(Article from Insurance Law Alert, November 2021)
For more information, please visit the Insurance Law Alert Resource Center.
An Ohio appellate court ruled that a trial court erred in granting an insurer’s summary judgment motion and that issues of fact existed as to whether a ransomware attack on the policyholder’s computer system triggered coverage under a business owner’s policy. EMOI Services, LLC v. Owners Ins. Co., 2021 WL 5144828 (Ohio App. Ct. Nov. 5, 2021).
EMOI, a medical billing service provider, was the victim of a ransomware attack. EMOI ultimately paid the hacker and sought coverage from Owners. The insurer denied coverage, noting that a Data Compromise endorsement explicitly precluded coverage for ransomware payments and that an Electronic Equipment endorsement did not apply because it required “direct physical loss or damage.” A trial court agreed and dismissed the suit. The trial court reasoned that there was no physical loss because even assuming that EMOI’s software was damaged while it was encrypted by the hackers, it became fully functional once the ransom payment was made. The appellate court reversed.
The Electronic Equipment endorsement covered “direct physical loss of or damage to ‘media.’” It defined “media” as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards.” It further stated that “media” includes “computer software and reproduction of data contained on covered media.”
Viewing the evidence in a light most favorable to EMOI, the court ruled that the company’s computer servers may be considered “media” under the policy because they “constituted materials on which EMOI’s information was recorded.” Additionally, the court ruled that EMOI had raised an issue of fact as to whether its software incurred “direct physical damage.” In particular, the court noted that the record established that portions of the software remained unusable even after decryption.
The court rejected Owners’ contention that software and data “have no physical existence and thus are not susceptible to physical loss or damage.” The court emphasized that the policy did not include the term “tangible” in referring to physical loss and deemed that omission significant. It also relied on Nat’l Ink & Stitch, LLC v. State Farm Auto Prop. & Cas. Ins. Co., 435 F. Supp.3d 679 (D. Md. 2020) (discussed in our January 2020 Alert), in which the court ruled that the loss of data and impairment of a computer system resulting from a ransomware attack constituted direct physical loss where the policy listed “data” as a category of covered property and used the term “software” in a coverage provision heading.