Typically, comprehensive cyber insurance policies, rather than commercial crime policies, respond to claims of data breach and other cybercrimes. With the rise in hacking and ransomware attacks worldwide, businesses that may have chosen not to purchase cyber insurance may find themselves without coverage in the event of a cyberattack.
A recent decision by the Indiana Supreme Court rejected a policyholder’s attempt to force a cyber claim into coverage under a commercial crime policy as a matter of law. In G&G Oil Co. of Ind. v. Cont’l W. Ins. Co.,[1] G&G Oil (“G&G”) was subjected to a ransomware attack that left its computer servers and drives encrypted and inaccessible. In order to obtain a decryption passcode that would allow G&G to regain access to its servers, G&G paid a ransom of approximately $35,000 to the hacker in Bitcoin. Following the incident, G&G filed a claim with its insurer, Continental Western Insurance Company (“Continental”), seeking to recover the ransom it had paid.
Although G&G had specifically declined to purchase computer hacking and computer virus coverage, it sought coverage under the “computer fraud” section of its commercial crime policy. That clause provided:
Computer Fraud
We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
- To a person (other than a “messenger”) outside those “premises”; or
- To a place outside those “premises”.
Continental denied the claim because G&G had declined to purchase the computer hacking coverage. More importantly, however, Continental also argued that the ransom payment did not fall within the computer fraud coverage because it did not result directly from the use of a computer and because the money was voluntarily paid and not fraudulently transferred.
The trial court sided with Continental, finding that G&G Oil’s payment to the hacker did not qualify as a loss “resulting directly from the use of a computer” under the Policy and instead “was a voluntary payment to accomplish a necessary result.”[2] The Court of Appeals affirmed the decision in a unanimous opinion, finding that “the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom” and that “the hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase Bitcoin.”[3]
On appeal, the Indiana Supreme Court addressed whether the ransomware attack constitutes “fraudulent conduct” under the policy, and whether the loss resulted directly from the use of a computer. While the lower courts’ decisions were reversed, the high court did not conclude that there was coverage available. Rather, it held that neither party was entitled to summary judgment based on the facts.
First, the Supreme Court recognized that G&G had failed to purchase the coverage that may very well have applied to the ransomware attack. However, it did not find that dispositive because each part of the policy must be read individually.
Next, the Supreme Court considered the language of the computer fraud coverage. It found the phrase “fraudulently cause a transfer” to be unambiguous, but construed too narrowly by the lower courts. The Court recognized that the “interplay between computer fraud coverage and computer hacking is an emerging area of the law,” and concluded that computer hacking can take multiple forms. The term “fraudulently cause a transfer” meant “to obtain by trick.” The Court decided that not every ransomware attack is fraudulent. For example, if no safeguards were put in place, a hacker could enter servers and hold them hostage without any trick. There was a question as to whether access to G&G’s computer systems was obtained by trick, and little was known about the hack itself.
Next, the Court examined whether the loss “resulted directly from the use of a computer.” Continental had argued, and the lower courts had agreed, that G&G’s voluntary transfer of Bitcoin was an intervening cause that severed the causal chain of events from the computer to the loss. The Court concluded that although G&G’s transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The payment was made under duress, essentially, and therefore it was not so remote that it broke the causal chain.
The G&G Oil decision does not mean that commercial crime policies will necessarily afford coverage for cyberattacks, or that commercial crime insurance is a replacement for cyber insurance. In the future, as this area of the law becomes further developed, we expect that courts may also consider the fact that cyber policyholders often undergo a thorough vetting process of their cybersecurity defenses. This process may help to identify and address potential vulnerabilities before policies are issued, and to allow insurers more of an understanding of the risks involved. By contrast, the underwriting process for traditional crime insurance policies may not include a cybersecurity focused examination of the potential insured.
What is certain from the G&G Oil case is that Indiana courts will interpret policy language based on the terms used, and will evaluate each claim on the specific facts involved.
[1] 165 N.E.3d 82 (Ind. 2021)
[2] G&G Oil Co. of Indiana v. Continental Western Ins. Co., No. 49D06-1807-PL-028267, 2019 WL 12023254, at *3 (Ind.Super. May 30, 2019)
[3] G&G Oil Co. of Indiana v. Cont’l W. Ins. Co., 145 N.E.3d 842, 847 (Ind. Ct. App.), reh’g denied (June 4, 2020), transfer granted, opinion vacated, 157 N.E.3d 527 (Ind. 2020), and vacated sub nom. G&G Oil Co. of Indiana v. Cont’l W. Ins. Co., 165 N.E.3d 82 (Ind. 2021).