The Indiana Supreme Court became one of the first state high courts to weigh in and issue a decision on whether crime insurance provides coverage for ransomware attacks. The trial court’s ruling in favor of Continental Western Insurance Co.’s motion for summary judgment upheld the denial of G&G Oil Co.’s bid for coverage. The Supreme Court remanded the case because further fact-finding was necessary to uncover the “fraudulent” nature of the hacker’s actions. It was important to determine how the hacking was conducted. Therefore, until this information is uncovered, neither party was entitled to summary judgment.

The case arose out of G&G’s purchase of commercial insurance. The policy contained various coverages, including “Commercial Crime Coverage.” There was a specific provision that provided coverage for “Computer Fraud.” Within the policy period, G&G discovered it was locked out of its computer systems. A ransomware attack, a “malicious computer code that renders the victim’s computer useless by blocking access to the programs and data” had halted G&G’s operations. In conjunction with the FBI, G&G contacted the hackers to negotiate a price to release the server’s blockages. G&G paid the requested ransom with four bitcoins, valued at approximately $35,000.

When G&G submitted the claim to Continental, coverage was denied on the basis that hacking was excluded pursuant to the “Agribusiness Property and Incomes Coverages,” which specifically disclaimed computer hacking and viruses. Additionally, Continental believed the Bitcoin was voluntarily paid to the computer hacker, which meant the Policy’s Commercial Crime provision would not be utilized. G&G filed a complaint seeking judicial enforcement of the Commercial Crime Provision. Continental filed a cross-motion for summary judgment.

The Supreme Court found that while these facts may give rise to fraud, there were still outlying questions. For instance, hacking can occur without fraud, but rather an inadequate security system. Therefore, until additional facts are provided, allegations of hacking were not enough to trigger coverage.

Additionally, the court deemed the Policy phrase, “fraudulent cause transfer” to be ambiguous. “Fraud” can range from a material misrepresentation invoking reliance to an “intentional perversion of truth.” Courts have also discussed the term “fraud” and have found it is generic and is often used in diverse ways. Therefore, the denial of coverage is likely unfounded as the Policy terms and provisions do not provide a fair basis.

This case is addressing this new intersection between computer fraud coverage, hacking and crime. To date, courts have had limited experience addressing each of these issues in the context of crime insurance. The evolving digital environment will likely introduce new issues that can give rise to coverage and expand existing scopes of coverage.

For more information about this article, contact Samantha Rothman at srothman@tresslerllp.com.

The post Hack Attack: Indiana Supreme Court Examines Ransomware Coverage  appeared first on Privacy Risk Report.