One circumstance feared by businesses is a ransomware attack. The situation has unfortunately become a familiar one. A computer hacker gains access to a business’s information systems, encrypts them, and then locks out the business unless the business pays a substantial fee, often in untraceable bitcoin, for a password to recover the files.
Aside from heightened IT security steps, one other way to protect against this risk is insurance. Because time is of the essence, a business will perhaps pay the ransom relying upon its insurance coverage to reimburse it at a later time. While such protection might be assumed to fall under purchased “computer fraud” coverage, a recent decision by the Indiana Court of Appeals has held otherwise.
In G&G Oil Co. of Indiana v. Continental Western Insurance Company, 19A-PL-1498, the Indiana Court of Appeals affirmed a Marion County Court’s decision that a scenario very similar to the one above was not covered by a G&G’s computer fraud insurance policy.
The policy language at issue read:
- Coverage is provided under the following Insuring Agreements for which a Limit of Insurance is shown in the Declarations and applies to loss that you sustain resulting directly from an “occurrence” taking place during the Policy Period shown in the Declarations . . .
- 6. Computer Fraud
- We will pay for loss of or damages to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
- a. To a person (other than a “messenger”) outside those “premises”; or
- b. To a place outside those “premises”.
G&G employees discovered a ransomware attack and were unable to access the company’s servers and most of its workstations. A hijacker had gained access to G&G’s computer network, encrypted its servers and most workstations, and password protected its drives. The hacker demanded a ransom, and in exchange for payment, agreed to send G&G the passwords and restore its control over its computer servers. G&G paid the hacker four bitcoins – worth $34,477.50 – and the hacker sent a password that decrypted G&G’s systems.
Shortly thereafter, G&G submitted a claim to Continental, the insurance provider, requesting coverage for the attack and the ensuing losses. Continental denied the claim, in part because G&G had not purchased the optional “Computer Virus and Hacking Coverage” offered under the Agricultural Output Coverage Part and argued G&G’s losses did not result directly from the use of a computer to fraudulently cause a transfer of G&G’s funds.
After litigating the matter, the Indiana Court of Appeals sided with Continental. G&G argued “fraud” should be read to include the hacker’s “deceptive” and “unconscionable” attack. G&G also contended the hacker engaged in deception when it upped the ransom from three to four bitcoins.
Continental argued the hacker’s attacks were certainly illegal but they did not fit the definition of fraud. That is, the hacker did not “pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin.” Rather, as the trial court found, a hacker “is forthright in his scheme” and a hacker’s deception is no different than a burglar picking a lock. This was not to suggest that computer fraud could never occur, though. Looking to other cases, the Court cited that fraud could perhaps be found in “cases of hacking where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money.”
In conclusion, the Court of Appeals found computer fraud to be separate and distinct from a direct ransomware attack. However, had the accessed servers been used to surreptitiously transfer money, such an attack may have ultimately been covered under that policy.
In these recent weeks where the economy is slowing and remote working is likely near an all-time high, it is a good time to review your business’s insurance coverage for computer fraud and hacking and go over that coverage with an attorney to see if you have adequate protection against the risk of hacking.
This article is for information purposes only and is not intended to constitute legal advice.