In data breach and cyber-attack cases, companies often face claim denials from insurers for reasons such as failure to provide timely notice, failure to mitigate costs, employee misconduct, or attribution of losses to uncovered parties. This pattern applies to both General Casualty or Liability (GCL) policies and specialized cyber liability insurance covering electronic asset damage.
A significant case in Ohio’s Supreme Court, EMOI Servs., L.L.C. v. Owners Ins. Co., highlighted the denial of a ransomware claim based on the absence of “physical harm or damage” to the computers storing the data, as required by the policy’s terms. The court ruled that ransomware causing data inaccessibility did not qualify as “direct physical loss,” leading to coverage denial for the medical billing company.
The case involved EMOI, an Ohio-based medical billing company handling personal and financial data, which fell victim to a ransomware attack in 2019. After paying a ransom and regaining control over its data, EMOI filed a claim with its insurer, Owners Insurance, seeking reimbursement for the ransom payment and investigation costs.
However, the insurer denied the claim, asserting that the policy covered only “direct physical loss or damage” to electronic media. The court ruled in favor of the insurer, noting that ransomware’s encryption did not cause “direct physical loss or damage” to the software and database systems but rather led to data compromise.
This trend of insurers narrowly interpreting policy terms in ransomware cases has led to disputes and litigation. Some courts have ruled in favor of claimants, emphasizing that ransomware attacks did cause direct loss, while others upheld denials based on policy language.
To avoid coverage pitfalls, companies should conduct thorough policy reviews, ensuring that their cyber insurance language aligns with potential coverage needs and taking note of limitations such as the difference between coverage for a data breach and coverage for loss of data access.