Ransomware, Incident Response

Ohio court: Non-physical software damage in ransomware attack not covered under insurance

The Supreme Court of Ohio ruled that a ransomware attack against a business should not be covered by insurance because the attack did not physically or directly cause harm to the tangible components of the software programs encrypted in the incident.

The decision, which was issued Dec. 27 and overturned a lower appeals court ruling, concerns EMOI Services, a Kettering, Ohio-based company that sells medical billing and record keeping software and was hit with a ransomware attack in 2019. While the specific nature of the contract language may limit its precedent-setting nature, the case offers some insight into how the emergence of ransomware has given rise to fresh legal questions around how insurers should treat non-physical damages or loss to software.

After encrypting their systems, the hackers demanded three Bitcoins in ransom payment for the decryptor, which in 2019 amounted to approximately $35,000. The company ultimately paid the ransom and filed a claim with insurer Owners less than 24 hours after the attack to cover the cost of the ransom payment and recovery. But the claims representative assigned to the case rejected it the same day, determining that “EMOI’s policy did not cover…payment of the ransom and the costs associated with investigating and remediating the attack as well as upgrading its security systems.”

The rejection sparked a lawsuit and countersuit from EMOI Services and Owners respectively, with the software company alleging that the denial of coverage under the electronic equipment clause was done “in bad faith,” arguing that software can be damaged without affecting any physical or tangible devices or instruments.

While Owners won the initial trial, an appeals court overturned that decision, saying the electronic equipment provision may apply if EMOI Services could prove that its software was damaged by the encryption.

But the state Supreme Court upheld the original ruling, saying the specific contract language makes it clear that direct and physical damage or loss to an asset is required for coverage.

“Computer software cannot experience ‘direct physical loss or physical damage’ because it does not have a physical existence,” the seven-member panel wrote. “Software is essentially nothing more than a set of instructions that a computer follows to perform specific tasks.”

A claims representative for Owners had determined that while EMOI Services’ policy covered data compromises and damage to electronic equipment, neither applied in this case because no hardware, equipment or “media” was physically damaged in the attack and the policy excluded coverage for “any threat, extortion or blackmail,” including ransom payment.

The electronic-equipment endorsement defines “media” as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards” and states that “media” includes “computer software and reproduction of data contained on covered media.”

Since none of these items were physically damaged in the attack, Owners determined that the costs of remediation, recovery and new software should not be covered.

“When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to ‘media’ which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations,” the representative wrote in a letter to EMOI Services denying their claim. “We will pay for your costs to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.”

The court was also “unpersuaded” by EMOI Services’ argument that damage to the non-physical aspects of a software program was covered under the policy.

“We find the language in the electronic-equipment endorsement to be clear and unambiguous in its requirement that there be direct physical loss of, or direct physical damage to, electronic equipment or media before the endorsement is applicable,” the seven-member panel wrote in their decision. “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
