COA rules for insurer that declined to cover ransom paid to hacker

A Hoosier oil company that suffered monetary losses after a ransomware attack on its computer system did not convince the Indiana Court of Appeals that its insurance policy included coverage for such attacks.

After its computer network servers and workstations were hijacked and held for ransom in exchange for bitcoins, G&G Oil Co. of Indiana paid a hijacker $34,477.50 to regain control of its systems.

G&G, insured at the time by Continental Western Insurance Company, submitted a claim to Continental requesting coverage for the ransomware attack and ensuing losses under the computer fraud provision included in the Commercial Crime Coverage Part of its insurance policy. But the claim was denied when Continental noted that G&G never purchased the optional computer virus and hacking coverage offered under the agricultural output coverage part of the policy.

The insurance company also concluded that G&G’s losses did not result directly from the use of a computer to fraudulently cause a transfer of G&G’s funds. Prompted to file a complaint in Marion Superior Court, G&G sought judgment requiring Continental to indemnify G&G for the losses incurred as a result of the ransomware attack.

But the trial court denied G&G’s motion for summary judgment, granting it instead to Continental, concluding that “(t)he hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious and criminal, fraudulent it was not.” It also found that G&G’s losses did not directly result from the use of a computer but from a “voluntary payment to accomplish a necessary result.”

In affirming the trial court, the Indiana Court of Appeals similarly concluded that the ransomware was not covered under the policy’s computer fraud provision.

“Here, the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring G&G’s access to its computers,” Judge Paul D. Mathias wrote for the appellate court.

It therefore affirmed the trial court’s order in G&G Oil Co. of Indiana v. Continental Western Insurance Company, 19A-PL-01498. Because the issue is dispositive, the appellate court declined to address G&G’s argument that trial court erred when it concluded that the company’s losses did not result “directly” from the use of a computer.

Please enable JavaScript to view this content.

Story Continues Below