September 20, 2021

Volume XI, Number 263

Advertisement

September 17, 2021

Subscribe to Latest Legal News and Analysis

Indiana Supreme Court Decrypts Computer Crime Coverage

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.

Over three years ago, G&G Oil was locked out of its computer systems by a hacker following a social engineering fraud that was allegedly initiated by a targeted spear-phishing email. After consulting with the FBI and other tech services, G&G Oil paid a Bitcoin ransom to regain access to its computer systems and operations.

G&G Oil turned to its insurer, Continental Western Insurance Company, seeking coverage under a policy providing “Computer Crime Coverage.” That provision agreed to cover “loss or damage . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property . . . .” Continental denied the claim because, according to Continental, the Bitcoin was voluntarily transferred and did not result directly from the use of a computer.

G&G Oil filed suit in Indiana state court. The trial court likened the ransomware attack to a burglar climbing through a window rather than fraud and thus concluded that the hacker did not “fraudulently cause a transfer.” The trial court also found that G&G Oil’s “voluntary” Bitcoin payment broke the causal chain of events originating from the use of a computer. The trial court granted summary judgment in favor of Continental and the appellate court affirmed. In March, the Indiana Supreme Court weighed in and reversed on both issues.

First, the Indiana Supreme Court considered the meaning of the phrase “fraudulently cause a transfer.” The court held the phrase was unambiguous, but was construed too narrowly by the lower courts. The court reviewed case law and dictionary definitions regarding the meaning of “fraud,” and concluded that the phrase “can be reasonably understood as simply ‘to obtain by trick.’” The court noted that not every ransomware attack is necessarily fraudulent, such as where there are no safeguards in place and a hacker accesses a company’s servers unhindered—in which case, there is no “trick” involved. Thus, the court concluded neither party was entitled to summary judgment because there were questions of fact surrounding whether access to G&G Oil’s servers was obtained by “trick.”

Second, the court analyzed the meaning of the phrase “resulting directly from the use of any computer.” Relying on dictionary definitions, the court concluded that the phrase meant that the loss must result either “immediately or proximately without significant deviation from the use of a computer.” In applying this standard, the court disagreed with the trial court’s conclusion that “G&G Oil’s voluntary transfer of Bitcoin was an intervening cause that severed the causal chain of events.” The court reasoned that the transfer was only voluntary in the sense that G&G Oil decided to pay the ransom and, instead, more closely resembled a payment “made under duress.” The court held G&G Oil’s transfer of Bitcoin satisfied the standard because it “was nearly the immediate result—without significant deviation—from the use of a computer.”

The Indiana Supreme Court’s decision is a refreshing reminder that coverage grants must be construed broadly in favor of coverage and that context is key when evaluating causation, which should be viewed pragmatically. It is also a reminder that policyholders should carefully evaluate cyber policies, identify coverage gaps caused by imprecise wording and strive to correct those provisions before the inception of coverage. In G&G Oil, Justice David noted that the “interplay between computer fraud coverage and computer hacking is an emerging area of the law.” The uncertainty among courts and the increase in ransomware attacks and other computer-related crimes emphasize the need for policyholders to be proactive in ensuring coverage for cyber events. For properly covered policyholders, G&G Oil gives courts a good road map for evaluating coverage.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 145
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kevin V. Small Insurance Attorney Hunton Andrews Kurth New York, NY
Associate

Kevin counsels clients on the recovery of insurance proceeds and on risk management and insurance strategy.

Kevin represents clients in complex coverage disputes involving claims under various types of policies, including first-party property, cyber, D&O, E&O, general liability, product liability, and transactional liability.

Prior to law school, Kevin worked for the world’s leading risk management and insurance broking firm. In this role, he advised Fortune 500 clients on structuring sophisticated risk management programs, brokered the insurance components of such...

212-309-1226
Casey Coffey Insurance Lawyer Hunton AK
Associate

Casey’s practice focuses on complex insurance litigation and advising policyholders in insurance coverage matters.

As an associate on the insurance coverage team, Casey represents commercial policyholders in all types of insurance matters from property coverage to bad faith claims. She is also a contributor to the firm’s Insurance Recovery Blog.

During law school, Casey interned for Justice Labarga on the Florida Supreme Court and the Honorable Dave Lee Brannon of the Southern District of Florida. She also served on...

305 536 2707
Advertisement
Advertisement
Advertisement