Page 49 - FDCC_InsightsSpecialIssue_Published
P. 49
Data Privacy Law
Has The Ohio Supreme Court Opened A New Battlefield in the
Cyber Coverage Wars?
Michael F. Aylward
By Michael F. Aylward
The Ohio Supreme Court has ruled in EMOI Services, L.L.C. v. Owners Ins. Co., 2022 WL 17905839 (Ohio Dec. 27, 2022) that a property insurance policy did not cover a ransomware claim in which malware was attached to the insured’s computer, encrypting access to stored files and data. Although EMOI had argued that the hack was covered by the policy’s electronic equipment endorsement which insured “costs to research, replace or restore information on ‘media’ which has incurred direct physical loss or damage,” the court declared that “software is an intangible item that cannot experience direct physical loss or direct physical damage” and that “[c]omputer software cannot experience “direct physical loss or physical damage” because it does not have a physical existence.”
Emoi is the first salvo in a new front of the on-going struggle over so-called “silent cyber,” that is to say policyholder efforts to obtain commercial property coverage under policies that do not expressly include provisions insuring cyber losses. To date, most of these cases have involved phishing claims in which the issue is whether the insured’s mistaken transmission of funds to fraudsters involve the use of computers so as to trigger a policy’s computer fraud coverage, See G&G Oil Company of Indiana, Inc. v. Continental Western Ins. Co., 165 N.E.3d 82 (Ind. 2021) (finding a sufficient causal connection between spear-fishing incident and the resulting loss to satisfy the requirement “that it had resulted directly from the use of a computer”) and City of Unalaska v. Nat’l Union Fire Ins. Co., 2022 U.S. Dist. LEXIS 51387 (D. Alaska March 18, 2022)(a reasonable person would understand “use of a computer” to extent to a broad range of activities, including e-mails, and not just computer hacking as AIG had argued).
Computer fraud insurance covers the theft of money or securities through the use of a computer. It has been around for quite a while and pre-date the modern surge of cyber-crime. More importantly, this first party coverage form does not require proof of direct physical loss. By contrast, the claims at issue in EMOI were for the loss of access to data due to a ransomware attack rather than the cost of the ransom paid. Also, unlike the computer crime fraud wordings at issue in these other cases, the electronic equipment endorsement in the Owners Insurance policy required that there be direct physical loss to the insured’s property.
39
FDCC ANNUAL INSIGHTS 2023