Last July, we told you about a Court of Appeals decision dealing with whether a CGL policy covered a cyberware attack. That court held that there was no coverage. But the Indiana Supreme Court granted transfer and decided that there are issues of fact that must first be resolved.
G&G Oil bought a CGL policy from Continental. Among other things, that policy covered “commercial crime,” which was defined as a loss “resulting directly from the use of any computer to fraudulently cause a transfer of that property.” A ransomware attack locked G&G Oil out of its computer system in November 2017. G&G Oil paid the ransom, and it regained access to its computers.
G&G Oil submitted a claim to Continental, but Continental denied the claim because G&G Oil voluntarily paid the hacker, arguing that the policy only covered the loss if the hacker transferred the funds himself. G&G Oil filed a complaint, and each party moved for summary judgment. The trial court granted Continental’s motion, the Court of Appeals affirmed, and the Supreme Court granted transfer.
On transfer, the Court was tasked with answering two questions: “Whether the ransomware attack constitutes ‘fraudulent’ conduct under the terms of the Continental Policy and whether its loss ‘result[ed] directly from the use of a computer.’” It dealt with the “fraudulent” issue first.
The Court noted that while almost anything is ambiguous “if one were to squint hard enough,” that the term “fraudulently cause a transfer” is unambiguous. It looked to the definition of fraud, and agreed with a Seventh Circuit decision, which held that fraud is not limited to misrepresentations and misleading omissions:
Fraud is a generic term, which embraces all the multifarious means which human ingenuity can devise and which are resorted to by one individual to gain an advantage over another by false suggestions or by the suppression of truth. No definite and invariable rule can be laid down as a general proposition defining fraud, and it includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.
Given this definition and the “emerging area of law” dealing with the interplay between computer fraud coverage and computer hacking, the Court found that “reasonably intelligent policyholders” would agree that “the term ‘fraudulently cause a transfer’ can be reasonably understood as simply ‘to obtain by trick.’”
Given this test, the Court was not persuaded that G&G Oil designated sufficient evidence to show that its money has been obtained by trick.
We do not think every ransomware attack is necessarily fraudulent. For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage. There would be no trick there. G&G Oil’s belief of a spear-phishing campaign does not entitle it to summary judgment.
And Continental also failed to show that it was entitled to summary judgment.
Applying the same in-the-light-most-favorable standard to Continental’s motion, we think—as above—there is a question as to whether G&G Oil’s computer systems were obtained by trick. Though little is known about the hack’s initiating event, enough is known to raise a reasonable inference the system could have been obtained by trick. Resolving this question in G&G Oil’s favor precludes summary judgment for Continental.
Thus, neither party was entitled to summary judgment on this basis.
The Court then turned to whether the ransomware attack “directly” caused G&G Oil’s loss. Again, the Court looked to the definition of “directly,” and concluded that this meant that G&G was required to show “that its loss resulted either ‘immediately or proximately without significant deviation from the use of a computer.’” And the Court found that G&G Oil met this test.
Analyzing G&G Oil’s actions in this case, its transfer of Bitcoin was nearly the immediate result—without significant deviation—from the use of a computer. Though certainly G&G Oil’s transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The designated evidence indicates G&G Oil’s operations were shut down, and without access to its computer files, it is reasonable to assume G&G Oil would have incurred even greater loss to its business and profitability. These payments were “voluntary” only in the sense G&G Oil consciously made the payment. To us, however, the payment more closely resembled one made under duress. Under those circumstances, the “voluntary” payment was not so remote that it broke the causal chain. Therefore, we find that G&G Oil’s losses “resulted directly from the use of a computer.”
Given these conclusions, the Court remanded the case back to the trial court for further proceedings.
Lessons:
1. The Indiana Supreme Court recognizes that insurance coverage for computer fraud is an “emerging area of law.
2. When interpreting an insurance contract, the Court uses the ordinary meaning of words that also have a specific legal meaning.
3. In an insurance contract, “fraudulently cause a transfer” means “obtained by trick.”
4. Not all ransomware attacks are obtained by trick.
5. A loss is “directly” caused by a covered act if it “immediately or proximately without significant deviation” results from the covered act.