In a pro-insurance coverage ruling, the Indiana Supreme Court reversed a lower court’s decision that crime coverage did not exist for a ransomware attack, while finding that fact issues prevented a ruling at this time on one key coverage issue. G&G Oil Co. of Indiana, Inc. v. Contl. W. Ins. Co., 20S-PL-617, 2021 WL 1034982 (Ind. Mar. 18, 2021)
The case concerned an unfortunately all too typical attack on G&G Oil’s computer system: ransomware. Specifically, the attack arose from a “malicious computer code that renders the victim’s computer useless by blocking access to the programs and data.” Id. at *1. After consulting the FBI, G&G Oil paid the requested ransom with four bitcoins worth nearly $35,000 to regain access to its computer system.
G&G Oil’s commercial crime policy provided coverage for loss or damage to “money,” “securities” and “other property” “resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
- To a person (other than a “messenger”) outside those “premises”; or
- To a place outside those “premises”.
The court addressed two coverage issues, including: (1) whether the ransomware attack constitutes “fraudulent” conduct under the terms of the subject policy, and (2) whether the loss ‘resulted directly from the use of a computer.’
Preliminarily, the court considered the insurance company’s argument that since G&G Oil had not purchased coverage for computer hacking and computer virus in a separate part of the policy, G&G Oil’s ransomware claim was “excluded”. However, the Court disagreed, holding that G&G Oil’s refusal to purchase such coverage was not dispositive. The Court concluded that the structure of the policy required that each coverage part had to be “read individually unless otherwise specified.” Id. at *3.
The Indiana Supreme Court found that the policy language was unambiguous. The Court, however, rejected the lower courts’ interpretation of the term ‘fraud’, ruling that the construction was too narrow. Looking to multiple sources, including dictionary definitions, the Court found that the terms “fraudulently cause a transfer” can be reasonably understood from the standpoint of a reasonably intelligent policyholder “as simply ‘to obtain by trick.’” Id. at *4. The Court relied on authority for the rule that the purpose of insurance is to insure.
However, in analyzing the parties’ cross-motions, the court held that neither G&G Oil nor its insurance company were entitled to summary judgment. The court reasoned that not every ransomware attack was fraudulent, finding, for example, that: “if no safeguards were put in place, it is possible a hacker could enter company’s servers unhindered and hold them hostage. There would be no trick there.” Id. at *5. The Court found that the record was incomplete, and remanded the case and left G&G Oil to its proof.
The Court similarly held the insurance company was not entitled to summary judgment because it was unclear whether G&G Oil’s computer systems were accessed and infiltrated by “trick”, particularly since little was on the court record about the initiating events giving rise to the computer hack. In resolving this question in favor of G&G Oil, the non-moving party, the Court held the insurance company was not entitled to summary judgment on its cross-motion. Id.
Next, the Court examined whether G&G Oil’s loss resulted directly from the use of a computer. On the one hand, G&G Oil argued that its loss resulted directly from the use of a computer, which would be covered under the policy. On the other hand, the insurance company argued G&G’s voluntary transfer of bitcoin was an intervening cause that severed the causal chain such that, the loss allegedly did not result “directly” from the use of a computer.
The lower courts agreed with the insurance company, holding that the loss did not result ‘directly from the use of a computer.’ Specifically, the lower court found that the voluntary payment of bitcoin by G&G Oil to satisfy the ransomware demand was an intervening cause of the loss. In reversing the lower courts, the Indiana Supreme Court again looked to multiple sources, including dictionary definitions, and held that G&G Oil’s claim satisfied the definition of “resulting directly from the use of a computer,” in that G&G Oil’s actions (i.e., the transfer of bitcoin) was “nearly the immediate result – without significant deviation – from the use of a computer.” Id. at *6. In so holding, the Court acknowledged G&G Oil’s transfer of bitcoin was voluntary, but “only in the sense G&G Oil consciously made the payment.” Id. The court found that under the facts, the payment “more closely resembled one made under duress,” and was not so remote that the payment broke the causal chain. Id.
The Indiana Supreme Court decision is an important one for all policyholders, particularly given the drastic increase in ransomware attacks in recent years. Policyholders with traditional crime insurance policies should be encouraged by this decision, which is yet another example that policyholders should not accept a coverage denial at face value. Many insurance companies will attempt to apply an improperly narrow interpretation of the scope of insurance protection under their insurance policies.
One must applaud G&G Oil’s perseverance in seeing its insurance claim through coverage denials and pro-insurance company rulings before getting to the Indiana Supreme Court. It is a lesson in persistence for all policyholders. Some organizations will have purchased cyber insurance policies that provide coverage for ransomware. G&G Oil potentially provides coverage for those that did not under their commercial crime policies.