Neither an insurer nor a claimant was entitled to summary judgment in a dispute over coverage of a ransomware attack, the Indiana Supreme Court has ruled, sending the case back to the trial court.
For a one-year period beginning June 1, 2017, G&G Oil Co. of Indiana was covered under a commercial insurance policy from Continental Western Insurance Co. The police included “Commercial Crime Coverage,” which provided that Continental would “pay for loss or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’” to a person or place outside those premises.
Thus, after G&G Oil paid nearly $35,000 to release its servers from a ransomware attack in November 2017, it submitted a claim for coverage with Continental. But Continental denied coverage, finding, among other things, that the $35,000 in Bitcoin was voluntarily transferred to the hacker, so the hacker did not “transfer funds directly” from G&G Oil
G&G Oil responded with a lawsuit in the Marion Superior Court, and both parties moved for summary judgment. The trial court ruled in favor of the insurer, and the Indiana Court of Appeals affirmed.
After granting transfer, the Indiana Supreme Court issued a partial reversal, overturning the judgment in favor of Continental but affirming the denial of G&G Oil’s motion for summary judgment
Focusing on the policy language “fraudulently cause a transfer,” Justice Steven David first wrote for the unanimous court that the phrase was unambiguous. He pointed to various definitions of “fraud” in both dictionaries and caselaw, including “knowing misrepresentation,” “material misrepresentation” and “intentional perversion of truth,” among others.
“Ultimately, we do not think reasonably intelligent policyholders would disagree over this term’s definition,” David wrote. “… The definitions from caselaw and dictionaries are not that far apart, and the term ‘fraudulently cause a transfer’ can be reasonably understood as simply ‘to obtain by trick.’”
Applying that definition to the parties’ cross-motions, the court determined neither party was entitled to summary judgment.
“Resolving all questions and construing this evidence in the light most favorable to Continental … we cannot say with confidence G&G Oil has designated reliable evidence to entitle it to summary judgment,” David wrote for the court. “We do not think every ransomware attack is necessarily fraudulent.
“For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage,” the justice continued. “There would be no trick there. G&G Oil’s belief of a spear-phishing campaign does not entitle it to summary judgment.”
Likewise as to Continental, the justices reversed based on the finding that “there is a question as to whether G&G Oil’s computer systems were obtain by trick.”
“Though little is known about the hack’s initiating event, enough is known to raise a reasonable inference the system could have been obtained by trick. Resolving this question in G&G Oil’s favor precludes summary judgment for Continental,” David wrote.
The high court also grappled with a second question: whether G&G Oil’s loss “resulted directly from the use of a computer.” The justices ultimately answered that question negatively, thus defeating summary judgment for the insurer.
“In order to obtain coverage under this provision, G&G Oil must demonstrate that its loss resulted either ‘immediately or proximately without significant deviation from the use of a computer,’’’ David wrote. “We think that G&G Oil has satisfied that definition.
“Analyzing G&G Oil’s actions in this case, its transfer of Bitcoin was nearly the immediate result — without significant deviation — from the use of a computer,” the court concluded. “… Under those circumstances, the ‘voluntary’ payment was not so remote that it broke the causal chain. Therefore, we find that G&G Oil’s losses ‘resulted directly from the use of a computer.’”
The court remanded the case, G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., 20S-PL-617, for further proceedings.