The Indiana Supreme Court, in a case of first impression, has rejected an insurance company’s denial of coverage for a policyholder’s losses incurred in regaining access to its computers after a ransomware attack. In a unanimous 5-0 decision, the Court overruled the appellate and trial courts which found for the insurer and allowed the policyholder to pursue its claim in the trial court.
“This is a particularly important case because Indiana businesses need the protection of their insurance to meet the challenges of new technology-based theft,” said George Plews, one of the lawyers for the policyholder. “We believe this may be the first case in the country to address coverage for a ransomware attack.”
The policyholder, G&G Oil Company, supplies fuels, lubricants, and related services to customers throughout the Midwest. G&G was the victim of a ransomware attack. One morning it found itself locked out of its computers. A hacker had gained access to G&G’s computer system, scrambled the contents, and denied access. The hackers got control of G&G’s computers access despite a firewall by means of a “phishing” email – an email purporting to come from a known or safe source, but when clicked downloads malicious code. Through negotiations with the thief, G&G regained access to its system by paying a ransom, some $35,000, in Bitcoin.
G&G submitted its claim to its insurer, Continental Western Insurance Company. In its “Computer Fraud” coverage, Continental agreed to pay for loss of money resulting directly from the use of any computer to fraudulently cause a transfer of money.
Continental denied the request on two primary grounds. First, the insurer maintained that the transfer was not fraudulently caused because in making the demand for payment the hacker had not “misrepresented” himself. Continental ignored the misrepresentation required to first gain access to the system. The Supreme Court rejected the insurer’s argument that the term was restricted to a misrepresentation or concealment. The Court held that the term “’fraudulently cause a transfer’ can be reasonably understood as simply to obtain by trick.”
Continental also claimed G&G’s loss did not result “directly” from the use of a computer because G&G “voluntarily” made the payment to the hackers and the payment did not involve the use of a computer. The Bitcoin payments were not “voluntary” because they were made under duress. The Court held the loss here followed proximately from the use of a computer because there was no break in the causal connection between the use of a computer and the payments.
“Although the subject matter of this case is new,” John Ketcham, another lawyer for G&G said, “it finally was resolved by well settled principles of Indiana insurance law.”
The groundbreaking case drew attention from amicus curiae. United Policyholders, an insurance consumer advocacy organization, and the Indiana Food and Fuel Association, representing convenience stores, filed briefs supporting G&G.
“Hoosier retail businesses face tremendous challenges protecting their assets, customers and employees, and hopefully this case will provide a means to meet some of those challenges,” said Chris Braun, who also serves as general counsel to the IFFA.
G&G is represented by George Plews, John Ketcham, Chris Braun, and Josh Tatum of Plews Shadley Racher & Braun. United Policyholders is represented by Andy Detherage and Scott Godes of Barnes & Thornburg, and the IFFA by Tom O’Gara of Taft Stettinius & Hollister.