In what one justice described as an “emerging area of law,” the Indiana Supreme Court recently issued an opinion that insurance lawyers say provides, for the first time, concrete guidance in Indiana on how far computer fraud insurance can extend against hacks.
The Indiana Supreme Court on March 18 issued its decision in G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., 20S-PL-617. The case was remanded for proceedings in Marion Superior Court, but the plaintiff’s lawyers and attorneys representing policyholders are marking the ruling as a victory.
The underlying issue is common in the digital age: G&G Oil Company of Indiana Inc. suffered a ransomware attack, and the company paid out nearly $35,000 to regain access to its servers. But what was unique about the case was its issue of first impression: whether coverage of “computer fraud” includes coverage of ransom payments to hackers.
While the result is still pending trial court resolution, lawyers representing insureds say the Supreme Court opened the door to more inclusive coverage.
“The big takeaway … is that there may well be coverage for computer-driven, technologically driven thefts that are made under business (insurance) policies,” said George Plews, a partner at Plews Shadley Racher & Braun, which represented G&G Oil. “That’s really important for Indiana businesses.”
Continental Western Insurance Co. had succeeded against G&G Oil’s claim for coverage at the trial court and the Indiana Court of Appeals. The trial court likened G&G Oil’s hacker to a burglar or a car thief, both of whom are “forthright” in their schemes. A “fraudster,” in contrast, is not forthright.
The Court of Appeals applied similar logic, defining fraud as the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” Here, the COA held, while the hacker acted criminally, he did not pervert the truth to force G&G Oil to pay nearly $35,000 in bitcoins.
Lawyers for Continental declined to comment on the Supreme Court’s decision, noting the case is ongoing. But in its brief opposing transfer, the insurer argued the litigation was a “routine case of the interpretation of an insurance policy … .”
G&G Oil argued the lower appellate court improperly applied a narrow definition of fraud. But according to Continental’s brief, the COA applied longstanding canons of interpretation and simply arrived at a different conclusion than the plaintiff.
The Supreme Court, however, reversed both lower courts and adopted a broader definition of fraud. Justice Steven David said the term could be “reasonably understood as simply ‘to obtain by trick.’”
The justices also analyzed the definition of the phrase “resulting directly from the use of a computer,” a term of G&G Oil’s coverage for money losses due to computer fraud. Continental argued G&G Oil’s payment to the hacker did not satisfy that term, and the trial court likewise found it was a “voluntary payment to accomplish a necessary result.”
The justices, however, rejected the argument that G&G Oil’s intervening steps — consulting with the FBI and other technology services — eliminated the causal connection between the alleged fraud and the eventual payment. The payment was “nearly the immediate result — and without significant deviation — from the use of a computer,” David wrote.
“These payments were ‘voluntary’ only in the sense that G&G Oil consciously made the payment,” the court ruled.
Nicholas Reuhs, a partner at Ice Miller LLP in Indianapolis and leader of the firm’s insurance recovery and counseling practice, said the biggest takeaway of the G&G Oil decision is the court’s analysis of the “resulting directly” language.
“What the court said is, it doesn’t mean the bad guy has to be the one pressing the transfer button,” Reuhs said. “He’s not the one that actually sends the money off, but that’s the standard insurers applied.”
Reuhs represents policyholders and said the court’s March 18 ruling directly impacted one of his cases by prompting the opposing insurance company to reevaluate its coverage position. Meghan Ruesch, a partner at Lewis Wagner LLP, had the same experience but from the opposite perspective representing an insurer.
Ruesch acknowledged the high court’s ruling clarified the meaning of fraud, but she also noted insurance disputes are fact-specific. Indeed, the justices did not enter judgment for either party in G&G Oil but instead remanded for proceedings in light of its decision. In doing so, the court affirmed the denial of summary judgment to G&G Oil but reversed judgment for Continental.
Regardless of which side they represent, the lawyers agreed that the justices’ definitions of “fraud” and “resulting directly” will cause insurance companies to reexamine their policy language.
“I think it is something the insurance industry needs to take a hard look at … to say, ‘Is that what we intended, or do we need to change?’ Or, ‘What we really meant was a direct line of causation, not just that a computer was used,’” Ruesch said.
Insurance companies were already in the process of making their policy language more precise, Plews said. Cyber insurance is still a relatively new concept, and insurers have been continually responding to developments in technology and caselaw.
The G&G Oil case attracted two amici: United Policyholders and the Indiana Food & Fuel Association Inc. Scot Imus, executive director of IFFA, said G&G Oil is a member of his organization, which is why it got involved.
Amy Bach, executive director of United Policyholders — a nonprofit insurance consumer advocacy group — said this case is yet another example of the law trying to catch up with technology. Scott Godes, a partner in Barnes & Thornburg LLP’s Washington, D.C., office who represented United Policyholders, noted the nature of cyberthreats has evolved over time.
For example, hackers 10 years ago were after personally identifiable information or protected health information, which could be sold on the dark web, Godes said. The trend then became stealing credit card numbers, which also could be sold. Now, it’s more common for hackers to use ransomware and similar attacks to force direct payments to hackers.
“With the form of the attacks changing regularly, the question of insurance comes down to: How is insurance keeping up, if at all, with what can be done when insurance policies are not written to cover a particular event?” Godes said.
Justice David referenced this evolution, writing that “the interplay between computer fraud coverage and computer hacking is an emerging area of the law.” Further, “computer hacking can take multiple forms. It can hardly be disputed that today’s digital environment invites evolving degrees of cyber-malfeasance.”
That evolution is part of the reason the justices remanded the case: “We do not think every ransomware attack is necessarily fraudulent. For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage. There would be no trick there. G&G Oil’s belief of a spear-phishing campaign does not entitle it to summary judgment.”
But even with specific questions pending in G&G Oil, Reuhs said the decision raises a more general question for the insurance industry.
“To the extent the Court of Appeals ruled in favor of insurers, and to the extent that I am a commercial insurer who issued a denial letter that relied on the Court of Appeals’ opinion in G&G Oil, is it incumbent on me to reach out and reissue a letter saying, ‘This is no longer good law’?” Reuhs asked, noting he does not know the answer. “It’s an interesting question.”•