Ohio Supreme Court Rules Insurance Policy Does Not Cover Ransomware Attack on Software

December 29, 2022

Ransomware insurance coverage has become increasingly popular in recent years as the threat of ransomware attacks has continued to grow. However, despite the widespread adoption of this type of insurance, there are still significant problems with its coverage that can leave policyholders vulnerable and out of luck when it comes to recovering from a ransomware attack. In this article, we will examine several specific cases where ransomware claims were denied by insurance companies or courts and explore the broader issues that these cases highlight.

On Dec. 27, 2022, the Ohio Supreme Court affirmed the denial of insurance coverage for losses incurred when data and software became unusable as a result of a ransomware attack. The Ohio high court held that, while the ransomware attack had made the software and data unusable and inaccessible, it did not constitute “direct physical damage” to the data and software, and therefore was not covered by insurance. This is similar to the decision by the Ohio Supreme Court last month in Neuro-Communication Servs., Inc. v. Cincinnati Ins. Co. that business interruption and loss claims resulting from the COVID virus and responses thereto were not covered since there was no “physical damage” to property.

The Ransomware Attack

Kettering, Ohio medical billing software company EMOI Services was hit by a ransomware attack in September of 2019 which left all of its computers, and the data in them, inaccessible. EMOI had been the victim of a CryptoLocker ransomware, where hackers used the same encryption tools normally used to lock files to prevent unauthorized access to data against them — with the hackers holding the keys and holding them for ransom. After attempting to restore the data and systems, the billing company gave in and paid the modest ransom of $35,000 and filed a claim for damages against their insurance company, Owner’s Insurance, not only for the cost of the ransom payment but also for the cost of the forensic investigation and restoration of the data.

The Policy Terms

Like many companies, EMOI had a number of insurance policies with different coverages and exclusions against which it attempted to file a claim. For example, its General Casualty and Liability insurance policy had an endorsement covering both “Electronic Equipment” and “Data Compromise.” However, the data compromise language had a specific exclusion that excluded from its coverage for “personal data compromise” losses for “any threat, extortion or blackmail,” including but not limited to “ransom payments.”

The electronic-equipment endorsement in the policy provided that the insurance company would pay for “direct physical loss” of or damage to “media” which you own and that the insurer:

“Will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss.”

What is “Physical Damage?”

The Ohio high court ruled that the insured would have to demonstrate that there was “direct physical damage” to the medium (e.g., hard drive, etc.) in order to have coverage for the restoration of the data on that media. Since the ransomware hackers did not physically damage the electronic media, the Court held, there was no coverage. In fact, the Court went further, noting that:

“Computer software cannot experience “direct physical loss or physical damage” because it does not have a physical existence.”

Ransomware, like other forms of cyber-crime, often creates ambiguous fact patterns which may not be clearly defined by cyber policies. For example, data “loss” insurance may be read to exclude coverage where a copy of the data has been made by a hacker, but the “original” data remains on a drive. Data which is on an encrypted hard drive which is unrecoverable may not be considered to be “damaged” or “destroyed” simply because the data is inaccessible. When a hacker demands a payment in order to unlock data, is the payment covered by a policy which covers losses resulting from “theft” or “fraud”? Courts have disagreed.

Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co.

In Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., an insurance company refused to pay a ransomware claim for loss of access to data and software because there was no “physical damage” to the data and software. The Maryland federal court rejected the insurer’s claim, noting that the “data” stored on covered media which was subject to the ransomware was “Covered Property” under the coverage, as was the “Software,” and that “the plain language of the Policy contemplates that data and software are covered and can experience “direct physical loss or damage.”

Yoshida Foods Int’l, LLC v. Fed. Ins. Co

Earlier this month, a federal court in Oregon rejected an insurer’s assertion that ransomware costs were not covered by a policy which provided coverage for a “direct loss of Money, Securities or Property sustained by an Insured resulting from Computer Fraud committed by a Third Party.” The insurer claimed that the ransom payment was not a “direct loss” to the insured and that “there was no permanent loss of Money, Securities, or Property that directly resulted from a Computer Violation.” The federal court disagreed, noting that:

“Both the ransom payment made by [the CEO] and the reimbursement of that amount by Plaintiff were proximately caused by the hacker’s computer violation directed against Plaintiff’s computer system. There was no intervening occurrence between the ransomware attack, the ransom payment…”

G&G Oil Co. of Indiana v. Cont’l W. Ins. Co.

Insurer was not required to pay for ransomware losses under a policy which covered “computer fraud” but excluded losses resulting from a computer virus or hacking. The Court affirmed the Insurer’s denial of the claim noting:

“The hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring G&G’s access to its computers. For all of these reasons, we conclude that the ransomware attack is not covered under the policy’s computer fraud provision.”

Recommendations for Insured

Ransomware causes various kinds of losses to a company. It results first in interruption of the ordinary business processes of the company, and can delay providing goods or services, or billing for such goods and services, resulting in economic losses. It can cost tens of thousands or millions to forensically investigate the ransomware attack and to restore data and services. Ransomware attacks may, or may not, be “data breaches” or “breaches of PII” and as such, data breach insurance may not cover ransomware claims. With more laws prohibiting the payment or ransom (or policies suggesting that it may be unlawful), insurers may take the position that the costs associated with the payment or ransom itself are not covered, and that losses resulting from NOT paying ransom (failure to mitigate damages) might alternatively not be covered. Reputational costs, investigative costs, costs of third-party claims by the ransomware victim and even things like FTC or other investigations or class actions may or may not be covered.

Companies need to examine their existing insurance policies to ensure that they have coverage for all of the possible damages and losses resulting from ransomware, and not take for granted that terms like “damage” and “loss” and “harm” mean the same thing in the context of ransomware. It is better to understand what coverages you have and do not have before a claim is filed rather than litigating the terms of a policy afterward.

For further questions or clarifications regarding the content of this article, please contact KJK Cyber Security & Data Breach attorney Mark Rasch (MDR@kjk.com; 301.547.6925).