G&G Oil Co. of Indiana v. Cont’l W. Ins. Co., 2021 WL 1034982 (Ind. 2021)
It has been estimated that this year a business will fall victim to a ransomware every 11 seconds, causing up to $20 billion in damage.1 The Indiana Supreme Court’s decision in G&G Oil Co. of Indiana v. Cont’l W. Ins. Co. 2021 WL 1034982 (Ind. 2021) will likely lead to insurers seeing a spike in the number of Indiana businesses seeking coverage for those attacks under traditional crime commercial policies that were not intended to provide coverage.
In G&G Oil, a hacker used malicious software to infiltrate an oil company’s computer network, encrypt its servers, and password-protect its drives, rendering them useless. Ultimately, the company paid the hacker a ransom of four bitcoins worth about $35,000 to obtain the passwords needed to regain access to its servers. The company then sought reimbursement under the crime coverage part in its commercial crime policy, which had a “computer fraud” provision that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer of money.” The insurer denied coverage because the company had voluntarily made the payment and thus the hacker did not “transfer funds directly” from the company.
After suit was filed, both the insurer and the company moved for summary judgment on their coverage positions. The trial court denied the company’s motion for summary judgment and entered summary judgment for the insurer, finding that while the hacker’s ransomware attack was “devious, tortious and criminal, fraudulent it was not.” The Court of Appeals affirmed and found that the hacker did not deceive the company and thus did not use a computer to fraudulently cause the company to make the payment.
On transfer, the Indiana Supreme Court held that the company’s loss “resulted directly from the use of a computer,” but more facts were needed to determine whether the ransomware attack “fraudulently caused a transfer of money.” Thus, the Court reversed the trial court’s entry of summary judgment for the insurer, affirmed its denial of the company’s motion for summary judgment, and remanded the case for further proceedings.
The Court found that the company’s loss resulted “directly from the use of a computer” because the company’s transfer of the bitcoin was “nearly the immediate result—without significant deviation—from the use of a computer.” Reversing the lower courts, the Court rejected the insurer’s argument that the company voluntarily transferred the bitcoins to the hacker, which did not “transfer funds directly” from the company. The Court found the payment was “voluntary” only in the sense that the company “consciously made the payment.” Finding that the payment “more closely resembled one made under duress,” the Court found that the payment “was not so remote that it broke the casual chain,” and thus the company’s loss “resulted directly from the use of a computer.”
Based on the designated evidence, however, the Court found that there was a dispute of fact over whether the ransomware attack “fraudulently caused a transfer of money.” Although it agreed with the lower courts that the phrase was unambiguous, the Court found that the lower courts interpreted the phrase too narrowly. The Court looked to its own precedent and dictionaries defining “fraud” to require a “misrepresentation” or “concealment” of fact or to mean an “unconscionable dealing” or an “act of deceiving or misrepresenting.” The Court then turned to a Seventh Circuit case that stated fraud was not limited to misrepresentations but included “all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.” Finding that these definitions were “not that far apart,” the Court found that the phrase “fraudulently cause a transfer” could be reasonably understood to mean “simply to obtain by trick.” (Internal quotation marks omitted).
Although the insured believed that the hacker took over the computer system through spear-phishing campaigns, the Court rejected the assertion that every ransomware attack is necessarily fraudulent. “For example,” the Court explained, “if no safeguards were put in place, it is possible a hacker could enter a company’s severs unhindered and hold them hostage,” in which case there would be “no trick.” Although “little [was] known about the hack’s initiating event,” the Court found “enough is known to raise a reasonable inference the system could have been obtained by trick.” Thus, the case was remanded to the trial court for further proceedings.
1Morgan, Steve, “2021 Report: Cyberwarfare In The C-Suite.” Cybersecurity Ventures. 21 Jan. 2021. Retrieved from https://cybersecurityventures.com/wp-content/uploads/2021/01/Cyberwarfare-2021-Report.pdf (last visited Apr. 16, 2017)