Judge forces insurer to help small business to clean up after a crippling ransomware attack

The ruling adds some clarity to the otherwise murky world of cyber-related insurance claims.

At least one insurance company will cover the costs from a cyberattack against one of its clients.

A Maryland federal judge on Thursday ruled that an Ohio insurer must cover the costs following a ransomware attack that forced a client to replace much of its technology. State Auto Property & Casualty Insurance is on the hook for losses incurred by National Ink & Stitch, a Maryland screen printing business, after a 2016 hack resulted in “direct physical loss or damage” of National Ink & Stitch’s property.

No dollar figure has been set yet. The embroidery company had sought $310,000 in damages from State Auto, which has a $1.3 billion market cap.

The summary judgment decision from Judge Stephanie A. Gallagher, of the U.S. District Court of Maryland, comes amid ongoing skepticism about the way insurance companies have waded into data security incidents, which are difficult to predict.


As a number of insurers argue in court over whether cyber-related incidents are covered under different policies, other firms now incentivize clients to purchase certain security products, while being careful to avoid endorsing those same products. Some firms, like Swiss Re Americas, a reinsurer, have been reluctant to totally embrace cyber insurance because of the uncertainty.

The facts in this case, the judge wrote, “are largely undisputed.”

National Ink & Stitch stored art, logos, designs, shop management software, embroidery software and other business needs on its computer server. That server was infected with ransomware on Dec. 2, 2016, rendering much of the information stored there inaccessible until National Ink & Stitch elected to pay an undisclosed sum. Even when the company agreed to pay, however, hackers demanded more money, in the form of bitcoin, resulting in the loss of art and forcing National Ink & Stitch to hire an outside security firm to clean up the mess.

Within two weeks, the embroidery shop filed a claim with State Auto, citing language where State Auto agreed to cover “direct physical loss of or damage” to property including stored media files. National Ink & Stitch sought to be reimbursed for a new computer system because its existing technology was not capable of running at full speed, resulting in lower efficiency, and was at risk of being infected again by the same ransomware.

State Auto refuted the claim, according to court filings, disputing whether National Ink & Stitch had actually experienced a “direct physical loss of or damage to” its computer system in a way that would warrant reimbursement.


“In the instant case, State Auto seems to equate ‘physical loss or damage’ to [National Ink & Stitch’s] computer system to require an utter inability to function,” the judge wrote in her opinion. “The Policy language, and the relevant case law, impose no such prerequisite.”

The judge’s decision did not take into account what, if any, technologies National Ink & Stitch had employed to fend off ransomware attacks.

This ruling adds only a small piece of clarity to the murky world of cyber-related insurance claims.

In an unrelated case scheduled to go to court, insurance giant AIG will argue it is not responsible for covering nearly $6 million in losses incurred by a client previously victimized by Chinese hackers. That dispute involves the nature of the client’s policy with AIG. In another matter, Zurich Insurance is arguing it should not need to cover losses from the snack giant Mondelez International because the insurer defined the 2017 NotPetya attack on Mondelez as an act of war, rendering it exempt.

The judge’s ruling is available in full below.

