Are Ransomware Payments Covered by Cyberinsurance?

There seems to be a pattern in data breach and other cyberattack cases: After a breach, a company turns to its insurer for coverage. Sometimes they have specialized cyberinsurance, sometimes not. But often, even if they have paid for what they believe to be comprehensive cybersecurity risk insurance, the insurer refuses to pay the claim. Insurers often have many reasons for refusing coverage—failure to notify in a timely fashion, failure to mitigate costs, hacks resulting from employee misconduct or criminal activity or simply that the losses were due to actions of a non-covered party. This is true whether a company is relying on terms in a general casualty or liability policy (GCL) or where, as in the case recently considered by an Ohio appeals court, the insured had purchased specialized cyber liability insurance that covered damage to its electronic assets.

On November 5, 2021, an Ohio appeals court considered an insurance company’s denial of a claim made by a medical billing company for its costs of responding to (and ultimately paying a ransom for) a ransomware attack that locked it out of its billing platform, as well as the costs of restoring the system, which contained protected health information (PHI) on its customers’ patients. The Appeals Court reversed the findings of the lower court and allowed—for the time being—the insurance claim to go forward. At issue was whether the ransomware constituted “physical damage” to the electronic media and whether the ransomware attack constituted a covered “data compromise” under the terms of the policy.

Background

EMOI is an Ohio company that helps hospitals complete medical bills. As such, they have a good deal of personal data, financial data and PHI. In September 2019, EMOI was the victim of a ransomware attack wherein the attackers locked up files and demanded ransom. Ultimately, they obtained a “test key” from the hackers which enabled them to unlock a single data file. Once that worked, EMOI paid the ransom, regained control over their data and verified that it was safe. They also filed a claim with their insurer.

EMOI’s policy with Owner’s Insurance covered “data compromise”, which included coverage related to “the compromise of an individual’s ‘personal data’” but excluded from coverage “[a]ny threat, extortion or blackmail.” The policy noted that the exclusion included, but was not limited to, “ransom payments and private security assistance.”

As a general rule, companies may have cyberinsurance that covers the cost of “data breaches”—that is, the unauthorized access to certain kinds of information (typically personal data). Data breach policies cover the cost of investigation, forensics, breach remediation, breach notification and possible litigation as a result. Think of a “breach” as a loss (or a potential loss) of protected data.

Companies may also have coverage for loss of access to data, something like “critical documents insurance” for electronic records. Thus, if there’s a fire, flood, hurricane or another event that destroys documents or records (including electronic records), that may be covered by insurance. Indeed, EMOI had coverage for “direct physical loss or damage to ‘media.’” EMOI’s policy stated that the insurance company:

…will pay for direct physical loss or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.

Ransomware and Cyberinsurance

So, is a ransomware attack a data breach? Is it a physical loss or damage to electronic media? The carrier, Owner’s Insurance, said no to both questions. The carrier asserted that the data compromise coverage only covered the personal data of EMOI, not data of EMOI’s customers. In their denial letter, Owners told its customer, “Since the data belongs to another party that is not your customer it does not meet the definition of ‘affected individual.’” They also denied the claim, asserting that the data on the ransomed drives was not EMOI’s “personally identifying information.”

The insurer also claimed no responsibility for the cost of restoration, asserting that “[n]o film, magnetic tape, disc, drum, card, etc., [the contractual definition of ‘covered media’] has been identified as physically damaged in this claim.” But the insurance company went further, asserting that it did not have to pay the claim because “(1) [t]he policy covers only items with a physical existence, i.e., tangible items; (2) ‘physical loss or damage’ does not occur when the insured merely loses access or use; and (3) ‘physical loss or damage’ does not occur when the item can be restored by cleaning.”

The insurance company claimed that the policy did not cover ransomware situations because “the software and data have no physical existence and thus are not susceptible to physical loss or damage” and because “EMOI merely lost access to its data and software due to the ransomware attack, and the data and software were readily restored with the decryption program [for which they paid a ransom to the hacker].”

This is a common argument made by insurance companies when they seek to deny ransomware claims. Recently, a Maryland court held that an insurer had to pay a T-shirt printing company’s cost of restoring its software after a ransomware attack, rejecting the insurer’s argument that the software itself was not “damaged” and that, therefore, the claim was not covered.

Ultimately, the Ohio court also adopted a broader reading of “covered media” and of damage and destruction, and permitted the claim to proceed (reversing the lower court’s summary judgment order).

Cyberinsurance Coverage (or Lack Thereof)

However, this case reflects a trend among insurers—at least initially—to read terms like “loss,” “damage,” “destruction” or “physical damage” narrowly when ransomware claims are filed. This is just one of the potential pitfalls in cyberinsurance policies. For example, as companies move to cloud services, their data on the cloud may not be covered by insurance. To the extent that ransomware payments are considered unlawful, an insurer may not be willing to pay or reimburse such payments. An insurer may conclude that data that is “locked up” by ransomware is not “breached” under a data breach policy, and therefore refuse to pay the costs of remediation or restoration. An insurer may be unwilling to pay the costs of rebuilding a ransomed system when the insured could have (as the insured here did) paid a modest sum for the restoration key—a duty to mitigate damages.

The best approach for companies is to conduct a comprehensive review of the language of their cyberinsurance (and traditional) policies to make sure that the language reflects what coverages the company is likely to need. It’s better to get that settled before you have a claim, rather than afterward.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.