- Cybersecurity Disclosures Required by the SEC’s Recently Proposed Rules
- The Future is Now: Data Subject Requests in 2023
- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks. The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021 -Ohio- 3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021). In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.
The insured, EMOI Services LLC (“EMOI”), was an Ohio-based medical billing company that suffered losses arising out of a ransomware attack. EMOI’s insurer, Owners Insurance Company, denied coverage under an “Electronic Equipment” endorsement of EMOI’s property policy, arguing in part that because EMOI's software was intangible, it could not satisfy the policy’s requirement that the insured suffer “direct physical loss or damage”. Id. at ¶ 26.
In its decision, the appellate court addressed three issues: First, the appellate court considered whether the insured’s software was “media” under the policy’s broad definition of that term as “materials on which information is recorded.” Id. at ¶ 29. The court concluded that “the company’s servers constituted materials on which EMOI's information was recorded and thus arguably met the policy’s definition of ‘media.’” Id. at ¶ 37.
Second, the appellate court determined that genuine issues of material fact existed as to whether the insured’s software was “damaged” by the hacker’s malicious encryption. The trial court had focused on the fact that, after employing the decryption program, EMOI’s software again became operational. The appellate court nevertheless concluded that the insured’s employees had testified that the database had been damaged and that portions of the software remained damaged even after decryption. Id. at ¶ 42.
Third, the appellate court rejected the insurer’s argument that the damage to EMOI's software could not constitute “direct physical loss of or damage” to covered property. Rather, the appellate court held that, construing the evidence in EMOI's favor, the evidence supported a conclusion that the encryption damaged EMOI's software and data, and that the damage was not merely aesthetic or amounted to loss of access or use. The court distinguished case law cited by the insurer – including recent cases regarding business interruption losses resulting from COVID-19 – because the policy at issue affirmatively provided coverage for an intangible item: software. The appellate court also cited favorably to a federal decision from the District of Maryland that similarly held that data and software “can experience ‘direct physical loss or damage.’” Id. at ¶ 53 (citing Natl. Ink and Stitch, LLC v. State Auto Property and Cas. Ins. Co., 435 F.Supp.3d 679 (D. Md. 2020)).
The EMOI Services decision demonstrates that cyber-related coverage, specifically including coverage for ransomware attacks, may be found in traditional non-cyber policies.
Policyholders should carefully review and consider their property, liability, crime and other “traditional” policies in the event of a cyber-incident, and provide notice under those non-cyber policies to ensure that all avenues for potential coverage are exhausted.
Policyholders that are currently engaged in litigation with their insurers should consider all appellate options in the event of an adverse ruling, as EMOI Services is just one recent example of a lower court’s decision on a “silent cyber” issue being overturned. See, e.g., Landry's, Incorporated v. Insurance Company of the State of Pennsylvania, 4 F.4th 366 (5th Cir. 2021) (Fifth Circuit reversed summary judgment in favor of a general liability insurer and found a duty to defend Landry’s in a data breach lawsuit); G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., 165 N.E.3d 82 (Ind. 2021) (Indiana Supreme Court reversed and remanded a trial court’s ruling in favor of a commercial crime insurer in connection with a ransomware incident).
Finally, policyholders in the midst of renewals should consider any cyber-related exclusions that property, liability or other insurers try to add to existing or new policies in light of recent case. Policyholders should confirm, to the extent possible, that there are no “gaps” in cyber-related coverage because of such exclusions.