Ohio Supreme Court Rules Ransomware Attacks on Software are Not Covered Under Insurance Policies
In recent years, ransomware attacks have increased along with the insurance market to protect from them. Although there is coverage offered to protect against ransomware attacks, there are outstanding risks that can impact the insured.
On December 27, 2022, the Supreme Court of Ohio denied insurance coverage for incurred losses after software and data was deemed inaccessible and unusable after a ransomware attack. The Supreme Court made this decision as the ransomware attacks didn’t cause “direct physical damage” to the software and data. Before the recent case on December 27, the Supreme Court of Ohio also ruled a similar outcome in the Neuro-Communication Servs., Inc v. Cincinnati Ins. Co. Case, due to no physical damage to property.
EMOI Services Ransomware Attack
EMOI services, a medical billing software company in Ohio fell victim to a ransomware attack in September of 2019. The attack left all of the company’s data and the computers they were on inaccessible. The method the hackers used was CryptoLocker ransomware, which is when they use encryption tools that are used to lock files. After locking the data, they held the keys for ransom. After the company was unable to restore the data, they ended up paying the $35,000 ransom and filed a claim. The claim was filed for the cost of the ransom payment, the forensic investigation, damages to the insurance company and owners insurance.
What is Classified as “Physical Damage”?
In the EMOI case, the Ohio court ruled that there would have to be proven “direct physical damage” to the data in order to qualify for coverage and compensation, so what is physical damage? Computer software and data are not physical objects, meaning they can’t possibly incur physical damage. In the EMOI case, the data was compromised and inaccessible, however there was no trace of direct physical damage. Cyber insurance coverage is meant to cover disasters like the EMOI case, but due to their coverage plan, they received no help.
It is important to go over the extent of your cyber coverage with your provider to avoid cases like these. If you are unsure of your coverage, contact Professional Liability Insurance Group today.