Ohio Court of Appeals Ruling Recalls Cyber Coverage Can Be Found in Unexpected Places | Pillsbury – Blog Pulseholder Pulse
As the number and severity of cyberattacks increases, the importance of insurance coverage to offset the resulting losses becomes increasingly important. An opinion issued by the Ohio Court of Appeals is a happy reminder that there may be coverage for cybersecurity losses even if you don’t have specific cyber insurance and policyholders should review their entire insurance portfolio when faced with a cyber loss.
In EMOI Services, LLC c. Owners Ins. Co., the Ohio Court of Appeals overturned a trial court ruling in favor of the insurer, finding that the policyholder’s temporary loss of access to its files and software and, possibly, additional longer-lasting damage resulting from a ransomware attack, was potentially covered by a standard business owner’s insurance policy. The 2019 attack left the insured, EMOI, with encrypted files that its employees and IT staff could not access. Following attempts to circumvent the encryption and after concluding that potential third-party solutions would cost more than the ransom, EMOI paid the ransom to receive a decryption key in order to gain access to its software and files. The decryption key restored most, but not all, of the capabilities of the original software.
EMOI filed a claim with Owners Insurance Co. and requested coverage for its loss. The owners refused coverage and EMOI sued. The dispute between the parties ultimately centered on an electronic equipment endorsement to the police, which provided that owners would “pay for direct physical loss or damage to ‘media'” owned by EMOI. Media has been defined as including “computer software and reproduction of data contained on covered media”. In a motion for summary judgment, the owners argued that no “direct physical loss or damage” had occurred and that because the software was intangible, it was not covered by the endorsement. . EMOI countered that the ransomware encryption caused damage to its software and that the loss it suffered was covered by the endorsement.
The trial court ruled in favor of the insurer, but the decision was reversed on appeal. Relying heavily on the testimony of EMOI’s IT manager, the Court of Appeal found that the hacker’s encryption caused physical loss or damage to EMOI’s files and software “that were not merely aesthetic or amounted to a loss of access or use”. Although the Owners argued that there was no coverage because EMOI’s files and software suffered no “structural” or “material” damage, the court assessed the specific facts and distinguished the cases cited by the Owners, finding that the specific wording of the Owners’ policy “envisaged that EMOI’s software and data reproduction could be physically damaged.”
Although this is not the end of this story, EMOI services is an important reminder that insurance coverage for cybersecurity damage can be found in standard commercial policies, and winning coverage arguments often depend on a policy’s specific terms and definitions, as applied to the specific facts giving rise to a loss. Given the wide variety of policy forms, endorsements, and exclusions for cybersecurity-related coverage, there is no one-size-fits-all approach to evaluating cyberattack or data breach coverage.
When faced with cyber losses, policyholders should review all potentially relevant policies (cyber, corporate, first party, etc.) and should promptly notify all potentially affected insurers. Policyholders should hire an experienced coverage attorney who can consider all factual and legal angles in order to navigate potential avenues of coverage while avoiding obstacles erected by the insurer.