As the number and severity of cyberattacks rise, the importance of insurance coverage to offset resultant loss becomes increasingly important. An opinion issued by the Ohio Court of Appeals is a happy reminder that there may be coverage for cyber-related loss even if you did not buy cyber-specific insurance and that policyholders should review their entire insurance portfolio when confronted by a cyber loss.
In EMOI Services, LLC v. Owners Ins. Co., the Ohio Court of Appeals reversed a trial court ruling in favor of the insurer, holding that the policyholder’s temporary loss of access to its files and software and, perhaps, additional more longstanding damage arising out of a ransomware attack, was potentially covered under a standard business owner’s insurance policy. The 2019 attack left the policyholder, EMOI, with encrypted files that its employees and IT specialists could not access. Following attempts to circumvent the encryption and after concluding that potential third-party solutions would cost more than the ransom, EMOI paid the ransom to receive a decryption key to obtain access to its software and files. The decryption key restored most—but not all—of the original software’s capabilities.
EMOI filed a claim with Owners Insurance Co. and sought coverage for its loss. Owners denied coverage, and EMOI filed suit. The parties’ dispute ultimately centered on an Electronic Equipment endorsement to the policy, which provided that Owners would “pay for direct physical loss of or damage to ‘media’” that EMOI owned. Media was defined as including “computer software and reproduction of data contained on covered media.” On a motion for summary judgment, Owners argued that no “direct physical loss or damage” had occurred and, because software was intangible, it was not covered by the endorsement. EMOI countered that the ransomware encryption caused damage to its software and the loss it suffered was covered by the endorsement.
The trial court ruled in favor of the insurer, but the ruling was reversed on appeal. Relying heavily on the testimony of EMOI’s IT manager, the Court of Appeals found that the hacker’s encryption caused physical loss or damage to EMOI’s files and software “that was not merely aesthetic or amounted to loss of access or use.” Although Owners argued that there was no coverage because EMOI’s files and software did not suffer any “structural” or “tangible” damage, the court evaluated the specific facts and distinguished the cases cited by Owners, holding that the specific language in the Owners’ policy “contemplated that EMOI’s software and reproduction of data was capable of being physically damaged.”
Although not the end of this story, EMOI Services is an important reminder that insurance coverage for cyber-related damages may be found in standard business policies, and successful coverage arguments often hinge on the specific terms and definitions in a policy, as applied to the specific facts giving rise to a loss. Given the wide variance in policy forms, endorsements, and exclusions for cyber-related coverages, there is no one-size-fits-all approach for evaluating coverage for cyberattacks or data breaches.
When confronting cyber losses, policyholders should survey all potentially relevant policies (cyber, business, first-party etc.) and should provide prompt notice to all potentially relevant insurers. Policyholders should engage experienced coverage counsel capable of considering all factual and legal angles with an eye toward navigating potential paths to coverage while avoiding insurer-erected obstacles.