In a unanimous decision, the Ohio Supreme Court found that appellee EMOI Services, LLC’s (“EMOI”) businessowners insurance policy does not cover losses resulting from a ransomware attack on EMOI’s computer software systems.
EMOI, a computer software company, was the target of a ransomware attack in September 2019 where a hacker gained access to EMOI’s computer systems and encrypted files. As a result of the attack, when a file was opened, a ransom note appeared notifying the user that the files were encrypted and therefore unavailable, but also notifying the user that the files could be restored if the user purchased a decryption key from the hacker for three bitcoins. After analyzing the situation, EMOI paid the ransom, and the majority of its system files were returned to normal. EMOI did not suffer any hardware or equipment damage from the ransomware attack.
At the time of the ransomware attack, EMOI was insured under a businessowners insurance policy issued by Owners Insurance Co. (“Owners”). EMOI submitted notice of a claim to Owners immediately following the attack. Owners determined that EMOI’s policy did not cover the losses it incurred and denied the claim the same day it received notice.
In December 2019, EMOI sued Owners, alleging that Owners breached its contractual obligations under the insurance policy and denied coverage in bad faith. Owners answered the complaint by denying EMOI’s legal claims and counterclaimed for a declaratory judgment that it owed EMOI no coverage, payment, or indemnity under the policy. Owners later moved for summary judgment both on EMOI’s claims and its own counterclaim for declaratory judgment. The trial court granted summary judgment to Owners and held that EMOI was not entitled to any coverage for the ransomware attack.
EMOI appealed the trial court’s grant of summary judgment, and the Ohio Second District Court of Appeals reversed in EMOI’s favor. The appellate court held that the language of the electronic-equipment endorsement potentially applied to EMOI’s claim if EMOI could prove that the encryption damaged its media, i.e., its software. The appellate court further held that genuine issues of material fact existed regarding whether the software suffered actual damage. The Second District also noted that EMOI submitted expert testimony suggesting that Owners did not thoroughly review EMOI’s claim regarding damage to the software before Owners denied the claim, which the Second District concluded raised genuine issues of material fact about whether Owners complied with its duty of good faith in denying EMOI’s claim. The Second District, therefore, reversed the trial court’s grant of summary judgment to Owners on the claim for breach of contract and the claim for bad faith denial of coverage.
Owners appealed to the Ohio Supreme Court. The Supreme Court overruled the judgment of the Second District and held that the ransomware attack caused no direct physical loss of, or damage to, the software—as required under the policy to trigger coverage. The Supreme Court’s decision turned on the legal interpretation of the language in the insurance policy, which the Court concluded was clear and unambiguous in its requirement that there be direct physical loss of, or direct physical damage to, electronic equipment or media. Because software is an intangible item that does not have a physical existence and cannot experience direct physical loss or damage, the Ohio Supreme Court held that Owners properly denied EMOI’s claim for coverage.
The Ohio Supreme Court was not persuaded by EMOI’s argument that computer software is “media” under the policy and that the policy still contemplates that software can be damaged, despite that it is nonphysical. Instead, the Court held that “covered media” as used in the policy is limited to media that has a physical existence.
As a result, the Ohio Supreme Court reversed the Second District and reinstated the trial court’s grant of summary judgment for Owners.