Ohio Cybersecurity Court Ruling

The Ohio Supreme Court reversed a lower court ruling and ruled against a local business in a ransomware attack case. EMOI Services, a medical billing company in Kettering, Ohio, was the victim of a ransomware attack in September 2019. The attacker encrypted the company’s data and demanded a ransom of $35,000 for the encryption key. EMOI Services paid the ransom, updated its systems, and was able to get its services back online. After the incident, EMOI filed a claim against its business owner’s insurance policy, which included a data compromise endorsement. The insurance company denied the claim, responding that the policy did not cover “extortion, blackmail, or ransom payments.” Additionally, the insurance provider claimed the policy did not apply to the incident because there was no physical damage to equipment or media.

EMOI sued their insurance provider, Owners Insurance Co., claiming software was damaged in the attack and should be covered by the insurance policy. The Ohio trial court sided with the insurance company, saying EMOI was not entitled to coverage over the attack. EMOI appealed, and the appellate court sided with the medical billing company. The Ohio Second District Court of Appeals ruled that software should be included in the damage of media and should be covered by the policy.

Owners Insurance Co. appealed to the Ohio Supreme Court, and the court overruled the lower court's ruling, siding with the insurance company. The Ohio Supreme Court ruled, “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case.” Even though the electronic-equipment endorsement covered media such as disks or cards, the Ohio Supreme Court ruled the information stored on that media was not covered.

Comments from Jack Gerbs, CIO Quanexus, Inc.

I have read the Ohio Supreme Court’s ruling and a few things stood out. First, the policy is defined as a business owners insurance policy. I don’t know if this language would be different if it was a cyber insurance policy. The court made their ruling on the fact that there was no physical damage. This case points out the importance of dealing with a company that understands this new cyber insurance market and why we recommend having an attorney with experience in this area review cyber policies. As I have mentioned in previous newsletters and blogs, the cyber insurance market is growing very fast, and while you are trying to insure against responsible risks, it is important to understand the language in your cyber insurance policy.


Posted by Charles Wright