Indiana Supreme Court Decrypts Computer Crime Coverage
The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.
Over three years ago, G&G Oil was locked out of its computer systems by a hacker following a social engineering fraud that was allegedly initiated by a targeted spear-phishing email. After consulting with the FBI and other tech services, G&G Oil paid a Bitcoin ransom to regain access to its computer systems and operations.
G&G Oil turned to its insurer, Continental Western Insurance Company, seeking coverage under a policy providing “Computer Crime Coverage.” That provision agreed to cover “loss or damage . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property . . . .” Continental denied the claim because, according to Continental, the Bitcoin was voluntarily transferred and did not result directly from the use of a computer.
G&G Oil filed suit in Indiana state court. The trial court likened the ransomware attack to a burglar climbing through a window rather than fraud and thus concluded that the hacker did not “fraudulently cause a transfer.” The trial court also found that G&G Oil’s “voluntary” Bitcoin payment broke the causal chain of events originating from the use of a computer. The trial court granted summary judgment in favor of Continental and the appellate court affirmed. In March, the Indiana Supreme Court weighed in and reversed on both issues.
First, the Indiana Supreme Court considered the meaning of the phrase “fraudulently cause a transfer.” The court held the phrase was unambiguous, but was construed too narrowly by the lower courts. The court reviewed case law and dictionary definitions regarding the meaning of “fraud,” and concluded that the phrase “can be reasonably understood as simply ‘to obtain by trick.’” The court noted that not every ransomware attack is necessarily fraudulent, such as where there are no safeguards in place and a hacker accesses a company’s servers unhindered—in which case, there is no “trick” involved. Thus, the court concluded neither party was entitled to summary judgment because there were questions of fact surrounding whether access to G&G Oil’s servers was obtained by “trick.”
Second, the court analyzed the meaning of the phrase “resulting directly from the use of any computer.” Relying on dictionary definitions, the court concluded that the phrase meant that the loss must result either “immediately or proximately without significant deviation from the use of a computer.” In applying this standard, the court disagreed with the trial court’s conclusion that “G&G Oil’s voluntary transfer of Bitcoin was an intervening cause that severed the causal chain of events.” The court reasoned that the transfer was only voluntary in the sense that G&G Oil decided to pay the ransom and, instead, more closely resembled a payment “made under duress.” The court held G&G Oil’s transfer of Bitcoin satisfied the standard because it “was nearly the immediate result—without significant deviation—from the use of a computer.”
The Indiana Supreme Court’s decision is a refreshing reminder that coverage grants must be construed broadly in favor of coverage and that context is key when evaluating causation, which should be viewed pragmatically. It is also a reminder that policyholders should carefully evaluate cyber policies, identify coverage gaps caused by imprecise wording and strive to correct those provisions before the inception of coverage. In G&G Oil, Justice David noted that the “interplay between computer fraud coverage and computer hacking is an emerging area of the law.” The uncertainty among courts and the increase in ransomware attacks and other computer-related crimes emphasize the need for policyholders to be proactive in ensuring coverage for cyber events. For properly covered policyholders, G&G Oil gives courts a good road map for evaluating coverage.