Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

Indiana Supreme Court Revives Insured’s Case for Ransomware-Related Coverage Under Commercial Crime Policy

2020-LexBlog-Cyber-Insurance-iStock-962094400
By Nathan Lovett on April 2, 2021
Email this postTweet this postLike this postShare this post on LinkedIn

The Indiana Supreme Court, applying Indiana law, has held that an insured may be entitled to coverage for a ransom payment under a commercial crime policy if the circumstances of the attack “fraudulently caused” the insured to make the payment.  The court also held that the ransom payment resulted “directly” from the use of a computer.  G&G Oil Co. of Ind., Inc. v. Continental W. Ins. Co., 2021 WL 1034982 (Ind. Mar. 18, 2021).

In November 2017, the insured, a Midwest-based oil company, experienced a ransomware attack.  Given the impact to its computer systems and business operations, the company elected to pay the demand—valued at approximately $35,000—to obtain a decryption key to unlock its systems.

The company sought coverage for its loss under the computer fraud provision of its commercial crime policy.  This provision afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.”  The insurer denied coverage because the company had voluntarily transferred the funds, and the threat actor had not transferred the funds directly from the company.  In the ensuing coverage action, the trial court ruled in favor of the insurer, holding that (i) the loss was not “fraudulently caused” but was instead the result of theft, and (ii) the payment did not qualify as loss “resulting directly from the use of a computer” and instead “was a voluntary payment to accomplish a necessary result.”  The appellate court affirmed.

The Indiana Supreme Court found that the extortion payment did indeed result “directly” from the use of a computer, rejecting the insurer’s argument that the company’s voluntary payment was “an intervening cause that severed the casual chain of events.”  The court found that the company’s actions were “nearly the immediate result—without significant deviation—from the use of a computer” and that the payment was “voluntary” only in the sense that the company consciously made the payment.  The court held that the payment more closely resembled a payment made under duress, in which case the “‘voluntary’ payment was not so remote that it broke the casual chain.”

However, the court found that further fact investigation was needed to determine whether the ransomware attack “fraudulently caused a transfer of money.”  The court noted that this could be met if the threat actor had obtained access to the insured’s systems “by trick.”  Despite questions surrounding the method of the intrusion—i.e., whether the threat actor obtained access unhindered through a system vulnerability, or instead through a deceptive phishing scheme—the court decided that “enough is known to raise a reasonable inference the system could have been obtained by trick.”  Accordingly, the court found that neither party was entitled to summary judgment and remanded the case for further proceedings.

Photo of Nathan Lovett Nathan Lovett

Nate represents insurers in connection with coverage issues and disputes arising under professional liability and general liability insurance policies. Nate, a certified Legal Lean Sigma Institute (LLSI) White Belt, uses the LLSI process and project management tools to continually improve the value proposition…

Nate represents insurers in connection with coverage issues and disputes arising under professional liability and general liability insurance policies. Nate, a certified Legal Lean Sigma Institute (LLSI) White Belt, uses the LLSI process and project management tools to continually improve the value proposition the firm delivers to its clients.

Read more about Nathan LovettEmail
Show more Show less
  • Posted in:
    Corporate & Commercial, Insurance
  • Blog:
    Wiley Executive Summary
  • Organization:
    Wiley Rein LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • The FTI Award Journal
  • International Dispute Resolution
  • China Law Update Blog
  • Law of The Ledger
  • Antitrust Law Blog
Copyright © 2022, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo