A recent report from the FBI’s 2020 Internet Crime Report shows that complaints of internet crime rose nearly 70% in 2020 as compared to 2109, with reported losses exceeding $4.2 billion. Cyber extortion and ransomware attacks were among the leading incidents of increased crime. Victims of a ransomware attack may often look to their property policies and crime coverage for potential recovery of any loss. In a recent opinion, the Indiana Supreme Court ruled that a corporate-policyholder victim of a ransomware attack may be entitled to recover its losses under a commercial crime policy that provided coverage for loss or damage resulting directly from the use of any computer to fraudulently cause a transfer of money, securities or other property.
The insurance coverage dispute in C&G Oil Co. of Indiana, Inc. v Continental Western Insurance Co. arose after C&G Oil was locked out of its computer systems when its hard drives were encrypted by ransomware. In order to regain access to its computer servers, C&G was invited to contact a particular person by email and enter a password. After consulting with the FBI and various consultants, C&G contacted the computer hijacker to negotiate the release of its computer servers, who demanded four bitcoins valued at approximately $35,000. C&G paid the requested ransom and then submitted a claim for its loss to Continental under its crime policy.
C&G’s crime policy provided coverage for “loss or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’” to a person or a place outside the premises. Continental denied C&G’s claim because it concluded that the hacking incident was excluded from the policy since C&G declined computer hacking and virus coverage in another coverage section of the policy. The insurer also concluded there was no coverage under the crime coverage of the policy because C&G voluntarily transferred the bitcoin to the hacker and, therefore, the hacker did not transfer funds directly from C&G’s computers to an outside location. The trial court and appellate court agreed with Continental’s decision to deny coverage, finding that the transfer of funds was not fraudulently caused, nor did the bitcoin payment qualify as a loss resulting directly from the use of a computer when it was C&G that voluntarily transferred the money. The Indiana Supreme Court disagreed, however, and reversed the decision of the appellate court and sent the case back to the trial court for further proceedings.
The Indiana Supreme Court ruled that the ransomware attack involved fraudulent conduct because it involved deceptive conduct in obtaining money by trick. Interpreting the phrase “fraudulently cause a transfer” from the standpoint of a reasonably intelligent policyholder, as courts are generally required to do, the court concluded that the term can be reasonably understood as to obtain by trick. The court concluded that there was a question as to whether the computer hacker gained access to C&G’s computer system through some form of deception or trick. The court noted, however, that it did not believe every ransomware attack would necessarily involve fraudulent conduct. As an example, the court stated that an incident involving a hacker who gains access to a computer system unhindered without any safeguards in place would not involve trickery.
The court also concluded that C&G’s voluntary transfer of the bitcoin to the hacker did not mean that the loss did not result “directly” from the use of a computer as required by the policy. The court ruled that a loss results “directly from the use of a computer” if there is a causal connection between the loss and computer that is straightforward, immediate or proximate without significant deviation. The court ruled that C&G’s transfer of the bitcoin to the hacker was nearly the immediate result from the use of a computer and without significant deviation. While the transfer of the bitcoin was voluntary only in the sense that C&G consciously made the payment, the court concluded C&G would likely have suffered greater losses had it not made the transfer. It concluded that the payment was more like something done under distress and was not so remote that it broke the causal connection with the computer. Therefore, C&G’s loss resulted directly from the use of a computer.
The C&G Oil decision provides support for policyholders seeking coverage under a crime policy for ransomware attacks even though a loss may arise from the voluntarily act of transferring something or doing something in response to a demand for payment, It is important to note, however, that the court indicated that not every ransomware attack necessarily involves fraudulent conduct. The decision should also serve as a reminder to policyholders to not give up if its insurance claim is initially denied and the denial is later confirmed by a court. The insured’s claim in the C&G Oil case was denied three times – once by the insurer before the lawsuit and two times by the courts – before the insured prevailed at the Indiana Supreme Court.