On December 27, 2022, the Supreme Court of Ohio unanimously ruled that a businessowner’s property insurance policy issued by Owners Insurance Co. (Owners) to EMOI Services, LLC (EMOI) did not afford coverage for losses sustained in a ransomware attack because computer software is “entirely intangible” and “cannot experience ‘direct physical loss or physical damage’.” EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022). In doing so, the court reversed an attention-getting split decision by the lower appellate court. In this article, we take an in-depth look at the case and discuss its significant implications.
A. The ransomware attack
EMOI is a computer-software company that provides “medical billing services and application services and support” to medical providers. The company obtains necessary information from patients and medical providers for medical services rendered and formulates it into a fillable billing claims form to the third-party payer network. It also sends invoices to patients for balances due. EMOI employees have two computer logins. They first must provide login information to access their work computers. Employees then use a second login to access Medics, an outside software that allows customers to input billing data, scheduling, and other applications offered to them. In addition to Medics, EMOI has its own proprietary software that is the preferred method for customers to enter patient charges, procedure codes, and diagnosis codes.
On September 12, 2019, EMOI suffered a ransomware attack. After paying the $35,000 ransom demand, EMOI received an email with a link to download a program that would decrypt the files. EMOI’s IT manager, Dan Glaser-Garbrick, subsequently testified that following the decryption process, EMOI’s “files would open and functioned the way they were intended.” A few files did not get decrypted, “but they weren’t super critical.”
Soon after the decryption was completed, the encryption program re-ran on the Medics server. Glaser-Garbrick was able to decrypt the files again with the same decryption key previously provided by the hacker. In response to the ransomware attack, EMOI upgraded the Medics software, transitioned from remote access to using VPN software, moved its computer access to a new domain, and changed how it backed up its system. But its system still had a few residual problems: the interface between EMOI’s website and Medics could not communicate, the program that auto-generated remittances did not function due to being moved to the new server, and the automated phone call system remained encrypted.
B. The policy
EMOI’s businessowner’s property policy (the Policy) contained an Electronic Equipment Endorsement, which provided:
When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss.
Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.
The Policy’s Businessowners Special Property Coverage Form stated that “covered causes of loss” were “risks of direct physical loss.” The Electronic Equipment Endorsement defined “media” to mean “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards,” and stated that “media” included “computer software and reproduction of data contained on covered media.” A Data Compromise Endorsement precluded coverage for “[a]ny threat, extortion or blackmail,” including ransom payments.
II. THE COVERAGE LITIGATION
The morning after the ransomware attack, EMOI tendered a claim to Owners. Owners’ claim representative reviewed the written loss notification and the Policy, spoke with EMOI’s general manager and an Owners’ home officer examiner, and denied coverage on that same day. EMOI then filed suit against Owners, asserting breach of contract and bad faith claims.
Owners subsequently moved for summary judgment, arguing that there was no coverage because no direct physical loss of or damage to “media” had occurred. Owners also contended that in the absence of a breach of contract, there could be no basis for a bad faith claim.
In response, EMOI countered that direct physical loss of or damage to “media” had occurred. Initially, EMOI explained that it was “not seeking merely to recover for lost data,” which it acknowledged was not covered by the Policy. Rather, EMOI stated that it was seeking coverage for damage to its computer software programs (i.e., both the Medics software and EMOI’s own software). EMOI then urged that its computer software programs suffered “physical damage” in the ransomware attack because the hacker “manipulated” the programs, “encrypting” them so as to “prevent EMOI’s use of the software[s] and access to the data.” EMOI did not aver that the data stored on the computer software programs was itself physically damaged. Nor did EMOI allege that the hardware on which the software programs were stored was physically damaged.
A. The trial court’s decision
The trial court sustained Owners’ summary judgment motion, concluding: “Assuming arguendo that [EMOI’s] software was ‘damaged’ while it was encrypted, given the fact that EMOI has all the data it did before the ransomware attack, and that its software is now fully-functional, . . . the ‘media’ is no longer damaged.” The trial court added that it could not “logically conclude that EMOI sustained direct physical loss of or damage to its ‘media’ when EMOI’s computer systems are now fully-functional with all the data it had before the ransomware attack.” Additionally, the trial court stated:
In reality, this is a data compromise situation, rather than a situation involving physical damage to electronic equipment. The hacker gained unauthorized access to EMOI’s computer systems as a result of a vulnerability within the system, and EMOI ultimately had to pay a ransom in order to regain control of their software and data. Unfortunately for EMOI, the Data Compromise endorsement in its insurance policy expressly excludes coverage for costs arising from any threat, extortion or blackmail, including ransom payments. The Data Compromise endorsement also excludes costs arising from correcting any deficiency in its “systems, procedures or physical security that may have contributed to a ‘personal data compromise.”’ In other words, the cost endured by EMOI to upgrade its systems to cure the deficiency that left it vulnerable to attack is expressly excluded under the Data Compromise endorsement.
B. The intermediate appellate court’s decision
A majority of the three-judge panel of the Ohio Second District Court of Appeals reversed the trial court’s decision and remanded for further proceedings. The appellate court first determined that EMOI’s computer software constituted “media” pursuant to the Policy’s definition of that term (i.e., “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards,” including “computer software and reproduction of data contained on covered media”). Looking at the “computer software and reproduction of data contained on covered media” provision of the Policy’s “media” definition, the court concluded that “[g]iving [that] provision its plain and ordinary meaning, computer software must be contained on another medium for the provision to apply.” The court then considered Glaser-Garbrick’s deposition testimony:
In his deposition, Glaser-Garbrick described how EMOI’s system was designed. He stated that EMOI had a physical server that operated as a host server for the Medics database; clients communicated with the database via an application installed on their computers. The host server was configured as a virtualization server, which allowed EMOI to run additional virtual servers “on top of it.” . . .
At the time of the ransomware attack, EMOI also had a backup virtual host server, which connected to the other server through a protocol called iSCSI (internet small computer systems interface). Glaser-Garbrick stated that the backup virtual host server functioned as an extra hard drive to save backups. [He] explained that, prior to the ransomware attack, EMOI would run automatic backups every night and a full file copy of the Medics database would be saved on the backup server that was connected to the network.
Glaser-Garbrick did not expressly address whether any components of EMOI’s system constituted “media.” Owners did not provide evidence from an IT specialist to address what constitutes media.
The court concluded that “[v]iewing the evidence in the light most favorable to EMOI, the company’s servers constituted materials on which EMOI’s information was recorded and thus arguably met the policy’s definition of ‘media.’”
Next, the appellate court ruled that the trial court erred by concluding as a matter of law that EMOI’s computer software was not damaged in the ransomware attack, stating:
Glaser-Garbrick . . . testified that portions of the software remained damaged even after decryption. He stated that a program that generated remittances continued not to function after the decryption. In addition, the automated phone call system was contained on one of the virtual hard drives that did not get decrypted because the key did not work. . . . Glaser-Garbrick further stated that, even after he obtained the decryption key, the software was still damaged, as it became encrypted again. Construing the evidence in EMOI’s favor, Glaser-Garbrick’s testimony indicated that the hacker did not simply make EMOI’s software inaccessible, and not all of EMOI’s software was restored following EMOI’s receipt of the decryption key. Genuine issues of material fact thus exist as to whether EMOI’s software was damaged.
The appellate court then turned to the question of whether the alleged damage to EMOI’s software would constitute “direct physical loss of or damage” to covered property. The appellate court seemingly concluded that it could:
When asked during his deposition to describe how encryption worked, Glaser-Garbrick responded, “I’m trying to think about the best way to explain this. It’s a mathematical function that’s been designed so it’s hard to find a solution for it, but if you know the answer to the problem, you would be able to basically undo the encryption.” . . . Glaser-Garbrick agreed that “once you get the code, you can unlock it to read it or use the information that’s being sent.” . . . Glaser-Garbrick indicated that encryption and decryption is often “handled without people realizing it.” . . . Glaser-Garbrick did not describe, in technical terms, how encryption and decryption occurs and the effects on the item being encrypted. No other evidence regarding encryption was offered by the parties. Accordingly, construing the evidence in EMOI’s favor, the evidence supports a conclusion that the encryption damaged EMOI’s software and data, and that the damage was not merely aesthetic or amounted to loss of access or use.
Based on that testimony, the appellate court ruled that there were genuine issues of fact as to coverage under the Electronic Equipment Endorsement. And even though, as noted below, a member of the panel fully agreed with Owners’ coverage decision, the majority held that there were issues of fact as to whether Owners acted in bad faith.
The dissenting member of the court would have affirmed the trial court’s ruling. The dissenting judge stated that because the media on which the software was stored had not sustained physical loss or damage, coverage was not triggered under the Electronic Equipment Endorsement. The judge stated: “I submit that the conclusion I have reached is compelled by the clear, unambiguous endorsement language, which eliminates any factual issues regarding whether EMOI’s loss is a covered loss. Perhaps the endorsement language could have been more precise, but as the Ohio Supreme Court recently reaffirmed, a court cannot ‘creat[e] [a contractual] ambiguity by asking whether the parties could have included different or more express language in their agreement.’” The dissenting judge also stated that Owners made the right coverage call and did not act in bad faith as a matter of law.
C. The Ohio Supreme Court’s decision
Ohio’s Supreme Court unanimously reversed the appellate court’s decision and reinstated the trial court’s grant of summary judgment for Owners. The court stated:
The most natural reading of the phrase “direct physical loss of or damage to” is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media. . . . In other words, the adjectives “direct” and “physical” modify both “loss” and “damage.” . . . Similarly, although the term “computer software” is included within the definition of “media,” it is included only insofar as the software is “contained on covered media.”
(Emphases in original.)
The court held that “‘covered media’ means media that has a physical existence.” It further held that the Policy “requires that there must be direct physical loss or physical damage of the covered media containing the computer software for the software to be covered under the policy,” noting that “[t]his interpretation is supported by the language of the electronic-equipment endorsement, which states that ‘direct physical loss of or damage to Covered Property [i.e., media] must be caused by a Covered Cause of Loss [i.e., risk of direct physical loss].’”
The court then put an end to any debate (which both the trial and appellate courts entertained) as to whether EMOI’s software was physically damaged:
Computer software cannot experience “direct physical loss or physical damage” because it does not have a physical existence. Software is essentially nothing more than a set of instructions that a computer follows to perform specific tasks. It is information stored on a computer or other electronic medium. While a computer or other electronic medium has physical electronic components that are tangible in nature, the information stored there has no physical presence. In other words, the information—the software—is entirely intangible. Focusing on what the parties would have intended, we are unpersuaded that the policy covered “physical damage” to computer software (an intangible) without there also being physical damage to the hardware on which the software was stored. (internal citations omitted)
Because the Policy did not cover the loss, the Supreme Court also ruled that Owners did not act in bad faith.
III. TAKEAWAY THOUGHTS
The Ohio Supreme Court’s decision was based on its common sense conclusions that software (as intangible property) cannot suffer physical damage, and that coverage for restoration of information under the Electronic Equipment Endorsement could not be triggered absent the threshold requirement of “direct physical loss or damage” to the media on which the information was stored.
Although claims involving cyber events may be relatively new, this decision is an important reminder that long-standing, fundamental principles of insurance policy construction and law are applicable to cyber claims.