SDV Insights

A Narrow Property Policy Interpretation Finds No Coverage for Encrypted Software as a Result of a Ransomware Attack


The Supreme Court of Ohio recently ruled that a ransomware attack on a medical billing company failed to cause direct physical damage to the company’s computer software as required under its business owners policy. Prior to this ruling, a ransomware attack on a business computer system and resultant claim under an all-risk commercial property insurance policy had not been addressed in Ohio.

EMOI Services LLC suffered a ransomware attack in 2019 after its system was hacked, leaving its files and software encrypted and inaccessible unless EMOI paid approximately $35,000 worth of Bitcoin. EMOI paid the requested ransom, and most, but not all, of its system files returned to normal following a decryption process. The attack and subsequent decryption did not result in any hardware or equipment damage. After Owners Insurance Company denied coverage under the Electronic Equipment Endorsement, EMOI sued the insurer, alleging breach of contract and bad faith denial of coverage.

The policy’s Electronic Equipment Endorsement states, in part, that Owners “will pay for direct physical loss of or damage to ‘media’ which [EMOI] own[s]…we will pay for your costs to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage by a Covered Cause of Loss.” The trial court granted summary judgment in favor of Owners but was reversed by the appellate court, which ruled that the endorsement potentially applied to EMOI’s claim if the company could prove that its software was damaged by the encryption. The appellate panel held that EMOI had potentially suffered physical damage to its software and data when the hacker encrypted its files. The Ohio Supreme Court unanimously overturned the appellate court’s ruling.

Disagreeing with the appellate panel, the justices of the Supreme Court of Ohio instead found that the ransomware attack was not covered under the business owner’s property policy. The high court reasoned that computer software could not experience the “direct physical loss” or “physical damage” that is required for coverage under the policy because it does not have a physical existence. More specifically, although computers and other electronic mechanisms have “physical electronic components that are tangible in nature, the information stored there has no physical presence.”

The policy language at issue unambiguously included computer software within its definition of “media,” but also required such “media” to sustain direct physical loss or damage. EMOI argued that its affected computer software constitutes “media” and further argued that the software could be damaged, despite it being nonphysical.

The Ohio justices rejected EMOI’s argument, stating that the policy requires direct physical loss of or damage to media to provide coverage for the software. The court reasoned that although computer software is included in the definition of “media,” it is only included when the software is “contained on covered media,” meaning when it has a physical existence, like the examples of covered media provided in the policy— “film, magnetic tape, paper tape, disks, drums, and cards.” As such, the Supreme Court of Ohio was not convinced that software could sustain any physical loss or damage without any physical damage to the hardware on which the software was stored.

Similar to this case, many recent COVID-19 coverage decisions have held that there must be tangible physical damage or loss for coverage to exist under property insurance policies. These recent rulings suggest that courts are narrowly construing the requirement of “direct physical loss or damage” under first party property policies. This case is also an important reminder for corporate policyholders to protect themselves against cyber risks by procuring appropriate cyber-specific coverage where necessary instead of relying on other policies for coverage.

For more information, contact Jeffrey J. Vita at JVita@sdvlaw.com or 203.287.2103.

*Special thanks to Andrea Martin, Law Clerk, for contributing to this case alert.






CONTACT US


The email you are sending does not create an attorney-client relationship with SDV. We do not agree to representation until we have performed a check for conflicts of interest and expressly agree to provide services in a particular matter via an engagement letter. The information submitted to us via this website will NOT be treated as confidential or privileged as a lawyer/client communication and our receipt of this information does not prevent us from representing a client related to the subject of your inquiry.

Northeast

35 Nutmeg Drive, Ste 140
Trumbull, CT 06611

203.287.2100

136 Madison Avenue, 6th Fl.
New York, NY 10016

203.287.2100

233 Mount Airy Road
Basking Ridge, NJ 07920

973.446.7300

Southeast

999 Vanderbilt Beach Road, Ste 603
Naples, FL 34108

239.316.7244

West Coast

One BetterWorld Circle, Ste 300
Temecula, CA 92590

951.365.3145

SDV is headquartered in Connecticut, with regional offices located in New York, New Jersey, Florida, and California to better serve our clients nationwide. We have the experience and insight to effectively address your insurance coverage concerns and provide practical solutions to any risk transfer challenges you face.