The company sought coverage for its losses under a property policy intended to cover “all risks,” including the destruction or corruption of computer data or software; however, the insurers argued that an exclusion for “Hostile/Warlike Action” precluded coverage. The company maintained that attribution to a nation-state had not been proven, and that in any event, the war exclusion did not apply to this type of action.
In ruling for the pharmaceutical company, the court looked to the “plain meaning” of the exclusion. According to the judge, the company had a reasonable expectation that the exclusion would apply “only to traditional forms of warfare.” Moreover, despite their awareness that cyberattacks were becoming increasingly common, “the Insurers did nothing to change the language of the exemption to reasonably put the Insured on notice that it intended to exclude cyberattacks,” the judge noted, finding the war exclusion precluded only a physical act of warfare, not a malware hack.
While welcome news for this particular insured, the decision of a state trial court judge is hardly precedent setting; other courts may rule differently, and other policies may contain stronger exclusionary wording. In any event, underwriters can be expected to revisit existing language in light of this decision.
The judge ruled that the health insurer was not subject to the Fair Credit Reporting Act (“FCRA”), as the plaintiffs alleged, because the company did not operate as a “credit reporting agency” and the theft of the laptops involved no voluntary disclosure of data by the insurer. The plaintiffs asserted allegations under both state and federal law, but without a viable claim under the FCRA, the judge declined to exercise jurisdiction over the state law claims, at least for the time being. Should the plaintiffs make out a claim under a federal statute, the judge indicated a willingness to reconsider her decision.