74 million to replace credit cards that were compromised. After finding no coverage in a 2021 ruling, the court changed its mind in March 2022, ruling that the loss of use of the compromised cards had occurred to "tangible property that is not physically injured." Target Corp. v. Ace Am. Ins. Co., 19-cv-2916 (WMW/DTS), 2022 U.S. Dist. LEXIS 51044 (D. Minn. Mar. 22, 2022).

What Makes Cyber Claims So Difficult?

As the cases above show, cyber claims can have huge stakes. This has caused insurers to try to clarify when such losses are covered. They have tried to exclude cyber liability from traditional policies for more than a decade, seeking to push coverage for such claims towards cyber-insurance policies. But this is where the Future Shock comes; insurers cannot write new policy language as quickly as hackers change their tactics. Freeman Mathis & Gary partner Jonathan Schwartz pointed this out in a recent interview with Law 360: While insurers are "writing a policy and accepting premium based on the risk that they're assuming," the criminals' changing tactics force courts to apply policies that may not be tailored to the new circumstances. This is how adjusters who handle claims under traditional policies may find themselves adjusting what seems like a cyber loss.