Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Security

Insurance Policy Does Not Cover Ransomware Attack on Software, Ohio Supreme Court Says (jurist.org) 51

The Ohio Supreme Court has unanimously overruled a judgment of the Ohio Second District Court of Appeals and moved that there must be "direct" physical loss or physical damage in the company's computer software for insurance policy coverage. From a report: In the three-year court proceedings between the greater Dayton medical billing software maker EMOI and its insurance service provider Lansing, Michigan-based Owners Insurance Company, the latter asserted that the insurance contract unambiguously stated only "direct physical loss" or "direct physical damage" to media would be covered under the insurance policy.

The court in its final ruling gave the rationale that a computer might have physical electronic components that are "tangible" in nature but the information stored there has no "physical presence"; thus a ransomware attack on the company software has no coverage under the company's insurance policy. The judgment against EMOI concludes that a software developer can't use its property insurance to cover losses. A district judge had dismissed EMOI's case against Owners, which the developer brought forth just months after the attack. But the appellate court in November 2021 had ruled in favor of EMOI stating that the claimant could sue the insurance company for allegedly treating its claim in bad faith by failing to properly examine "the various types of damage that can occur to media such as software."

This discussion has been archived. No new comments can be posted.

Insurance Policy Does Not Cover Ransomware Attack on Software, Ohio Supreme Court Says

Comments Filter:
  • At first ... (Score:5, Insightful)

    by lowvisioncomputing ( 10234616 ) on Friday December 30, 2022 @12:06PM (#63168290) Homepage Journal

    At first, I thought "but those bits in storage media were damaged by having their state changed, so that's physical damage.

    Then I thought - but the structures holding those bits are undamaged, their state can still be changed just fine, so it's not physical damage.

    Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

    • Re:At first ... (Score:5, Insightful)

      by vux984 ( 928602 ) on Friday December 30, 2022 @12:14PM (#63168308)

      Time for a slashdot car analogy:

      Someone should go to the judges homes, disassemble their fancy SUV down to the nuts and bolts, and leave it in a pile in his driveway. When he tries to make an insurance claim and the insurance company advises him that there was no loss or physical damage because all his tangible goods are still present and in working order maybe they'll figure it out.

      • Re:At first ... (Score:5, Insightful)

        by LeeLynx ( 6219816 ) on Friday December 30, 2022 @12:22PM (#63168334)
        I don't think you understand how analogies work, because that is definitely physical damage under any reasonable definition.
        • by Anonymous Coward

          *WHOOSH*

        • by vux984 ( 928602 )

          So is erasing or encrypting a disk!

          • You can yell that all you want, but this is precisely the difference between hardware and software. You don't have to like it, but that is what those words mean.
            • by vux984 ( 928602 )

              Hardware and Software do have many different properties and the distinction is very useful but even so, both exist in the physical world.

              Software or information exists, on disk for example, as a pattern of stored electromagnetic charges. It is not somehow magical or 'abstract', it is rooted in the physical world, and you can physically destroy the information without physically destroying the medium by making *physical* changes to the arrangement of particles/charges on the disk.

              In the same way you can dest

            • by Rhipf ( 525263 )

              They jut didn't get specific enough with the claim. Since the insurance policy seems to need physical damage for the claim to be made they just have to argue that every time you write to a disk (doesn't matter if it is a HDD or a SSD) there is physical damage to the cell that is being written to. After enough writes the media can no longer be written to and therefore the writing that the ransomware did on the drive physically degraded it.
              This argument probably still wouldn't make the claim successful but at

        • Re:At first ... (Score:4, Insightful)

          by mysidia ( 191772 ) on Friday December 30, 2022 @01:04PM (#63168434)

          So is this... The erasure of storage by ransomware is analogous to a saboteur attacking paper records by breaking into a filing cabinet and then dipping the pages in whiteout or using a pencil eraser to destroy all the writing. The paper Is still physically functional after the attack; However, the data which was physically manifested on the paper has been damaged.

          The physical manifestation of Data in this case is magnetic charges which are maintained in small cells on the storage device, and the fact that they are Small does not change the fact that they are Physical.

          One could more reasonably say It's Indirect not Direct, however.. Ransomware causes instructions on a machine which is effectively designed to execute; there is no malfunction of the hardware itself -- the actor that causes it to happen is a Logical attack against code vulnerabilities in software, and not a Physical actor: The physical action that caused the loss was functioning exactly as designed, deployed, and expected. Clearly the intent of such language in an Insurance policy would be to exclude such things as logical mistakes in software causing a failure, Even if the manifestation of that failure is a physical change.

           

          • See above. [slashdot.org]
          • A more direct analogy would be breaking into the file room and substituting encrypted versions of all the files for the originals. If every original page is still there in encrypted form, there's been no physical damage. There is no loss of paper - every sheet is still there. There is no loss of data (if the encryption is reversible, given the key). But without the key it's inaccessible. Paying the ransom to get the key might be more cost-effective than locating and restoring everything from backups. Then,

        • by mspohr ( 589790 )

          Disassembly is not damage. You can still put all the parts back together and it will be fine.
          Car mechanics do this all the time.

        • Re: (Score:2, Funny)

          by NFN_NLN ( 633283 )

          > I don't think you understand how analogies work, because that is definitely physical damage under any reasonable definition.

          "Ouch, he'll realize that mistake in 5 mi.... " [reads follow up posts]

          RIP LeeLynx, died on "that hill" 2022

        • Bonus points if you live in the salt belt. Or own a BMW. Any kind of disassembly will result in physical damage!

      • by mjwx ( 966435 )

        Time for a slashdot car analogy:

        Someone should go to the judges homes, disassemble their fancy SUV down to the nuts and bolts, and leave it in a pile in his driveway. When he tries to make an insurance claim and the insurance company advises him that there was no loss or physical damage because all his tangible goods are still present and in working order maybe they'll figure it out.

        This is more like a person buys a fancy SUV with a nice fancy remote key. Due to a security hole in the lock software, a malicious party changes the lock code so the fancy key doesn't work, then demands money to make the key work again.

        In this scenario we'd sue the manufacturer for making the system so insecure. This is where the analogy stops working, but that being said I can easily see this kind of thing happening with the manufacturers trying to put apps into their cars at a basic level, sadly I see

    • Re:At first ... (Score:5, Insightful)

      by Stephan Schulz ( 948 ) <schulz@eprover.org> on Friday December 30, 2022 @12:32PM (#63168364) Homepage

      At first, I thought "but those bits in storage media were damaged by having their state changed, so that's physical damage.

      Then I thought - but the structures holding those bits are undamaged, their state can still be changed just fine, so it's not physical damage.

      Sure it is. It's a physical change (to the magnetic fields on the storage medium), and it sure is damaging the system and the software - it won't perform its normal function anymore. The fact that you can still use the hardware is irrelevant. If you melt down a car, you can still recreate the chassis from the elements present.

      Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

      Sure enough. But some modern ransomware attacks are quite complex, analysing the computer system, checking backup schedules, and trying to also overwrite backups. Unless you have physically disconnected the media from the system (or use write-only media), you are not safe. Also, even if you have backups, it's not trivial, and certainly not cost-free, to bring a complex system back up. At least you lose the work done between the last backup and the restoration.

      • Sure it is. It's a physical change (to the magnetic fields on the storage medium), and it sure is damaging the system and the software - it won't perform its normal function anymore. The fact that you can still use the hardware is irrelevant.

        Based on the court ruling, that fact is entirely relevant. There was no physical damage to the hard drive, and the insurance policy only covered physical damage. If the company wanted insurance to cover ransomware attacks, they should have included it in the policy.

        • Sure it is. It's a physical change (to the magnetic fields on the storage medium), and it sure is damaging the system and the software - it won't perform its normal function anymore. The fact that you can still use the hardware is irrelevant.

          Based on the court ruling, that fact is entirely relevant. There was no physical damage to the hard drive, and the insurance policy only covered physical damage.

          The argument is that there was physical damage to the computer system. That the court does not seem to include software and/or data in that is what makes this ruling questionable.

          If the company wanted insurance to cover ransomware attacks, they should have included it in the policy.

          Actually, their argument was that the insurer should have anticipated this kind of damage and either included it or made it explicit that it was excluded. If you buy an "all round insurance package" for a rental car, and they exclude (say) damage to windows and tires, you could also complain about misleading advertising.

      • First, there was NO physical damage to the hard drive. The fact that bits could still be read from it and written to it proves that it was still mechanically sound. The magnetic domains continued to be fully functional.

        Also, hard drives are dirt cheap. Backing up user data onto external drives is not hard. And they're cheap enough that you can rotate a stack of them, one for every time period (day, week, month, whatever). Stuff that changes a lot, every day, have 100 x 16tb drives hanging around to cover

    • Re:At first ... (Score:5, Informative)

      by Xenx ( 2211586 ) on Friday December 30, 2022 @12:53PM (#63168408)
      Reading the case text it's much more straight forward, though I believe has its own issues. There are two separate endorsements for their insurance. One is a data compromise endorsement, the other is for the physical media itself. The data compromise endorsement, however, specifically precludes coverage for the ransom.
      • This insurance sounds like my dental and vision policies. But better than nothing? The real solution? Crypto must die.
        • This insurance sounds like my dental and vision policies. But better than nothing? The real solution? Crypto must die.

          It's dying. Just taking it's own sweet time to do it because there are so many people who NEED to believe you can get rich quick by doing SFA.

    • >Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

      And better test the backup recovery procedure weekly and tune it so it only take a short time relative to the needs of the application.

      I'm my mega corp I've lost data to a wonky laptop - no problem, it's all backed up - only to find that the backup was made but they couldn't recover the data from the backup for 'reasons'.

      Redundant and resilient design is a thing. Perhaps IT departments should do some of that.

    • by gweihir ( 88907 )

      Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

      You know, most people struggle to get simple things right. And as more and more people move into IT with the mind-set of it being "just a job" that applies to more and more IT people as well. Of course these people are still very proficient in blaming their screw-up son somebody else. Probably their only real skill.

      Incidentally, I just did backups. With full compare. Found two disks with data defects in the backups, one WD and on Toshiba. Seems end-user hardware is still crap.

      • I know. Back when USB memory sticks dropped to under $30 for 16 gb, I tried to get everyone to back up their own crap. You'd think they'd want to, since their jobs depend on their data. But NO ...

        Boss wouldn't fork out the money either.

        Then he lost his pr0n collection - 6 drive RAID. First one drive failed ... not a problem, right. Then another on failed ... still not a problem, right? The the third one failed ... had to explain to him that it's mathematically impossible to recover. Guess he thought RAI

    • by mjwx ( 966435 )

      At first, I thought "but those bits in storage media were damaged by having their state changed, so that's physical damage.

      Then I thought - but the structures holding those bits are undamaged, their state can still be changed just fine, so it's not physical damage.

      Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

      PHB: Backups cost money, just make sure this ransomwear thing doesn't happen.

      Sadly I've seen plenty of businesses in recent years lose a load of data because they didn't think backups were important. The worst of the lot were people who thought redundancy would keep them safe.

      • At first, I thought "but those bits in storage media were damaged by having their state changed, so that's physical damage.

        Then I thought - but the structures holding those bits are undamaged, their state can still be changed just fine, so it's not physical damage.

        Then I thought ... MAKE BETTER BACKUPS, IT'S NOT F*ING ROCKET SCIENCE YOU MORONS.

        PHB: Backups cost money, just make sure this ransomwear thing doesn't happen. Sadly I've seen plenty of businesses in recent years lose a load of data because they didn't think backups were important. The worst of the lot were people who thought redundancy would keep them safe.

        Well, it did - they're now redundant :-)

  • The judgment against EMOI concludes that a software developer can't use its property insurance to cover losses.

    So information is not property?

    Yeah, yeah, in this particular case the insurance policy may have specified "physical property", but it is an example of information not being property...

    • by EvilSS ( 557649 )
      Nope. That is, after all, how we all justify piracy. If something can be infinitely copied then it's not "property" and has no real value.
  • So in other words (Score:5, Informative)

    by EvilSS ( 557649 ) on Friday December 30, 2022 @01:07PM (#63168446)
    Company either too cheap or too dumb to purchase a proper cyber insurance policy and now they are paying the price.
    • by mjwx ( 966435 )

      Company either too cheap or too dumb to purchase a proper cyber insurance policy and now they are paying the price.

      By "insurance policy" you mean proper backups kept on and off site, isolated from the system that could be compromised.

  • by LeeLynx ( 6219816 ) on Friday December 30, 2022 @01:10PM (#63168462)
    From the opinion (emphasis mine):

    In a letter denying the claim, Weaner identified two potentially applicable provisions in the insurance policy: the “Data Compromise” endorsement and the “Electronic Equipment” endorsement. Weaner quoted the language from the data-compromise endorsement that defined “personal data compromise” as well as the language that excluded coverage for “any threat, extortion or blackmail,” including but not limited to “ransom payments.”

    Weaner also explained that the electronic-equipment endorsement did not apply. The electronic-equipment endorsement provides:

    When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.

    The electronic-equipment endorsement defines “media” as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards.” The definition section further states that “media” includes “computer software and reproduction of data contained on covered media.” Weaner denied the claim under the electronic-equipment endorsement on the grounds that there was no “direct physical loss to the ‘media.’ ”

    So the insured tried to recover for ransom payments that were specifically excluded, and for costs of restoring information on media that did not incur physical loss or damage.

    The word 'media' has a definition and standard usage. It's a hell of a stretch to mix and match definitions of covered property and definitions of covered losses in the contract to inject ambiguity into the very, very obvious intent that data is covered property when it is lost or corrupted due to physical damage to media. There's a reason that the dissent at the Appellate level was short and fairly indignant. Contracts mean what they say they mean, you can't just invent coverage out of thin air, especially when it runs counter to the express language of the policy.

    tl;dr: This was very, very stupid, and never should have gone anywhere near this far.

    • So what you're saying is, this decision doesn't say that all ransomeware payments aren't covered by insurance, just those where the policy explicitly excludes them.
      • The decision says that ransomware is not physical damage to the disks. If your insurance policy only covers physical damage, it does not cover ransomware. Your insurance company probably has an additional option for coverage for ransomware.
      • by Anonymous Coward

        To use an analogy, it would be like requesting an RMA on a hard drive that is perfectly functional, and the only symptoms of a problem are "the files I deleted are no longer showing up"

  • I'm not enough of a lawyer to comment on whether or not the Supreme Court's ruling is appropriate or not. But the Appellate Court's statement: ..."the various types of damage that can occur to media such as software" makes it clear that they lack technical understanding of the issue. Software is not a medium. It may be stored on a medium, but that's not the same thing at all.
  • by belmolis ( 702863 ) <billposer.alum@mit@edu> on Friday December 30, 2022 @01:30PM (#63168532) Homepage
    A linguistic note: the court did not "move" anything. Someone asking the court to do something "moves" something. Its request to the court is a "motion". When a court makes a decision, it "holds" or "decides" or "rules". It does not "move".
  • So encrypting data or scrambling data isn't physical damage or loss by insurance terms, but if the ransomware hackers are caught, will they be charged with damaging data? Because I'm pretty sure that's exactly what they were charged with:
    https://www.usnews.com/news/po... [usnews.com]

    A man who authorities say participated in a ransomware campaign that extracted tens of millions of dollars from victims has been charged in the United States, the Justice Department announced Thursday.

    No lawyer for the 33-year-old Vasiliev, of Bradford, Ontario, Canada was listed on the court docket. He faces charges of conspiracy to intentionally damage protected computers and to transmit ransom demands.

    You can't charge someone with something and then turn around and said that said someone's action didn't do that thing so insurance doesn't cover it. Well, I mean, you can, but it's contradictory voids the whole point of, you know, the law.

    • by HiThere ( 15173 ) <charleshixsn@earthlinkLION.net minus cat> on Friday December 30, 2022 @02:06PM (#63168644)

      Read what others have said about the language of the insurance policy. This isn't a general ruling, but a ruling on what very specific language means. And, AFAIKT, it's the correct ruling.

      OTOH, it's a warning that if your insurance policy talks about physical damage rather than just damage, you'd better have your lawyer look it over in the context of this ruling. It's fairly clearly proper, but it addresses points that are easily overlooked.

      • Ahh, thank you. I skimmed the article and missed the part about the insurance company providing another type of insurance for "cyber loss". I guess I'm getting too cynical because now I feel like this is another McDonald's hot coffee lawsuit article (as in the company that loss is clearly in the wrong but they're making a bit publicity stink about it.).
  • Property Insurance, is a bit of a misnomer, but it's allowable since the actual coverage policy states what is and is not covered. When there exists a gap in terms of insurance coverage, the way to mitigate risk is to get a specific policy that underwrites the coverage you want.

    There is specific Cyber Security (Cyber Liability) Insurance for information property and situations just like this.

    Insurance companies, with expertise in these fields, will always want to sell you coverage, but the question is

  • The court in its final ruling gave the rationale that a computer might have physical electronic components that are "tangible" in nature but the information stored there has no "physical presence"

    It's a pattern of electrons. We copyright and patent patterns all the time. Something was lost.

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...