A consistent pattern emerges in data breach and cyber-attack cases when companies turn to their insurers for coverage after such incidents. Whether they possess specialized cyber insurance or not, insurers often decline claims, citing various reasons such as failure to provide timely notice, failure to mitigate costs, employee misconduct or criminal activity leading to the breach, or attributing the losses to a party not covered by the policy. This holds true for both General Casualty or Liability policies (GCL) and specialized cyber liability insurance policies, covering damage to electronic assets.

On December 22, 2022 the Ohio Supreme Court in EMOI Servs., L.L.C. v. Owners Ins. Co. ruled that an Ohio medical billing company’s cyber insurance policy did not cover a ransomware claim for damages because the insured could not demonstrate that there was “physical harm or damage” to the computers which housed the data, as required by the terms of the policy. The electronic policy noted that the coverage included:

“When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.”

The insured argued that since the ransomware made the data inaccessible and unusable, the media suffered damage covered by the policy language. However, the Ohio court disagreed.

EMOI Servs., L.L.C. v. Owners Ins. Co. Case Overview

EMOI is an Ohio-based company assisting hospitals with medical billing, resulting in the handling of personal data, financial data, and Protected Health Information. In September of 2019, EMOI was the victim of a ransomware attack, where the attackers locked up files and demanded ransom. After obtaining a “test key” from the hackers to unlock a single data file,…