In the latest issue of The Wright Toolbox:
- You Might Have Cyber Coverage You Didn’t Know You Had – read now
- Ban The Box Took Effect In Maryland On February 29, 2020 – read now
You Might Have Cyber Coverage You Didn’t Know You Had
You have been reading and hearing all about cyberattacks for years and business consultants and insurance agents are all saying you need cyber coverage insurance. But you said “a cyberattack will never happen to me,” so you didn’t get the policy. Well, a new case from the Maryland federal court has held that a traditional business owner’s insurance policy with a computer coverage endorsement actually covered damage caused by a ransomware cyberattack. Wait, does that make you a visionary? No, get the cyber coverage, but there might be coverage in more traditional policies for cyberattacks than previously thought. Here are some stats on cyberattacks: More than half of all small businesses have suffered a breach within the last year and 4 in 10 have experienced multiple incidents. The consequences of cyberattacks continue to grow with digital incidents now costing businesses of all sizes $200,000 on average. Sixty percent of small business go out of business within six months of being victimized. At the same time, 66% of senior decision-makers at small businesses still believe they are unlikely to be targeted by online criminals. Similarly, 6 in 10 have no digital defense plan in place whatsoever.
The recent case involved National Ink & Stitch, LLC which filed suit in Maryland Federal Court against its businessowners’ insurance policy carrier seeking coverage for damage alleged to have been sustained to its computer system in a ransomware attack. National Ink was an embroidery and screen printing business. It stored art, logos, and designs for its business on its computer server. The server also held graphic arts software, shop management software, embroidery software, and webstore management software. National Ink’s computer server and networked computers experienced a ransomware attack, which prevented it from accessing all of the art files and other data contained on the server, and all of its software. The attacker demanded payment in bitcoin to release access to the software and data. Although National Ink made the requested payment, the attacker demanded further payment and refused to release the software and data. National Ink then employed a security company to replace and reinstall its software, and to install protective software on its computer system.
Ultimately, although the computers became somewhat functional again, the art files formerly stored on the server could not be accessed and will need to be recreated. In addition, the installation of protective software slowed the system and resulted in a loss of efficiency. The computer experts also testified that there are likely dormant remnants of the ransomware virus in the system, that could “re-infect the entire system.” The options to eliminate the risk of further infection were to “wipe” the entire system and reinstall all of the software and information, or to purchase an entirely new server and components. National Ink presented a claim to its insurance company for the cost of replacing its computer system as a result of the ransomware attack. However, the claim was denied. The insurance company disputed whether there was a “direct physical loss of or damage to” the computer system.
The policy language provided in relevant part that the policy will “pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” The Businessowners policy had a computer coverage endorsement that defined “Covered Property” as including “Electronic Media and Records (Including Software),” and defined “Electronic Media and Records” to include among other things “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells and data stored on such media.”
The Court applied traditional contract interpretation principles in analyzing the policy language. The insurer contended that because National Ink only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience “direct physical loss.” National Ink, countered that the policy’s language contemplates computer data and software as being property subject to “direct physical loss,” and that its computer system itself sustained damage in the form of impaired functioning. The Court held that National Ink could recover based on either: (1) the loss of data and software in its computer system, and/or (2) the loss of functionality to the computer system itself. The Court observed that loss of use, loss of reliability, or impaired functionality demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” language in the policy. The Court stated “in many instances, a computer will suffer ‘damage’ without becoming completely inoperable.” Because National Ink was left with a slower system, which was harboring a dormant virus, and was unable to access significant portions of software and stored data, it sustained physical loss or damage covered by the policy.
With respect to the issue of the loss of data, the Court noted that the Policy expressly lists “data” as an example of covered property under the definition of “Electronic Media and Records (Including Software).” The policy also includes “data stored on such media” as a separate subcategory of Covered Property and the phrase “Including Software” describing covered property. Thus, the Court concluded that the plain language of the policy contemplates that data and software are covered and can experience “direct physical loss or damage.”
The takeaways here are: (1) get cyber coverage and (2) if you experience a cyberattack you need to check your more traditional policies to see if you might be able to get some additional coverage for any damage you sustain.
Ban The Box Took Effect In Maryland On February 29, 2020
During the 2019 legislative session, the Maryland General Assembly passed Senate Bill 839 prohibiting employers with 15 or more employees from asking candidates about their criminal backgrounds on their employment applications. While Governor Hogan vetoed the legislation in May 2019, the legislature overrode the veto on January 30, 2020, which makes the law effective February 29, 2020.
The legislation, known commonly as “Ban the Box” prohibits employers from asking employees questions about their criminal backgrounds on their employment applications. However, unlike other similar statutes, including a Baltimore City ordinance, employers are permitted to ask questions about applicants’ criminal histories during the first, in-person interview. Furthermore, the law does not apply to employers who provide “programs, services or direct care to minors or to vulnerable adults,” or prohibit an employer from making inquiries that are required by federal or state law.
Violations of the law can result in civil penalties up to a $300 fine per offense. While this may seem like a small penalty, each applicant who submits a non-compliant form constitutes a separate offense.
While some form of this law was already in effect in Baltimore City, Prince George’s County, and Montgomery County, it now applies statewide. Given the short time between the veto override and the effective date, it’s important that employers in Maryland immediately review their employment applications to ensure that their application forms are compliant. If you have questions about this law, including whether it applies to your business, please contact our Employment & Labor Law practice group.