Indiana Supreme Court Revives Insured’s Case for Ransomware-Related Coverage Under Commercial Crime Policy

The Indiana Supreme Court, applying Indiana law, has held that an insured may be entitled to coverage for a ransom payment under a commercial crime policy if the circumstances of the attack “fraudulently caused” the insured to make the payment.  The court also held that the ransom payment resulted “directly” from the use of a computer.  G&G Oil Co. of Ind., Inc. v. Continental W. Ins. Co., 2021 WL 1034982 (Ind. Mar. 18, 2021).

In November 2017, the insured, a Midwest-based oil company, experienced a ransomware attack.  Given the impact to its computer systems and business operations, the company elected to pay the demand—valued at approximately $35,000—to obtain a decryption key to unlock its systems.

The company sought coverage for its loss under the computer fraud provision of its commercial crime policy.  This provision afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.”  The insurer denied coverage because the company had voluntarily transferred the funds, and the threat actor had not transferred the funds directly from the company.  In the ensuing coverage action, the trial court ruled in favor of the insurer, holding that (i) the loss was not “fraudulently caused” but was instead the result of theft, and (ii) the payment did not qualify as loss “resulting directly from the use of a computer” and instead “was a voluntary payment to accomplish a necessary result.”  The appellate court affirmed.

The Indiana Supreme Court found that the extortion payment did indeed result “directly” from the use of a computer, rejecting the insurer’s argument that the company’s voluntary payment was “an intervening cause that severed the casual chain of events.”  The court found that the company’s actions were “nearly the immediate result—without significant deviation—from the use of a computer” and that the payment was “voluntary” only in the sense that the company consciously made the payment.  The court held that the payment more closely resembled a payment made under duress, in which case the “‘voluntary’ payment was not so remote that it broke the casual chain.”

However, the court found that further fact investigation was needed to determine whether the ransomware attack “fraudulently caused a transfer of money.”  The court noted that this could be met if the threat actor had obtained access to the insured’s systems “by trick.”  Despite questions surrounding the method of the intrusion—i.e., whether the threat actor obtained access unhindered through a system vulnerability, or instead through a deceptive phishing scheme—the court decided that “enough is known to raise a reasonable inference the system could have been obtained by trick.”  Accordingly, the court found that neither party was entitled to summary judgment and remanded the case for further proceedings.

Tags

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek