To print this article, all you need is to be registered or login on Mondaq.com.
The ransom paid in response to a ransomware attack was held not
to be covered under the “Computer Coverage” of an
insurance policy because the attack and the ransom demand did not
amount to “fraud”, as opposed to a mere theft (criminal
and deceptive as it may have been).
G&G Oil Co. of Indiana v. Continental Western
Insurance, 2020 Ind. App. LEXIS 126 (C.A.
Facts + Issues
On 17 November 2017 the Plaintiff insured G&G Oil Co.
discovered that it was the victim of a ransomware attack. A hacker
had gained access to its computer network and encrypted its servers
and workstations, locking the employees out. The hacker demanded a
ransom of 3 bitcoins to provide G&G Oil with the passwords to
allow it to access its system again.
G&G Oil paid the 3 bitcoin ransom but the hacker refused to
provide it with the passwords, demanding an additional bitcoin be
paid. G&G Oil ultimately paid the hacker the additional bitcoin
and the hacker provided it with the passwords. G&G Oil paid a
total of $34,477.50 for the 4 bitcoins.
On 29 November 2017 G&G Oil claimed against its multi-peril
commercial common policy issued by the Defendant Continental
Western Insurance Co. Continental had issued G&G Oil Co.
such a policy that contained a number of parts, including an
“Agricultural Output Coverage Part” and a
“Commercial Crime and Fidelity Coverage Part”. G&G
Oil had not purchased optional “Computer Virus and Hacking
Coverage” available under the Agricultural Output Coverage
Part. The policy contained the following provision:
Coverage is provided under the following Insuring Agreements for
which a Limit of Insurance is shown in the Declarations and applies
to loss that you sustain resulting directly from an
“occurrence” taking place during the Policy Period shown
in the Declarations . . .
The relevant provision in the Commercial Crime and Fidelity
Coverage Part was as follows:
6. Computer Fraud
We will pay for
loss of or damages to “money”, “securities” and
“other property” resulting directly from the use of any
computer to fraudulently cause a transfer of that property from
inside the “premises” or “banking
a. To a person (other than a “messenger”)
outside those “premises”; or
b. To a place outside those “premises”.
The terms “fraud” and “fraudulently” were
not defined in the policy.
The insurer declined the claim and both sides applied for
summary judgment. The insurer argued that the insured had not
purchased the optional Computer Virus and Hacking Coverage and that
the loss did not result from the use of a computer to
“fraudulently” cause a transfer of funds. The insured
took the position that the ransomware attack was analogous to an
act of theft, as opposed to fraud.
The trial judge held for the insurer:
Pursuant to the terms of the Policy, G&G Oil’s loss must
be “fraudulently caused.” Here, the hacker inserted
himself into G&G Oil’s system. That may have involved
some sort of deception, but no more than the burglar inserts
himself into a house by picking a lock or climbing through a window
or the auto thief who steals a car by accessing a FOB or a key
through surreptitious means. G&G Oil may prefer to brand all
three as fraudsters, but with good reason, the law labels one a
burglar, the other a car thief and the third a hacker. Unlike the
fraudster, a hacker, like the burglar or car thief is forthright in
his scheme. The hacker deprived G&G Oil of use of its computer
system and extracted bitcoin from the Plaintiff as ransom. While
devious, tortious and criminal, fraudulent it was not. [footnotes
The trial judge further led that the insured’s losses
resulted from a “voluntary payment to accomplish a necessary
result” and did not directly result from the use of a
The insured appealed. On appeal it argued that the terms
“fraud” and “fraudulently” , being undefined in
the policy, should be interpreted broadly to mean
“unconscionable dealing” in addition to “a
“knowing misrepresentation or concealment of a material
fact,”, relying on a bankruptcy decision. It argued that the
ransomware attack was deceptive and unconscionable. Furthermore,
the insured argued that the hacker had gained access to the
insured’s computer network by “misrepresenting his
authority to enter and control those machines” and also had
cheated the insured by claiming that it would disclose in return
for 3 bitcoins, but then demanded a fourth bitcoin before providing
HELD: For the Defendant insurer; appeal
- The Court summarized the principles
of interpretation for insurance contracts:
P12 We review an insurance policy using the same rules of
interpretation applied to other contracts; that is, if the language
is clear and unambiguous we will apply the plain and ordinary
meaning. Adkins v. Vigilant Ins. Co., 927
N.E.2d 385, 389 (Ind. Ct. App. 2010), trans. denied. An insurance
policy is ambiguous if a provision is susceptible to more than one
interpretation and reasonable persons would differ as to its
meaning. Id. An ambiguity does not exist merely because the parties
favor different interpretations. Id. If the policy contains
ambiguous provisions, they are construed in favor of the insured.
United Farm Family Mut. Ins. Co. v.
Matheny, 114 N.E.3d 880, 885 (Ind. Ct. App. 2018),
trans. denied. “This strict construal against the insurer is
driven by the fact that the insurer drafts the policy and foists
its terms upon the customer. The insurance companies write the
policies; we buy their forms or we do not buy insurance.” Id.
(quoting Meridian Mut. Ins. Co. v. Auto-Owners Ins.
Co., 698 N.E.2d 770, 773 (Ind. 1998)).
P13 An insurance contract that is unambiguous must be enforced
according to its terms, “even those terms that limit an
insurer’s liability.” Sheehan Constr. Co. v.
Cont’l Cas. Co., 935 N.E.2d 160, 169 (Ind. 2010).
The power to interpret insurance contracts “does not extend to
changing their terms, and we will not give insurance policies an
unreasonable construction to provide added coverage.”
Adkins, 927 N.E.2d at 389. In other
words, we may not extend coverage beyond that provided by the
unambiguous language of the contract. Sheehan Constr.
Co., 935 N.E.2d at 169. “[I]nsurers have the
right to limit their coverage of risks and, therefore, their
liability by imposing exceptions, conditions, and exclusions.”
- The Court held that the hacker had not
caused the insured’s losses by “fraud” but by means
of a simple theft, akin to a burglar breaking into physical
premises and stealing property:
P17 Although Continental encourages us to interpret the policy
to allow coverage only for tortious or criminal acts of fraud, it
contends that if G&G Oil’s definition is applied,
“even the layperson’s definition of ‘fraud’ . . .
requires ‘intentional perversion of truth’ and/or ‘an
act of deceiving or misrepresenting.’” Appellant’s Br.
at 22. Continental agrees that the hacker’s acts were illegal
but that he or she did not commit any act that could be classified
as “fraud” when the hacker demanded ransom in exchange
for the passwords that would allow G&G Oil to regain access to
its computer system.
P18 As the term is commonly understood and defined, fraud is the
“intentional perversion of truth in order to induce another to
part with something of value or to surrender a legal right.”
Fraud, Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/fraud
(last visited on March 23, 2020) [https://perma.cc/R3JX-PFGH].
Similarly, the American Heritage Dictionary defines fraud as
“[a] deception practiced in order to induce another to give up
possession of property or surrender a right.” Fraud,
American Heritage Dictionary, https://ahdictionary.com/word/search.html?q=Fraud
(last visited on March 23, 2020) [https://perma.cc/ZU3B-RZVB].
P19 We also observe that the Court of Appeals for the Ninth
Circuit has considered language similar to the policy in this case
and concluded that the phrase “fraudulently cause a
transfer” requires “the unauthorized transfer of
funds.” Pestmaster Servs., Inc. v. Travelers
Casualty & Surety Co. of America, 656 Fed. Appx.
332 (9th Cir. 2016). “Because computers are used in almost
every business transaction, reading this provision to cover all
transfers that involve both a computer and fraud at some point in
the transaction would convert this Crime Policy into a ‘General
Fraud’ Policy.” Id. See also, InComm Holdings,
Inc. v. Great American Ins. Co., 2017 U.S. Dist.
LEXIS 38132, 2017 WL 1021749 *10 (N.D. Ga. Mar. 16, 2017) (noting
that “courts repeatedly have denied coverage under similar
computer fraud provisions, except in cases of hacking where a
computer is used to cause another computer to make an unauthorized,
direct transfer of property or money”).
P20 Here, the hijacker did not use a computer to fraudulently
cause G&G Oil to purchase Bitcoin to pay as ransom. The
hijacker did not pervert the truth or engage in deception in order
to induce G&G Oil to purchase the Bitcoin. Although the
hijacker’s actions were illegal, there was no deception
involved in the hijacker’s demands for ransom in exchange for
restoring G&G Oil’s access to its computers. For all of
these reasons, we conclude that the ransomware attack is not
covered under the policy’s computer fraud provision.
There is no “standard form” cyber insurance policy in
Canada or the United States. This case underscores the importance
of carefully reviewing available cyber insurance coverage policy
terms when choosing the appropriate form of such a policy.
Here the insured had declined to purchase the optional Computer
Virus and Hacking Coverage which presumably would have covered the
claim (although its provisions were not quoted in the
decision). Also, the mere fact that a computer system is
somehow involved in the chain of causation for a loss does not, in
and of itself, bring such a loss within computer coverage
provisions in a cyber policy. There are numerous cases where an
insured has been denied computer coverage where one of its
employees has been induced by electronic messages (emails or texts)
to take steps to wire or transfer a fraudster money.
Originally published June 7, 2020.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.