The ransom paid in response to a ransomware attack was held not to be covered under the “Computer Coverage” of an insurance policy because the attack and the ransom demand did not amount to “fraud”, as opposed to a mere theft (criminal and deceptive as it may have been).
G&G Oil Co. of Indiana v. Continental Western Insurance, 2020 Ind. App. LEXIS 126 (C.A. Indiana)
Facts + Issues
On 17 November 2017 the Plaintiff insured G&G Oil Co. discovered that it was the victim of a ransomware attack. A hacker had gained access to its computer network and encrypted its servers and workstations, locking the employees out. The hacker demanded a ransom of 3 bitcoins to provide G&G Oil with the passwords to allow it to access its system again.
G&G Oil paid the 3 bitcoin ransom but the hacker refused to provide it with the passwords, demanding an additional bitcoin be paid. G&G Oil ultimately paid the hacker the additional bitcoin and the hacker provided it with the passwords. G&G Oil paid a total of $34,477.50 for the 4 bitcoins.
On 29 November 2017 G&G Oil claimed against the multi-peril commercial common policy issued to it by the Defendant Continental Western Insurance Co. The policy contained a number of parts, including an “Agricultural Output Coverage Part” and a “Commercial Crime and Fidelity Coverage Part”. G&G Oil had not purchased the optional “Computer Virus and Hacking Coverage” available under the Agricultural Output Coverage Part. The policy contained the following provision:
Coverage is provided under the following Insuring Agreements for which a Limit of Insurance is shown in the Declarations and applies to loss that you sustain resulting directly from an "occurrence" taking place during the Policy Period shown in the Declarations . . .
The relevant provision in the Commercial Crime and Fidelity Coverage Part was as follows:
6. Computer Fraud
We will pay for loss of or damages to "money", "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises":
a. To a person (other than a "messenger") outside those "premises"; or
b. To a place outside those "premises".
The terms “fraud” and “fraudulently” were not defined in the policy.
The insurer declined the claim and both sides applied for summary judgment. The insurer argued that the insured had not purchased the optional Computer Virus and Hacking Coverage and that the loss did not result from the use of a computer to “fraudulently” cause a transfer of funds. The insured took the position that the ransomware attack was analogous to an act of theft, as opposed to fraud.
The trial judge held for the insurer:
Pursuant to the terms of the Policy, G&G Oil's loss must be "fraudulently caused." Here, the hacker inserted himself into G&G Oil's system. That may have involved some sort of deception, but no more than the burglar inserts himself into a house by picking a lock or climbing through a window or the auto thief who steals a car by accessing a FOB or a key through surreptitious means. G&G Oil may prefer to brand all three as fraudsters, but with good reason, the law labels one a burglar, the other a car thief and the third a hacker. Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme. The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious and criminal, fraudulent it was not. [footnotes omitted]
The trial judge further held that the insured’s losses resulted from a “voluntary payment to accomplish a necessary result” and did not directly result from the use of a computer.
The insured appealed. On appeal it argued that the terms “fraud” and “fraudulently”, being undefined in the policy, should be interpreted broadly to mean “unconscionable dealing” in addition to a "knowing misrepresentation or concealment of a material fact", relying on a bankruptcy decision. It argued that the ransomware attack was deceptive and unconscionable. Furthermore, the insured argued that the hacker had gained access to the insured’s computer network by "misrepresenting his authority to enter and control those machines" and had also cheated the insured by claiming that he would disclose the passwords in return for 3 bitcoins, but then demanding a fourth bitcoin before providing them.
HELD: For the Defendant insurer; appeal dismissed.
- The Court summarized the principles of interpretation for insurance contracts:
P12 We review an insurance policy using the same rules of interpretation applied to other contracts; that is, if the language is clear and unambiguous we will apply the plain and ordinary meaning. Adkins v. Vigilant Ins. Co., 927 N.E.2d 385, 389 (Ind. Ct. App. 2010), trans. denied. An insurance policy is ambiguous if a provision is susceptible to more than one interpretation and reasonable persons would differ as to its meaning. Id. An ambiguity does not exist merely because the parties favor different interpretations. Id. If the policy contains ambiguous provisions, they are construed in favor of the insured. United Farm Family Mut. Ins. Co. v. Matheny, 114 N.E.3d 880, 885 (Ind. Ct. App. 2018), trans. denied. "This strict construal against the insurer is driven by the fact that the insurer drafts the policy and foists its terms upon the customer. The insurance companies write the policies; we buy their forms or we do not buy insurance." Id. (quoting Meridian Mut. Ins. Co. v. Auto-Owners Ins. Co., 698 N.E.2d 770, 773 (Ind. 1998)).
P13 An insurance contract that is unambiguous must be enforced according to its terms, "even those terms that limit an insurer's liability." Sheehan Constr. Co. v. Cont'l Cas. Co., 935 N.E.2d 160, 169 (Ind. 2010). The power to interpret insurance contracts "does not extend to changing their terms, and we will not give insurance policies an unreasonable construction to provide added coverage." Adkins, 927 N.E.2d at 389. In other words, we may not extend coverage beyond that provided by the unambiguous language of the contract. Sheehan Constr. Co., 935 N.E.2d at 169. "[I]nsurers have the right to limit their coverage of risks and, therefore, their liability by imposing exceptions, conditions, and exclusions." Id.
- The Court held that the hacker had not caused the insured’s losses by “fraud” but by means of a simple theft, akin to a burglar breaking into physical premises and stealing property:
P17 Although Continental encourages us to interpret the policy to allow coverage only for tortious or criminal acts of fraud, it contends that if G&G Oil's definition is applied, "even the layperson's definition of 'fraud' . . . requires 'intentional perversion of truth' and/or 'an act of deceiving or misrepresenting.'" Appellant's Br. at 22. Continental agrees that the hacker's acts were illegal but that he or she did not commit any act that could be classified as "fraud" when the hacker demanded ransom in exchange for the passwords that would allow G&G Oil to regain access to its computer system.
P18 As the term is commonly understood and defined, fraud is the "intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right." Fraud, Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/fraud (last visited on March 23, 2020) [https://perma.cc/R3JX-PFGH]. Similarly, the American Heritage Dictionary defines fraud as "[a] deception practiced in order to induce another to give up possession of property or surrender a right." Fraud, American Heritage Dictionary, https://ahdictionary.com/word/search.html?q=Fraud (last visited on March 23, 2020) [https://perma.cc/ZU3B-RZVB].
P19 We also observe that the Court of Appeals for the Ninth Circuit has considered language similar to the policy in this case and concluded that the phrase "fraudulently cause a transfer" requires "the unauthorized transfer of funds." Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016). "Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy." Id. See also, InComm Holdings, Inc. v. Great American Ins. Co., 2017 U.S. Dist. LEXIS 38132, 2017 WL 1021749 *10 (N.D. Ga. Mar. 16, 2017) (noting that "courts repeatedly have denied coverage under similar computer fraud provisions, except in cases of hacking where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money").
P20 Here, the hijacker did not use a computer to fraudulently cause G&G Oil to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G Oil to purchase the Bitcoin. Although the hijacker's actions were illegal, there was no deception involved in the hijacker's demands for ransom in exchange for restoring G&G Oil's access to its computers. For all of these reasons, we conclude that the ransomware attack is not covered under the policy's computer fraud provision.
There is no “standard form” cyber insurance policy in Canada or the United States. This case underscores the importance of carefully reviewing the terms of available cyber insurance coverage when choosing the appropriate form of such a policy. Here the insured had declined to purchase the optional Computer Virus and Hacking Coverage which presumably would have covered the claim (although its provisions were not quoted in the decision). Also, the mere fact that a computer system is somehow involved in the chain of causation for a loss does not, in and of itself, bring such a loss within computer coverage provisions in a cyber policy. There are numerous cases where an insured has been denied computer coverage where one of its employees has been induced by electronic messages (emails or texts) to take steps to wire or transfer money to a fraudster.