Ransomware Did Not Cause Direct Physical Loss, State High Court Says
A business owner’s insurance policy did not provide coverage for software damaged by a ransomware attack because there was no direct physical damage or loss, the Ohio Supreme Court ruled.
“Computer software cannot experience ‘direct physical loss or physical damage’ because it does not have a physical existence,” the high court’s unanimous opinion says.
It was the second time this month that the Ohio Supreme Court decided that direct physical damage or loss cannot be intangible. On Dec. 12, the high court ruled against an audiology practice that sought coverage for business income lost because of a shutdown ordered by the state to slow the spread of COVID-19.
EMOI Services, based in Kettering, Ohio, provides software to medical offices for scheduling appointments, recordkeeping and billing. In September 2019, a hacker gained access to the company’s computer system, encrypted files and demanded ransom in the amount of three bitcoins, worth about $35,000 at the time.
EMOI hired a vendor and attempted to debug its system, but eventually decided it was more cost-effective to pay the ransom. After the payment was made, the hacker provided EMOI with a decryption key that restored access to most of its data. Its automated telephone system remained encrypted, however, because it was connected to a separate server. The company also lost access to some non-critical files.
EMOI filed a claim against its business owners policy with Owners Insurance Co. The insurer denied the claim, contending that there was no “direct physical loss to media” that was covered by the insurance policy. EMOI filed a lawsuit.
The Court of Common Pleas in Montgomery County ruled that there was no coverage available through either the data compromise endorsement or electronic equipment endorsement in EMOI’s insurance policy. The data compromise endorsement excludes costs caused by extortion or deficient network security, the court said. The electronic equipment endorsement covered only direct physical loss or damage to media, defined as material on which data is recorded such as “film, magnetic tape, paper tape, disks, drums or cards.”
A panel of the Second District of the Court of Appeals reversed in a 2-1 decision, finding that there was the potential for coverage if EMOI could prove that there was actual damage to its software. Owners appealed.
The Supreme Court said in a ruling released on Tuesday that the electronic equipment endorsement in EMOI’s insurance policy was “clear and unambiguous.”
“Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case,” the opinion says.
Policyholder attorney K. James Sullivan, with the Calfee law firm in Cleveland, said the Ohio Supreme Court’s rulings in both the EMOI case and the COVID business-interruption ruling earlier this month looked at the direct physical loss issue with a “20th Century lens.”
“I suspect we’re going to see an increasing number of losses to policyholders driven by twenty-first century fact patterns, such as pandemics, harm to computer systems, harm to air quality, etc., so it will be interesting to watch how the Ohio Supreme Court, insurers, and policyholders adapt going forward,” he said in an email. “Based on the underpinnings of these most recent opinions, it seems that insurance policy language needs to catch up to the evolving and emerging risks faced by modern-day Ohio policyholders.”
Sullivan said he will advise his clients to assess the interplay between the risks they face, their current insurance policy language and the state Supreme Court’s “restrictive rulings” to devise an effective risk-management strategy.
The Ohio Insurance Institute and American Property Casualty Insurers Association had filed an amicus brief supporting the insurer. The organizations said the Court of Appeals’ ruling “creates untenable and incongruous new law.”
“It is a matter of common sense that physical property damage is not the same as holding non-physical data hostage for ransom and that data compromise exclusions plainly apply to ransomware attacks,” the amicus brief says.
Policyholders United had a different view. The organization’s amicus brief says numerous courts have ruled that ransomware does cause physical loss or damage.
“Ransomware deliberately and physically alters the computer systems by changing the file extensions of the policyholder’s data set,” the United Policyholder’s brief says.