The Court considers whether a business insurance policy covers the costs of a ransomware attack

The Court considers whether a business insurance policy covers the costs of a ransomware attack

Operating in an increasingly digital economy means businesses face a growing threat from cybercriminals looking to hold computer operating systems hostage until a ransom is paid. Businesses that suffer from such crimes have turned to their “all risk” insurance policies for assistance.

Next week, the Supreme Court of Ohio will consider whether a Dayton-area company’s insurance policy, with its three additional “endorsements” to cover its electronic equipment and computers, will pay for the damages from a ransomware attack. Ransomware is malicious software that gains remote access to a computer device or network and encrypts the computer system or files, preventing access. A ransom payment demand is made to regain access.

The parties in the case say many courts around the nation have heard disputes regarding business insurance coverage for ransomware attack claims, but this is the first time the Supreme Court of Ohio will address the issue. It has drawn national interest through groups filing amicus curiae briefs in the case.

Ransomware attacks have been on the rise for a decade, industry analysts report, but the intrusions went into overdrive at the height of the COVID-19 pandemic. In a joint brief from the Ohio Insurance Institute and the American Property Casualty Insurance Association, the groups note that between July 2020 and July 2021, ransomware attacks have increased from about 13,992 per week to 149,157 per week. Business service providers are among the top targets of the attacks, the insurer groups stated.

The insurance industry has developed policies to cover certain cybercrimes, and cybercrime claims are rapidly shifting to ransomware attacks. The insurer groups note that between 2014 and 2019, more than half of all cybercrime insurance claims were for data theft. Only about 13% of the claims were reported for ransomware attacks. In 2020, 54% of all claims were for ransomware or malicious software attacks, the groups noted.

Service Provider Seeks Coverage for Intrusion
EMOI Services, which provides medical billing services and support to medical providers, experienced a ransomware attack in September 2019. EMOI learned a hacker was demanding three bitcoin — at the time worth about $35,000 — to provide a “decryption key” that would allow the company to restore its operations. EMOI agreed to pay the ransom, and within a day, the company was able to partially restore its system to point that it could serve its clients.

EMOI filed a claim with Owners Insurance Company. The company’s IT manager told the Owners Insurance claims adjuster the data was not “physically damaged,” but was inaccessible because the hacker encrypted it. The adjuster denied EMOI’s claim, noting that the policy addressed the “direct physical loss or damage to ‘media,’” and only paid for software repair if the tangible media, such as disk, film, or magnetic tape, was physically damaged.

EMOI filed a breach-of-contract lawsuit in Montgomery County Common Pleas Court, arguing the adjuster didn’t understand that the software was damaged by the attack. In 2021, the trial court granted summary judgment to Owners Insurance, stating the situation was a “data compromise” rather than physical damage to electronic equipment. EMOI’s insurance policy had coverage for a “data compromise,” but that endorsement specifically excluded coverage for extortion, blackmail, or ransom payments, the court concluded.

EMOI appealed to the Second District Court of Appeals, which reversed the trial court’s decision. Owners Insurance appealed to the Supreme Court.

Supreme Court to Consider Policy Terms
Owners Insurance argues the business property insurance policy covers the “direct physical loss of, or damage to, covered property,” which courts have ruled to mean structural damage to tangible property. Separate policies concerning cybercrimes are available, and EMOI chose not to purchase such coverage, the insurer asserts. A traditional property policy covers tangible items, such as computers, and shouldn’t be interpreted to cover interruptions of software use, the insurer claims.

Owners Insurance maintains that EMOI’s losses were like a person forgetting a password to an online bank account. A person’s money isn’t “damaged” when the password isn’t working, but rather the account holder only lost access to the money until access is regained.

EMOI counters this isn’t a case about business insurance in general, but rather the specific additional coverages it bought to protect itself. Its policy from Owners Insurance includes coverage for computer software contained on covered property. EMOI says it’s software was located on servers damaged by the attack.

EMOI argues the loss wasn’t like a misplaced password. Once the company recovered access, it could provide services to clients, but the hacker damaged the software. The cost to fix the damage to the software should be covered by the policy, the company concludes.

Watch Oral Arguments Online
The Court will hear EMOI Services v. Owners Insurance Company and two other appeals on Aug. 2. Arguments begin at 9 a.m. and streamed live online at sc.ohio.gov and on the Ohio Channel, where they are also available for later viewing.

The Court’s Office of Public Information released detailed articles today about each case, available through the case-name links.

Medical Claims
A patient sued his Cincinnati back surgeon after a March 2010 surgery. The patient is one of hundreds who have filed lawsuits against the doctor, who left the country in late 2013. In Elliot v. Durrani et al., the patient argues a four-year deadline for filing his medical claims was extended because the doctor left the country. The doctor responds that the timeframe for filing a medical lawsuit can be extended only for the exceptions stated in the law that sets the deadline. Leaving the state isn’t one of the exceptions listed, so the deadline can’t be extended, the doctor asserts.

Eminent Domain
An electric company is planning to upgrade a 50-year-old electric line in Washington County between two power facilities. A state agency determined that the project was necessary and would serve the public interest. The company needs easements from multiple property owners to rebuild the line, which crosses their properties. In Ohio Power Company v. Burns, the company sued to assert eminent domain to secure the easements from some landowners. The company maintains that to use eminent domain, Ohio law requires the overall project to be necessary. However, each easement for the landowners doesn’t need to be reviewed, the company contends. The landowners argue the easements must be evaluated to assess whether what is being taken is more than is necessary for the public use. Nine groups submitted amicus briefs in the case.