(Article from Insurance Law Alert, April 2020)
For more information, please visit the Insurance Law Alert Resource Center.
Most decisions interpreting the scope of coverage under a Computer Fraud coverage provision have involved incidents of email phishing. In a recent decision, the Indiana Court of Appeals addressed the scope of Computer Fraud coverage available for losses stemming from a ransomware attack, concluding that such coverage was not available. G&G Oil Co. of In. v. Cont’l W. Ins. Co., 2020 WL 1528095 (Ind. Ct. App. Mar. 31, 2020).
G&G was the victim of a ransomware attack that paralyzed its computer servers and workstations. The hacker demanded a ransom in exchange for passwords that would restore G&G’s control over its computer system. After G&G paid the ransom, it submitted a claim to Continental seeking coverage for the attack and ensuing losses. Continental denied coverage, arguing that G&G had not purchased “Computer Virus and Hacking Coverage” and that the Computer Fraud coverage provision did not apply. The court agreed and granted Continental’s summary judgment motion.
The Computer Fraud coverage provision is triggered by loss “resulting directly from the use of any computer to fraudulently cause a transfer of that property.” The court ruled that G&G’s transfer of the ransom payment was not “fraudulent,” even though it was initiated by the hackers’ illegal act. The court stated:
Here, the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring G&G’s access to its computers.