Although litigation against ransomware groups or individual hackers can be difficult due to the anonymous nature of the attack, new litigation has developed recently targeting both businesses who have been the subject of the attacks and individual hackers.
Emoi Servs., L.L.C. v. Owners Ins. Co. (2022)
Emoi Servs. L.L.C. was a software company who experienced a ransomware attack on September 12, 2019 after a hacker demanded a ransom of 3 bitcoins for a decryption key to access lost files. Emoi filed an insurance claim under their insurance policy with Owners Insurance Co., but the court concluded that the attack didn’t result in “direct physical loss or damage to covered media, and therefore, the policy did not cover EMOI's losses.”.
Woodall v. Octapharma Plasma, Inc. (2024)
Octapharma, a company which operates more than 190 blood plasma donation centers, was the subject of a massive cyberattack that exposed sensitive personal information including Social Security numbers and financial data. They recently agreed to a $2.55M Settlement after being sued for various torts including negligence and a breach of their fiduciary duty for not having the appropriate monitoring and security systems to prevent such an attack.
National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co. (2020)
National Ink sued their insurer, Casualty Insurance, after being the victim of a ransomware attack and attempting to receive coverage from their general insurance policy. The court held that damage to a computer data/software system was considered “direct physical loss or damage to property” because loss of some functionality should have still been covered.
Surfside Non-Surgical Orthopedics v. Allscripts Healthcare Solutions, Inc. (2018)
In
2018, Allscripts, a Florida company that sold e-prescribing services to
medical providers, was sued for a ransomware attack that prevented
1,500 clients from accessing their client information. The plaintiffs
(Surfside) in the class action complaint accused Allscripts of being
“wanton, willful, and reckless” with respect to protection deficiencies.
Plaintiffs also argued that SamSam, the ransomware that was employed
against Allscripts, had been a well-known threat for about two years
before the suit was filed, and that Allscripts did not adequately
protect against such threats. The Court dismissed Surfside’s claim for
lack of standing to sue.