Ohio Supreme Court rules that ransomware attacks against businesses should not be covered by insurance
The ruling, which was issued on December 27 and overturned a lower court of appeals decision, said EMOI Services, based in Kettering, Ohio, which sells medical billing and records management software, was hit by a ransomware attack in 2019. It’s about Because contract language can limit the precedent-setting nature of the lawsuit, the lawsuit suggests that the advent of ransomware will create new legislation on how insurers should treat non-physical damages and software losses. It provides insight into how you solved your problem.
After encrypting the system, the hackers demanded 3 bitcoins as a ransom for the decryptor. In 2019, that equates to about $35,000. The company eventually paid the ransom and he filed a claim with the owner of the insurance company within 24 hours of the attack to cover the ransom payment and restoration costs. However, the claims officer assigned to the case determined that “EMOI’s policy does not cover costs associated with paying ransoms, investigating and remediating attacks, and upgrading security systems.” dismissed it.
This refusal has resulted in lawsuits and counterclaims from EMOI Services and Owners, respectively. The software company claimed that its denial of compensation under the Electronics Clause was done “in bad faith,” arguing that software could be damaged without affecting physical or tangible devices. Or an instrument.
Owners won the first hearing, but an appeals court overturned that decision, saying that if EMOI Services could prove its software was corrupted by encryption, the Electronic Devices Clause could apply. .
However, the state Supreme Court upheld the original judgment, saying that certain contract terms make it clear that direct and physical damage or loss to property is required for compensation.
“Computer software does not experience ‘direct physical loss or damage’ because it has no physical existence,” wrote the seven-member committee. “Software is essentially just a set of instructions that a computer follows to perform a particular task.”
The owner’s claims representative stated that while EMOI Services’ policy covered data breaches and damage to electronic equipment, no hardware, equipment, or “media” was physically damaged in the attack and The policy is “optional” threats, extortion and extortion, including ransom payment.
The Electronics Recommendation defines “media” as “material on which information is recorded, such as films, magnetic tapes, paper tapes, disks, drums, cards, etc.”, and “media” includes “computer software and data duplication”. reported media. ”
None of these items were physically damaged in the attack, so the owner decided that the cost of repair, restoration, and new software should not be covered.
“In the event that an electronic device or media declaration indicates an insurance limit, the direct physical and We will pay for any loss or damage. or control while at the facility described in the declaration,” the representatives wrote in a letter to EMOI Services, denying their allegations. We will bear the cost of investigating, replacing, or restoring information on lost or damaged Media. Any direct physical loss or damage to the Covered Property must be caused by the Covered Cause of Loss. ”
The court was also “unsatisfied” with EMOI Services’ argument that damage to non-physical aspects of software programs is covered by its policy.
“We have found the language of the approval of electronic equipment to be clear and unequivocal in the requirement that there be direct physical loss or direct physical damage to the electronic equipment or media before approval is applied. ,” wrote the seven-member committee. on their decision. “Software is an intangible item that is not subject to direct physical loss or damage, so authorization does not apply in this case.”
