By Jon Noyes, Wilson Kehoe Winingham
G&G Oil Company of Indiana purchased a “Commercial Crime Coverage” policy from Continental Western Insurance Company. The policy included a “Computer Fraud” provision, which covered losses “resulting directly from the use of any computer to fraudulently cause a transfer of money.” After purchasing the policy, G&G Oil was the victim of a ransomware attack and paid the ransom. G&G Oil made a claim to Western under the Commercial Crime Coverage policy, but Western denied the claim. The dispute entered litigation, and the Indiana Supreme Court was asked to determine “whether the ransomware attack ‘fraudulently caused a transfer of money’ and whether the loss ‘resulted directly from the use of a computer.’”
G&G Oil argued the term “fraudulently cause a transfer” is ambiguous, but the court disagreed. The court noted that “fraudulently cause a transfer” is understood by laypersons more generically than its legal definition and can be reasonably understood as “to obtain by trick.” Using this definition, the court ordered the parties to conduct more discovery because it could not determine whether the ransomware hackers obtain G&G Oil’s funds by trick. If G&G Oil had no safeguards such that the hackers entered G&G Oil’s servers unhindered, there would be no trick. However, if the hackers resorted to deception, then they fraudulently caused G&G Oil’s transfer of money.
The court also held that G&G’s loss resulted directly from the use of a computer. The court defined “resulting directly from the use of a computer” to mean “immediately or proximately without significant deviation from the use of a computer.” It then reasoned G&G Oil’s payment of the ransom, although “voluntary,” was “nearly the immediate result” from hacker’s use of a computer to ransom its data.
Though certainly G&G Oil’s transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The designated evidence indicates G&G Oil’s operations were shut down, and without access to its computer files, it is reasonable to assume G&G Oil would have incurred even greater loss to its business and profitability. These payments were “voluntary” only in the sense G&G Oil consciously made the payment. To us, however, the payment more closely resembled one made under duress. Under those circumstances, the “voluntary” payment was not so remote that it broke the causal chain. Therefore, we find that G&G Oil’s losses “resulted directly from the use of a computer.”
The Indiana Supreme Court’s opinion resolves an issue of first impression on how to interpret computer hacking insurance policies as ransomware becomes a more prevalent risk for Indiana businesses. The opinion citation is G&G Oil Co. of Ind. v. Cont’l W. Ins. Co., 165 N.E.3d 82 (Ind. 2021). It can also be found here.
If you would like to submit content or write an article for the Insurance Coverage Section, please email Kara Sikorski at firstname.lastname@example.org.