Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish
| (844) 627-8267

Damage Sustained by Software During Ransomware Attack Does Not Constitute Physical Damage Under Ohio Property Policy | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

The Ohio Supreme Court recently ruled that software encrypted by a ransomware attack has not sustained “direct physical damage” necessary to trigger coverage under an Electronic Equipment endorsement in a businessowners property policy.

The recent case arose from a 2019 ransomware attack experienced by EMOI Services LLC (the policyholder). EMOI paid the 3-bitcoin ransom demand (approximately $35,000 at the then-current exchange rate) and successfully restored most of its files with the decryption tool provided by the threat actor. EMOI also upgraded its software systems and took other steps to protect its environment against future attacks.

EMOI sought coverage under its businessowners property policy (which included a Data Compromise endorsement and an Electronic Equipment endorsement) for the ransom payment, as well as costs EMOI incurred to investigate the incident, remediate its environment, and upgrade its systems. EMOI’s insurer, Owners Insurance Company, denied coverage because, among other reasons, there was no “direct physical loss of or damage to ‘media’” as defined in the policy. EMOI sued Owners in Ohio state court alleging that Owners acted in bad faith and breached the insurance policy by denying coverage under the Electronic Equipment endorsement. The trial court granted Owners’ summary judgment motion, explaining that EMOI’s systems were not physically damaged by encryption. On appeal, the Ohio Second District Court reversed the grant of summary judgment, finding genuine issues of material fact as to whether there was actual damage to the software.

Owners appealed to the Ohio Supreme Court. Owners argued, among other things, that coverage is not available under the Electronic Equipment endorsement because the coverage grant requires direct physical loss or damage to electronic equipment or “media.” EMOI, in response, argued that computer software qualifies as “media,” which that policy defines as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards” and “computer software and reproduction of data contained on covered media.”

The Ohio Supreme Court rejected EMOI’s argument and held that software cannot sustain direct physical loss or damage because it is an intangible item that does not have a physical existence. Although a computer or other electronic medium has physical electronic components that are tangible in nature, the information stored therein does not have a physical presence capable of sustaining physical loss or damage. The Ohio Supreme Court further noted that the policy’s definition of “media” includes software only to the extent it is contained on covered media, i.e., media with a physical existence; thus, there must be a direct physical loss or damage to the covered media containing the computer software for the software to be covered under the policy. Given the absence of “direct physical loss or damage” to “media,” the Ohio Supreme Court reinstated the trial court’s grant of summary judgment and dismissed the case.

The EMOI ruling follows recent COVID-19 coverage rulings in which courts have generally held that coverage is not available under property policies in the absence of physical damage or loss to tangible property. With an increase in cyber-related losses, rulings such as the EMOI case provide clarity as to whether non-cyber policies that require physical loss or damage may cover cyber-related risks. The EMOI court answered this question in the negative.


Click Here For The Original Source.

National Cyber Security