Coverage Challenges in Ransomware Claims: Cyber Insurance Policies and Trends in Denials

July 28, 2023

A consistent pattern emerges in data breach and cyber-attack cases when companies turn to their insurers for coverage after such incidents. Whether they possess specialized cyber insurance or not, insurers often decline claims, citing various reasons such as failure to provide timely notice, failure to mitigate costs, employee misconduct or criminal activity leading to the breach, or attributing the losses to a party not covered by the policy. This holds true for both General Casualty or Liability policies (GCL) and specialized cyber liability insurance policies, covering damage to electronic assets.

On December 22, 2022, the Ohio Supreme Court in EMOI Servs., L.L.C. v. Owners Ins. Co. ruled that an Ohio medical billing company’s cyber insurance policy did not cover a ransomware claim for damages because the insured could not demonstrate that there was “physical harm or damage” to the computers which housed the data, as required by the terms of the policy. The policy’s electronic-equipment endorsement provided that the coverage included:

“When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.”

The insured argued that since the ransomware made the data inaccessible and unusable, the media suffered damage covered by the policy language. However, the Ohio court disagreed.

EMOI Servs., L.L.C. v. Owners Ins. Co. Case Overview

EMOI is an Ohio-based company assisting hospitals with medical billing, resulting in the handling of personal data, financial data, and Protected Health Information. In September of 2019, EMOI was the victim of a ransomware attack, where the attackers locked up files and demanded ransom. After obtaining a “test key” from the hackers to unlock a single data file, EMOI paid the ransom of three Bitcoin, regained control over their data, verified its safety, and filed a claim with their insurer to reimburse the investigation and recovery costs, including the ransom payment.

EMOI’s policy with Owners Insurance covered “Data Compromise,” which included coverage related to “the compromise of an individual’s “personal data,”” but excluded from coverage “[a]ny threat, extortion or blackmail.” The policy noted that the exclusion included, but was not limited to, “ransom payments and private security assistance.”

As a general rule, companies may have cyber insurance that covers the cost of “data breaches” — that is, the unauthorized access to certain kinds of information (typically personal data). Data breach policies cover the cost of investigation, forensics, breach remediation, breach notification, and possible litigation as a result. Think of a “breach” as a loss (or a potential loss) of protected data.

Data Breach Coverage vs. Loss of Access to Data

Companies may also have coverage for loss of access to data, which is, in effect, “critical documents” insurance for electronic records. Thus, if there’s a fire, flood, hurricane or other event that destroys documents or records (including electronic records), that may be covered by insurance. Indeed, EMOI had coverage for “direct physical loss or damage to ‘media.’” The question for the Court was whether the ransomware was a “direct physical loss.”

Ultimately, the Court found:

“The language in the electronic-equipment endorsement to be clear and unambiguous in its requirement that there be direct physical loss of, or direct physical damage to, electronic equipment or media before the endorsement is applicable. Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case.”

Coverage Limitations in the Policy

So, the policy that insured against damage or loss to electronic media only covered direct physical damage. Indeed, if someone were to pass a magnet against a hard drive and by doing so wiped all of the data off the machine, it could be argued that the loss of the data was not “physical damage” but only “logical damage” and therefore not covered. The Supreme Court also adopted the findings of the trial court, noting that “the software and database systems were not damaged by the encryption, but that EMOI was prevented from accessing or using those systems because of the encryption.” The trial court also noted:

“In reality, this is a data compromise situation, rather than a situation involving physical damage to electronic equipment.”

Because the coverage only included “physical damage,” the Court found that “logical damage” and “electronic damage” of the kind which occurs when a database or media is encrypted or corrupted is not covered by the policy. In fact, the Court noted, “Computer software cannot experience “direct physical loss or physical damage” because it does not have a physical existence.” So, the policy, it appears, covered only things like a fire or flood that destroyed the media on which the software was stored.

Insurance Company Denies Coverage and Common Arguments

So, is a ransomware attack a “data breach?” Is it a physical loss or damage to electronic media? The carrier, Owners Insurance, said no to both questions. The carrier asserted that the data compromise coverage only covered personal data of EMOI, not data of EMOI’s customers. In their denial letter, Owners told its customer, “Since the data belongs to another party that is not your customer it does not meet the definition of “affected individual”.” They also denied the claim asserting that the data on the ransomed drives was not EMOI’s “personally identifying information.”

The insurer also claimed no responsibility for the cost of restoration, asserting that “[n]o film, magnetic tape, disc, drum, card, etc., [the contractual definition of “covered media”] has been identified as physically damaged in this claim.” But the Insurance Company went further, asserting that it did not have to pay the claim because:

“(1) the policy covers only items with a physical existence, i.e., tangible items; (2) “physical loss or damage” does not occur when the insured merely loses access or use; and (3) “physical loss or damage” does not occur when the item can be restored by cleaning.”

The insurance company claimed that the policy did not cover ransomware situations because “the software and data have no physical existence and thus are not susceptible to physical loss or damage” and because “EMOI merely lost access to its data and software due to the ransomware attack, and the data and software were readily restored with the decryption program [which they paid for from the ransomware hacker].”

Trends in Cyber Insurance Coverage and Pitfalls

This is a common argument made by insurance companies when they seek to deny ransomware claims. Recently, a Maryland court held that an insurer had to pay a T-shirt printing company’s cost of restoring software after a ransomware attack, and rejected the insurer’s claim that the software itself was not “damaged” and that the claim was therefore not covered.

The Indiana Supreme Court similarly held that a claimant who paid a ransom in a ransomware attack was not entitled to summary judgment on their claim for recovery against their insurer under a policy that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer of money” since the ransomware payment was not “fraudulently made.”

In another case in federal court in Oregon, the court rejected an insurer’s argument that a ransomware attack and payment was not the cause of a “direct loss” under a policy which covered claims “for direct loss of Money, Securities or Property sustained by an Insured resulting from Computer Fraud committed by a Third Party.” The Oregon court noted: “Both the ransom payment made by Mr. Yoshida and the reimbursement of that amount by Plaintiff were proximately caused by the hacker’s computer violation directed against Plaintiff’s computer system. There was no intervening occurrence between the ransomware attack, the ransom payment, and the reimbursement to Mr. Yoshida, which were all part of an unbroken sequence of events. Plaintiff’s reimbursement of the $107,074.20 ransom payment was a foreseeable result of the attack.”

These cases represent a pattern in which companies purchase insurance, pay premiums, and then, when they suffer a ransomware loss, file a claim – only to have the insurer deny the claim and force litigation or arbitration. This reflects a trend in cyber insurance coverage for insurers – at least initially – to read terms like “loss,” “damage,” “destruction” or “physical damage” narrowly when ransomware claims are filed. This is just one of the potential pitfalls in cyber insurance policies. For example, as companies move to cloud services, their data on the cloud may not be covered by insurance. To the extent that ransomware payments are considered unlawful, an insurer may not be willing to pay or reimburse such payments. An insurer may conclude that data that is “locked up” by ransomware is not “breached” under a data breach policy, and therefore refuse to pay the costs of remediation or restoration. An insurer may be unwilling to pay the costs of rebuilding a ransomed system when the insured could have paid (as the insured here did) a modest sum for the restoration key – a duty to mitigate damages.

Comprehensive Policy Review is Essential

The best approach for companies is to conduct a comprehensive review of the language of their cyber (and non-cyber) policies to make sure that the language reflects the coverages the company is likely to need. It’s better to get that settled before you have a claim, rather than afterwards.

For further questions or clarification regarding your company’s cyber policy, contact KJK Cyber Security attorney Mark Rasch (MDR@kjk.com; 301.547.6925).