Third-Party Liability for Ransomware Attacks: Are You Covered?

Changes in the way organizations do business, brought about by Covid-19, have increased cybersecurity risks.

The Covid-19 pandemic has caused a massive shift in the way organizations do business and the way their employees do their work. This shift has also brought about an increase in cybersecurity risks, which should not be overlooked. Much of this increased risk comes from the rise in ransomware attacks.

According to one of the largest cyber insurance providers in North America, approximately 41 percent of cyber insurance claims in the first half of 2020 are attributed to ransomware attacks. While one can be forgiven for thinking that cybersecurity is a concern only for large corporations, that is far from the case. The malicious actors behind ransomware attacks do not discriminate. It is a problem that affects organizations large and small in various industries, including healthcare, government, construction, manufacturing, legal, and education, to name a few.

Despite this increased risk, cybersecurity companies report that more than a quarter of small businesses have no plan to mitigate a ransomware attack.

For the uninitiated, ransomware is a type of malicious software that is embedded into a computer system through a variety of different methods. It encrypts the data on that system, potentially rendering that system, and any other systems that rely on that data, inoperable. The ultimate goal of the malicious actors is to extort money—a ransom—from the victim by offering to restore the computer systems upon payment. Victims can either pay the ransom or deal with the fallout; many, at the suggestion of their cyber insurance carriers, opt to pay the ransom.




When faced with a possible ransomware attack, organizations need to consider the potential for unintended victims, and for liability to reliant third parties, if their computer systems remain inoperable or their data is lost.

Recently, a hospital in Germany fell victim to a ransomware attack. When the hospital’s computer systems were inoperable, a number of patients required emergency transport. Tragically, one of the patients died during transport. This is reported to be the first known death caused by a ransomware attack.

Blackbaud, a leading cloud services provider, is facing numerous class-action lawsuits as a result of a ransomware attack on its servers.

As small businesses rely more and more on computers and data rather than paper, such unintended consequences are likely to become more frequent. Organizations often look to their general liability policies to cover them for accidental losses, but they may find themselves up a creek without a paddle.

Many, if not most, commercial general liability policies expressly preclude coverage for data-related liabilities. Even if your policy does not specifically exclude data-related liability, you may have a hard time obtaining coverage for such an event. General liability policies typically offer to defend the insured faced with a lawsuit claiming either bodily injury or property damage caused by an occurrence (typically defined as an accident).

“Bodily injury” is fairly easy to identify, and clever plaintiffs can usually get around the need for an “occurrence” by pleading some form of negligence (e.g., negligent failure to provide effective security). However, a ransomware attack is far more likely to cause property damage (e.g., corrupted data, unusable computer systems) than bodily injury. Most courts around the country do not interpret corruption of software and data as property damage under traditional insurance policies.

Recently, a federal district court in Maryland held that loss of computer data and software was covered. There, the insured, an embroidery and screen-printing business, was the victim of a ransomware attack. Despite paying the initial ransom, the company was unable to recover many of the files that it needed to operate. The company looked to its insurance to cover its losses, and the insurer denied coverage.

According to the insurer, the company had not suffered a physical loss or damage to its computer system. The court disagreed and noted that, unlike many other insurance policies, the policy at issue did not limit coverage to damage to “tangible property”—and, in any event, it reasoned that Maryland courts would find physical damage to the computer software because the ransomware attack rendered the software inoperable.

This is one of the first instances of coverage for lost data resulting from a ransomware attack under a traditional policy, but it may not be the last. That said, this is a minority position, and the policy language was a determining factor in this case.

Given the heightened risk of ransomware attacks during the pandemic, organizations should not rely on the remote possibility that a court may rule in their favor on these issues. The most prudent thing to do is to prevent such problems from arising in the first place. Indeed, when it comes to cyber attacks, an ounce of prevention is worth a pound of cure.

No cybersecurity plan is foolproof; technology changes at such a rapid pace that the risk of an attack is always present. Rather than depend on general liability coverage, which may not cover cyber risks, organizations should consider adding cyber insurance to their insurance portfolio.

These coverages are far from standardized and come in a variety of shapes and sizes. For example, some cyber policies may provide coverage for expenses incurred in responding to a ransomware attack but may not provide coverage for any damage caused to third parties. Other policies may cover liability but may not provide coverage when the attack is through an employee-owned device.

Now that working from home has become ubiquitous, companies, both big and small, should carefully evaluate their insurance portfolios and fill any gaps that they may have due to the heightened risk that this new work arrangement brings.


Oliver Sepulveda is an associate in the Miami office of Shutts & Bowen, where he is a member of the insurance practice group.

From: Daily Business Review