The Supreme Court of Ohio recently ruled that a ransomware attack on a medical billing company failed to cause direct physical damage to the company’s computer software as required under its business owners policy. Prior to this ruling, a ransomware attack on a business computer system and resultant claim under an all-risk commercial property insurance policy had not been addressed in Ohio.
EMOI Services LLC suffered a ransomware attack in 2019 after its system was hacked, leaving its files and software encrypted and inaccessible unless EMOI paid approximately $35,000 worth of Bitcoin. EMOI paid the requested ransom, and most, but not all, of its system files returned to normal following a decryption process. The attack and subsequent decryption did not result in any hardware or equipment damage. After Owners Insurance Company denied coverage under the Electronic Equipment Endorsement, EMOI sued the insurer, alleging breach of contract and bad faith denial of coverage.
The policy’s Electronic Equipment Endorsement states, in part, that Owners “will pay for direct physical loss of or damage to ‘media’ which [EMOI] own[s]…we will pay for your costs to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage by a Covered Cause of Loss.” The trial court granted summary judgment in favor of Owners but was reversed by the appellate court, which ruled that the endorsement potentially applied to EMOI’s claim if the company could prove that its software was damaged by the encryption. The appellate panel held that EMOI had potentially suffered physical damage to its software and data when the hacker encrypted its files. The Ohio Supreme Court unanimously overturned the appellate court’s ruling.
Disagreeing with the appellate panel, the justices of the Supreme Court of Ohio instead found that the ransomware attack was not covered under the business owner’s property policy. The high court reasoned that computer software could not experience the “direct physical loss” or “physical damage” that is required for coverage under the policy because it does not have a physical existence. More specifically, although computers and other electronic mechanisms have “physical electronic components that are tangible in nature, the information stored there has no physical presence.”
The policy language at issue unambiguously included computer software within its definition of “media,” but also required such “media” to sustain direct physical loss or damage. EMOI argued that its affected computer software constitutes “media” and further argued that the software could be damaged, despite it being nonphysical.
The Ohio justices rejected EMOI’s argument, stating that the policy requires direct physical loss of or damage to media to provide coverage for the software. The court reasoned that although computer software is included in the definition of “media,” it is only included when the software is “contained on covered media,” meaning when it has a physical existence, like the examples of covered media provided in the policy— “film, magnetic tape, paper tape, disks, drums, and cards.” As such, the Supreme Court of Ohio was not convinced that software could sustain any physical loss or damage without any physical damage to the hardware on which the software was stored.
Similar to this case, many recent COVID-19 coverage decisions have held that there must be tangible physical damage or loss for coverage to exist under property insurance policies. These recent rulings suggest that courts are narrowly construing the requirement of “direct physical loss or damage” under first party property policies. This case is also an important reminder for corporate policyholders to protect themselves against cyber risks by procuring appropriate cyber-specific coverage where necessary instead of relying on other policies for coverage.
For more information, contact Jeffrey J. Vita at JVita@sdvlaw.com or 203.287.2103.
*Special thanks to Andrea Martin, Law Clerk, for contributing to this case alert.