Indiana Supreme Court Revives Insured’s Case for Ransomware-Related Coverage Under Commercial Crime Policy

Nathan Lovett
Wiley Rein LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The Indiana Supreme Court, applying Indiana law, has held that an insured may be entitled to coverage for a ransom payment under a commercial crime policy if the circumstances of the attack “fraudulently caused” the insured to make the payment. The court also held that the ransom payment resulted “directly” from the use of a computer. G&G Oil Co. of Ind., Inc. v. Continental W. Ins. Co., 2021 WL 1034982 (Ind. Mar. 18, 2021).

In November 2017, the insured, a Midwest-based oil company, experienced a ransomware attack. Given the impact to its computer systems and business operations, the company elected to pay the demand—valued at approximately $35,000—to obtain a decryption key to unlock its systems.

The company sought coverage for its loss under the computer fraud provision of its commercial crime policy. This provision afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.” The insurer denied coverage because the company had voluntarily transferred the funds, and the threat actor had not transferred the funds directly from the company. In the ensuing coverage action, the trial court ruled in favor of the insurer, holding that (i) the loss was not “fraudulently caused” but was instead the result of theft, and (ii) the payment did not qualify as loss “resulting directly from the use of a computer” and instead “was a voluntary payment to accomplish a necessary result.” The appellate court affirmed.

The Indiana Supreme Court found that the extortion payment did indeed result “directly” from the use of a computer, rejecting the insurer’s argument that the company’s voluntary payment was “an intervening cause that severed the casual chain of events.” The court found that the company’s actions were “nearly the immediate result—without significant deviation—from the use of a computer” and that the payment was “voluntary” only in the sense that the company consciously made the payment. The court held that the payment more closely resembled a payment made under duress, in which case the “‘voluntary’ payment was not so remote that it broke the casual chain.”

However, the court found that further fact investigation was needed to determine whether the ransomware attack “fraudulently caused a transfer of money.” The court noted that this could be met if the threat actor had obtained access to the insured’s systems “by trick.” Despite questions surrounding the method of the intrusion—i.e., whether the threat actor obtained access unhindered through a system vulnerability, or instead through a deceptive phishing scheme—the court decided that “enough is known to raise a reasonable inference the system could have been obtained by trick.” Accordingly, the court found that neither party was entitled to summary judgment and remanded the case for further proceedings.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP
Wiley Rein LLP
Contact
more
less

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide