The insurance policy phrase ”direct physical loss of or damage to” has been prominent in the news the past few years thanks to the spate of business interruption cases stemming from the pandemic, but one state high court recently had occasion to examine that policy language in a different context: cybersecurity.
The Ohio Supreme Court late last month reinstated a trial court’s judgment in favor of an insurance company, finding it was not required to cover losses that resulted from a company’s ransomware attack because there was no “direct physical loss of or damage to” computer-software systems.
EMOI Services LLC, a computer-software company that uses software to provide medical offices with service and support for setting appointments, record keeping, and billing, was the target of a ransomware attack in September 2019. The unknown “hacker” illegally accessed EMOI’s software system and when a file was opened, a ransom note appeared notifying the user that the files were encrypted and unavailable but that the files could be restored to normal by a decryption key.
The catch: the hacker would provide the information in exchange for the payment of three bitcoins, which was approximately $35,000 at the time, according to the state high court’s opinion filed Dec. 27.
EMOI decided to pay the ransom. Upon payment, EMOI received an email from the hacker with a link to download a program that would decrypt the files. None of the company’s hardware or equipment was damaged in the process and EMOI upgraded its system to protect from future attacks.
EMOI sought a claim under a business owners insurance policy issued by Owners Insurance Co., but Owners denied the claim, finding that neither its “Data Compromise” endorsement, nor the “Electronic Equipment” endorsement applied, the opinion said.
The “Electronic Equipment” endorsement provides: “‘[W]e will pay for direct physical loss of or damage to ‘media’ which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your cost to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss,’” the opinion cited.
Media is defined as “‘materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards,’” and that “‘media’” includes “‘computer software and reproduction of data contained on covered media,’” according to the opinion.
“In this case, the policy was essentially a common ‘all-risk’ type business property insurance that then also had some additional endorsements, including the electronic equipment endorsement and data compromise endorsements referenced in the decision. A key point here, however, was that this business property policy was not and was not intended to be a ‘cyber’ policy; it was intended as indicated by its policy language, to cover physical items and structures from physical damages,” explained Erin B. Moore of Green & Green Lawyers on behalf of Owners. “Cyber insurance policies are specialized policies generally based on different risks and thus different underwriting (and premiums) and expressly cover some of the types of claims that are not covered by a business property policy, such as hacking or ransom claims. The differences between these types of policies and their respective coverages I expect will be the source of future litigation.”
EMOI filed a lawsuit against Owners, alleging the insurance company wrongly denied coverage under the electronic-equipment endorsement. In seeking summary judgment on EMOI’s claims, Owners maintained that “‘no coverage, payment or indemnity is owed,’” the opinion said.
The trial court granted summary judgment to Owners, finding: “‘In reality, this is a data compromise situation, rather than a situation involving physical damage to electronic equipment,’ and ‘[u]nfortunately for EMOI, the Data Compromise endorsement in its insurance policy expressly excludes coverage for costs arising from any threat, extortion or blackmail, including ransom payments,’” the opinion said.
On appeal, Ohio’s Second District Court of Appeals reversed the trial court’s judgment. The court concluded that the language of the electronic equipment endorsement “potentially applied to EMOI’s claim if EMOI could prove that its media, i.e., its software, was in fact damaged by the encryption,” the opinion said.
The Ohio Supreme Court disagreed.
“We find the language in the electronic-equipment endorsement to be clear and unambiguous in its requirement that there be direct physical loss of, or direct physical damage to, electronic equipment or media before the endorsement is applicable. Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case,” Justice Melody J. Stewart wrote on behalf of the unanimous court.
The state high court rejected EMOI’s argument that computer software is “media” under the electronic equipment endorsement.
The Ohio Supreme Court looked to a similar case, Ward General Insurance Services v. Employers Fire Insurance, in which the California Fourth District Court of Appeal considered the phrase “‘direct physical loss of or damage to’” to require direct physical damage, as “opposed to indirect or nonphysical damage, to covered property,” the opinion cited.
The Ohio high court also looked to a recent COVID-19-related ruling by the U.S. Court of Appeals for the Sixth Circuit in Santo’s Italian Cafe v. Acuity Insurance, which considered identical language as containing a requirement of “direct physical loss” or “direct physical” damage to covered property. Additionally, about two weeks before the court issued its opinion in the present case, it also issued another pandemic-related ruling in Neuro-Communications Services v. Cincinnati Insurance.
“Both cases, in my opinion, properly read, interpreted and applied the ‘direct physical loss or damage’ language in their respective contexts,” Moore said on behalf of Owners. “I also believe that it was necessary to construe the same phrase consistently between the two types of claims. The same words should mean the same thing. I was especially pleased the EMOI decision was unanimous, however, since the Neuro-Communications decision was not.”
Messages seeking comment from EMOI’s attorneys, John A. Smalley and Kenneth J. Ignozzi, both partners at Dyer, Garofalo, Mann & Schultz, were not immediately returned.