Ransomware Coverage Without Ransomware Insurance
On March 18, the Indiana Supreme Court ruled that a commercial crime insurance policy may cover a ransomware payment. This ruling adds to the body of insurance law regarding ransomware coverage for policies that do not directly address ransomware.
In G&G Oil Company of Indiana, Inc. v. Continental Western Insurance Company, the policyholder, G&G, suffered a ransomware attack that locked it out of its computers and encrypted its hard drives. After consulting with the FBI and other experts, G&G paid the $35,000 bitcoin ransom, after which it regained access to its computer systems.
G&G sought coverage from its insurer, Continental Western, under its commercial insurance policy, which included “Commercial Crime Coverage.” That section provided:
We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”
Continental declined coverage. First, Continental pointed out, G&G had declined computer hacking and computer virus coverage. Second, Continental stated that G&G had voluntarily paid the ransom, which meant that the hacker had not used a computer “to fraudulently cause a transfer of . . . property” within the meaning of the policy.
Litigation ensued, and both sides moved for summary judgment. The trial court granted Continental’s motion, and the Indiana Court of Appeals affirmed.
Indiana’s Supreme Court reversed. First, the court held that G&G’s declination of computer virus and hacking coverage did not bar its claim. Instead, the language of G&G’s “Commercial Crime Coverage” would control.
Second, the court ruled that, although the phrase “fraudulently cause a transfer” is unambiguous, whether the ransomware attack constituted “fraud” was an issue of fact. The court held: “We do not think every ransomware attack is necessarily fraudulent. For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage.” However, the court held, the hackers’ apparent use of a spear-phishing email campaign could constitute a fraudulent act, which would bring G&G’s ransomware attack within the policy’s coverage terms.
Next, the court rejected Continental’s argument that the loss did not result “directly from the use of any computer to fraudulently cause a transfer,” because G&G voluntarily paid the ransom. The court held the payments were not truly “voluntary,” because the ransomware attack was holding its business hostage, and under those circumstances, “the ‘voluntary’ payment was not so remote that it broke the causal chain.”
This case shows the importance of carefully worded policies. Although G&G had turned down cyber coverage, its commercial crime coverage could still provide ransomware protection — a result Continental clearly opposed. By contrast, in RealPage Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, a Texas court held that the policyholder’s commercial crime policy did not cover money lost through a ransomware attack, because the policyholder had placed the lost funds into its vendor’s bank account. But in Target v. Ace Insurance, a Minnesota federal court held that Target’s CGL policy did not cover the cost of replacing bank cards compromised in a data breach, because Target had not shown that the bank cards lost any value within the policy’s “loss of use” clause. In short, any policy including the term “computer” may open the door to data breach or ransomware coverage, and the insurer may not know for certain until after a lengthy, expensive summary judgment battle.
Sean Griffin is an attorney and certified cybersecurity expert (CIPP-US) who advises clients on cybersecurity and litigates cybersecurity/privacy cases in Virginia, Maryland, and the District of Columbia. You can reach him via email at sgriffin@dykema.com or by phone at (202) 906-8703.