United States: Can There Be Coverage For A Ransomware Attack Under The Computer Fraud Provision Of A Commercial Crime Endorsement?

THE INDIANA SUPREME COURT WEIGHS IN

With the proliferation of computer crime these days, cyber insurance has become a must for businesses.  There are many different types of cyber coverage available on the market, and the coverage that an insured purchases will have an impact on whether a particular cyber loss is covered.  Recently, in G&G Oil Company of Indiana, Inc. v. Continental Western Insurance Company,¹ the Indiana Supreme Court analyzed whether a ransomware attack on a company was covered under the Computer Fraud section of the Commercial Crime Coverage Part of the insured's policy.  This article examines this decision and its ramifications.

THE DECISION IN G&G

In G&G, the plaintiff-insured, G&G Oil Company, had purchased an insurance policy covering the period from June 1, 2017 to June 1, 2018 from the defendant, Continental Western Insurance Company.² The policy contained a “Commercial Crime Coverage Part,” which included a “Computer Fraud” section providing the following coverage:

…Computer Fraud
We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.³

Although G&G could have purchased computer virus and computer hacking coverage from Continental, it declined to do so.⁴

On November 17, 2017, G&G found that it had been locked out of its computer systems.⁵  Its hard drives were encrypted, and one computer screen contained the message: “[t]o decrypt contact [email user]. Enter password.”⁶ G&G consulted the FBI and other experts, and contacted the hackers to regain access to its servers.⁷ It was able to do so after paying the requested ransom in bitcoin totaling nearly $35,000.⁸

G&G submitted a claim to Continental, which denied coverage on the ground that computer hacking was excluded under the policy because G&G had not purchased the computer hacking and computer virus coverage.⁹ Continental also determined there was no coverage because G&G voluntarily transferred the bitcoin to the computer hacker and, thus, the hacker did not “transfer funds directly” from G&G.¹⁰

Following the disclaimer, G&G sued Continental seeking coverage under the Commercial Crime Coverage Part.¹¹  Both G&G and Continental moved for summary judgment, and the trial court held in favor of the insurer, finding that G&G's loss was not “fraudulently caused” but, instead, was the result of theft.  Additionally, the trial court concluded that G&G's payment of bitcoin to the hacker was a “voluntary payment to accomplish a necessary result,” and therefore “did not qualify as a loss ‘resulting directly from the use of a computer'” as required under the policy.¹²

On appeal, the Indiana Court of Appeals affirmed, holding that the hacker “did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom” and also “did not pervert the truth or engage in deception to induce G&G to purchase the Bitcoin.”¹³ Because the Court of Appeals determined that there was no fraudulent transfer of property, it did not address the question of whether G&G's losses resulted directly from the use of a computer.¹⁴

The Indiana Supreme Court granted G&G's motion to transfer the case, thereby vacating the opinion of the Court of Appeals.¹⁵ After finding that G&G's failure to purchase computer hacking and computer virus coverage was not dispositive, the court examined judicial interpretations and dictionary definitions of the word “fraud,” and held that the phrase “fraudulently cause a transfer” was unambiguous and could be reasonably understood as simply “to obtain by trick.”¹⁶  Addressing G&G's motion for summary judgment first, the Supreme Court held that G&G's theory that the hacker had gained access to its computer system by trick, i.e., through a spear-phishing campaign, was not supported by sufficient evidence that would entitle G&G to summary judgment.¹⁷ However, the court also concluded that Continental was not entitled to summary judgment either, because there was a question of whether access to G&G's computer network had been obtained by trick:

Though little is known about the hack's initiating event, enough is known to raise a reasonable inference the system could have been obtained by trick. Resolving this question in G&G Oil's favor precludes summary judgment for Continental.¹⁸

The court then turned to the question of whether G&G's loss “resulted directly from the use of a computer,” noting that if G&G's loss was not the direct result of the use of a computer, Continental would be entitled to summary judgment.¹⁹   It began its analysis by referring to various dictionaries to ascertain the meaning of the word “directly,” which it concluded means “in a straightforward manner.”²⁰ Using this definition, the court held that G&G was required to show that its loss resulted either “immediately or proximately without significant deviation from the use of a computer,” and concluded that G&G had done so:²¹

Analyzing G&G Oil's actions in this case, its transfer of Bitcoin was nearly the immediate result—without significant deviation—from the use of a computer. . . . These payments were “voluntary” only in the sense G&G Oil consciously made the payment. To us, however, the payment more closely resembled one made under duress. Under those circumstances, the “voluntary” payment was not so remote that it broke the causal chain.  Therefore, we find that G&G Oil's losses “resulted directly from the use of a computer.”²²

CONCLUSION

In G&G, the Indiana Supreme Court held that there was a possibility of coverage under a Commercial Crime Coverage Part for a loss due to a ransomware attack on the insured even though the insured had declined to purchase available computer hacking and computer virus coverage. If the insurer had intended for loss or damage from ransomware attacks to be covered only under computer hacking and computer virus coverage, it should have written an exclusion into the Commercial Crime Coverage Part for any loss caused by a computer virus or the infiltration into the insured's computer network by a third party.

Further, according to the court, if the insured could show that the perpetrator of the ransomware attack had obtained access to the insured's computer systems “by trick,” there could be coverage under a provision obligating the insurer to pay for “loss or damage resulting directly from the use of any computer to fraudulently cause a transfer of covered property.”  Such provisions are typically intended to provide coverage for the loss of money or valuable property caused by an imposter who masquerades as a person with authority to approve or direct a transfer of such property and who tricks an employee of the insured into transferring the property to an unauthorized account.²³

Footnotes

1 G&G Oil Co. of Indiana v. Cont'l W. Ins. Co., 165 N.E.3d 82 (Ind. 2021)

2 G&G Oil Co. of Indiana v. Cont'l W. Ins. Co., 165 N.E.3d 82, 85 (Ind. 2021)

3 Id.

4 Id.  at 86.

5 Id. at 85.

6 Id.

7 Id.

8 Id.

9 Id. at 86.

10 Id.

11 Id.

12 Id.

13 Id.

14 Id.

15 Id.

16 Id.  at 87-89.

17 Id.

18 Id.

19 Id.  at 90.

20 Id.

21 Id.

22 Id.

23 E.g., Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc. 430 F. Supp. 3d 116 (E.D. Va. 2019).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.