Policyholders Hit With Ransomware, Then Strike Insurance Coverage Oil in Indiana

Publication year: 2021

Scott Godes and Andy Detherage *

Abstract: The cost of ransomware to businesses is estimated to have doubled since 2019 to $20 billion, according to Coveware. Policyholders turn to their insurance policies to recover losses that average more than $230,000 per incident. In the case discussed, the carrier denied a policyholder's claim as being outside the computer fraud provisions of the commercial crime portion of the policy. Two lower courts sided with the carrier, but the Indiana Supreme Court ruled in favor of coverage. This is a significant win for policyholders seeking coverage for losses under policies not sold as "cyber insurance." The article discusses the decision and the precedents cited in an area of litigation that only promises to expand as ransomware and similar digital crimes proliferate.

In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., — N.E.3d —, 2021 WL 1034982, 2021 Ind. LEXIS 182 (Ind. Mar. 18, 2021), the Indiana Supreme Court confirmed that "silent cyber"—the insurance industry's term for circumstances when losses due to cyberattacks are covered by policies not marketed as "cyberinsurance"—extends to losses due to ransomware. This article provides an overview of the holding of G&G Oil and why it was decided correctly.

The Ransomware Attack on G&G Oil and Its Efforts to Obtain Coverage

In late 2017, as G&G Oil stated in a letter to the insurance carrier, Continental Western Insurance Company ("Continental Western"), "It is our belief that the hijacker hacked into our system via a targeted spear-phishing email with a link that led to a payload downloading to our system and propagating through our entire network. . . ." 1 The spear-phishing email 2 contained "a link that led to a payload downloading to [G&G Oil's] system and propagat[ed] [malware] through [the] entire network." 3 This took place through a user SQL service "that is used for [G&G Oil's] accounting software." 4

The hackers accessed the network and locked it up so that G&G Oil was unable to use any of its computers. More specifically, on November 17, 2017, "everything" on the computer network "had been encrypted at the hardware level including external hard drives used for backups." 5

G&G Oil did what many companies do in that situation: it communicated with the hackers in an effort to pay the demanded ransom and get its computers back to normal. 6 The hackers demanded "three (3) bitcoins in order for the passwords to be given to [G&G Oil] to unlock all affected servers and software." 7 That offer was a fraudulent inducement for G&G Oil to pay, because the hackers later demanded even more bitcoin to unlock the network fully. 8

G&G Oil paid the hacker one initial bitcoin to show its good faith in cooperating with the hackers' demand. 9 The hackers sent multiple passwords in response. 10 The hackers then "stated that [G&G Oil] would have to send the remaining two (2) bitcoin in order to receive all remaining passwords." 11 That statement, however, was false. After G&G Oil sent the final two bitcoin in response to the demand, the hacker sent only some, but not all, of the passwords necessary to unlock the full network. 12 The hacker required G&G Oil to pay another bitcoin to provide the full set of passwords. 13

G&G Oil sought coverage from Continental. G&G Oil had purchased a broad-form commercial package policy from Continental Western. The policy included commercial crime coverage. 14 Within the crime coverage part, G&G Oil purchased $100,000 of Computer Fraud coverage, with a $5,000 deductible. 15 Computer Fraud coverage applies to losses "resulting directly from the use of any computer to fraudulently cause a transfer of" money, securities, or other property to someone else or somewhere off of G&G Oil's premises. 16 That Computer Fraud coverage, as found within the commercial crime section of the insurance policy, was written on a form with a 2005 copyright. 17

The Commercial Crime Coverage section of the Policy provided, in part:

Computer Fraud
We will pay for loss or damage to "money," "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises":
a. To a person (other than a "messenger") outside those "premises"; or
b. To a place outside those "premises." 18

Continental denied coverage for the matter. G&G Oil filed suit for breach of contract in Indiana state court. The trial court granted summary judgment to Continental and the Indiana Court of Appeals affirmed. The Indiana Supreme Court granted transfer of the case from the Court of Appeals, and reversed the grant of summary judgment for Continental, remanding for further proceedings.

The Indiana Supreme Court's Holding That Crime Insurance Could Apply to Ransomware Losses Is Correct

First, G&G Oil affirms important rules of interpretation for insurance policies. Although insurance policies are contracts, the Indiana Supreme Court re-affirmed fundamental principles of insurance policy interpretation. That is, there are "specialized rules of construction in recognition of the frequently unequal bargaining power between insurance companies and insureds," with one of those rules being that "courts construe ambiguous terms against the policy drafter and in favor of the insured." 19 When "reasonably intelligent policyholders would honestly disagree on the policy language's meaning," the policy language is ambiguous and must be construed against the insurance carrier. 20

Second, G&G Oil found that the phrase "fraudulently cause a transfer" unambiguously can apply to a ransomware situation, explaining that "'fraudulently cause a transfer' can be reasonably understood as simply 'to obtain by trick.'" 21 Although the Indiana Supreme Court stated in G&G Oil that not "every ransomware attack is necessarily fraudulent," such as situations in which there were no antivirus "safeguards" that "were put in place" on a network that would allow a hacker to get access without tricking a user first, the court suggested that a ransomware attack that originated from a spear-phishing attack or another way of duping a user into taking action that starts the process of allowing malware to be downloaded would qualify as "fraudulently caus[ing] a transfer." 22 The Indiana Supreme Court remanded for further factual investigation on the question of whether the ransomware ultimately originated from "a targeted spear-phishing email," a point that the court suggested was not undisputed. 23

Third, G&G Oil held "G&G Oil's losses 'resulted directly from the use of a computer.'" 24 The Indiana Supreme Court applied an "immediate[] or proximate[]" cause test, and found that the test was satisfied, even though the "transfer was voluntary," and happened "after consulting with the FBI and other computer tech services." 25

The Indiana Supreme Court's construction of "resulting directly from the use of a computer" was correct, and it was a positive result for insureds to see the lower court decision overturned on this point. The loss was "resulting directly from" the use of a computer. As certain courts have recognized, "[r]esulting directly from" distinguishes between so-called "first-party loss," where the insured loses its own money, and "third-party loss," where the insured pays damages to a third party after an event. In Tooling, Manufacturing & Technologies Association v. Hartford Fire Insurance Co., 693 F.3d 665 (6th Cir. 2012), the Sixth Circuit explained that "the Surety Association revised its standard fidelity-contract form to replace the term 'loss resulting through' with 'directly resulting from . . .'" in order to "combat court cases that found coverage under fidelity policies" for third-party liabilities, rather than a loss of the insured's own funds. 26 Notably, other decisions have found that Computer Fraud coverage applies to third-party liabilities as well, using a proximate cause analysis. 27 Finding that G&G Oil's loss was direct was proper under the Tooling, Manufacturing & Technologies or proximate cause analysis, for example, because it was a loss of G&G's own funds that was proximately caused by computer fraud, and was not a payment of damages to satisfy a third-party liability. 28

In the Indiana Court of Appeals' ruling against coverage, the court relied first on Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America, 656 F. App'x 332 (9th Cir. 2016), a decision involving a fraud that could have been accomplished without the...