CYBER CORNER

REPLACEMENT OF SOFTWARE NOT COVERED LOSS UNDER A PROPERTY POLICY

EMOI Services, L.L.C. v. Owners Ins. Co., 2022 WL 17905839 (Ohio, Dec. 27, 2022)

 

The Ohio Supreme Court recently held that an insured whose digital media was corrupted in a cyberattack did not suffer an insurable loss under its property insurance policy. The court concluded that computer software did not possess the “physical existence” necessary to trigger coverage under such a policy.


The insured filed an action alleging breach of contract and bad faith against its insurer following a denial of coverage for a ransomware event. The question presented to the court was whether there had been a “direct physical loss” of media where the only impact to the insured was the failure of the decryption key that the threat actors had provided after the payment of ransom. Although the policy’s definition of “media” included computer software, the court reasoned that software is an intangible item and therefore not susceptible to direct physical loss or damage. In support of its conclusion, the court cited examples of tangible property from the policy’s definition of covered media.

The Takeaway

Policyholders will understandably search for coverage under any policy that may respond. However, a dedicated Cyber policy can unambiguously cover exposures including the restoration or replacement of electronic data and computer software. Such a dedicated policy may have provided coverage for the losses that the insured suffered at the hands of the hackers.

CYBER CARRIER UNABLE TO DENY COVERAGE FOR RANSOMWARE PAYMENT BASED ON POLICY TECHNICALITY 

Yoshida Foods Int'l, Ltd. Liab. Co. v. Fed. Ins. Co., No. 3:21-cv-01455-HZ, 2022 U.S. Dist. LEXIS 219389 (D. Or. Dec. 6, 2022).

A food manufacturing company suffered a ransomware attack during which the hacker gained unauthorized entry into the company’s computer system and encrypted the data using malware. The attack rendered the system unusable. The hacker demanded a ransom payment in cryptocurrency, the price of which, according to the payment instructions, would have doubled in seven days. The company’s IT consultants advised that paying for the decryption key was the only way to regain access to the system, and the company’s president had to convert his own funds into cryptocurrency and pay the hacker from his personal account four times to fully restore the data.


The carrier denied coverage for the payments to the hacker and the payments to the IT consultant, arguing that the ransom payment was not a “direct loss,” since the payment came from the president’s personal funds; that the president acted as an employee covered by the employee-approved transfer exclusion; and that the Expense Coverage was not a part of the policy.


The court disagreed with all of the carrier’s grounds for denial. First, the court held that direct loss requires a causal relationship arising out of an unbroken sequence of events without which such injury would not have happened. In other words, direct loss needs a proximate, rather than a remote, relationship. The court held that all of the events were part of an unbroken sequence and that the payments were a foreseeable result of the attack because there were no intervening occurrences between the attack and the ransom payment.


The court disagreed that the company’s president was acting as an employee because it was an extraordinary situation requiring an executive decision, such a decision could not have been made by an ordinary employee, and a typical employee would not pay $100,000 of their personal money while exercising their ordinary duties. The court criticized the carrier for arguing that the payment was “approved,” saying that “[carrier’s] reading [suggests], if someone held a gun to an employee’s head demanding payment, and employee made the payment, the act of paying would have been ‘approved’ by employee.” The court invited the carrier not to confuse duress and coercion with approval.


Finally, the court rejected the argument that prior written consent was needed for IT consultant services because written consent was mentioned only in the sentence of Computer Violation Expense that discusses the cost to reproduce or duplicate destroyed data or computer programs. The sentence that discussed computer restoration expenses was silent on prior written consent, and the court interpreted it as, at minimum, ambiguous as to whether such consent is needed.

The Takeaway

In the unpredictable world of ransomware cyber-attacks, this decision suggests that courts are likely to attach more significance to reasonableness than to technicalities, while accounting for the urgent pace at which ransom attacks must be handled.