Beware the Honest Hacker: Indiana Supreme Court Finds That Bitcoin Payment Is Not Necessarily Covered Loss Under Commercial Crime Policy Because Not Every Ransomware Attack Involves Fraud

In G&G Oil Company of Indiana Inc. v. Continental Western Insurance Co., the Indiana Supreme Court considered the emerging area of computer crime coverage.

G&G Oil was insured under a multi-peril commercial common insurance policy by Continental that provided commercial crime coverage. Specifically, the policy provided the following coverage provision:

We will pay for loss or damage to "money," "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises":

1. To a person (other than a "messenger") outside those "premises"; or
2. To a place outside those "premises."

On November 17, 2017, G&G Oil discovered it was locked out of its computer systems due to ransomware, and the company's operations were halted as a result. To regain access to its computer systems, G&G Oil believed it would have to contact the person or entity responsible for the attack. After consulting with the FBI and certain computer tech services, G&G Oil transferred payment in the form of Bitcoin (valued at nearly $35,000) to the hackers believed to be responsible and regained access to its computer systems.

G&G Oil submitted an insurance claim to Continental, which denied coverage under the policy, concluding that computer hacking was "specifically excluded" from the policy when G&G Oil declined computer hacking and computer virus coverage in the "agribusiness property and income coverages" section of the policy. Moreover, the claim was denied as Continental believed the payment of Bitcoin was voluntarily transferred by G&G Oil. As a result, G&G Oil filed suit against Continental.

The trial court granted Continental's motion for summary judgment after first finding that G&G Oil's loss was not "fraudulently caused" but was instead the result of theft. Second, the trial court determined that G&G Oil's payment to the hacker was a "voluntary payment to accomplish a necessary result" after finding that the payment of Bitcoin was an intervening cause that severed the causal chain of events that would constitute a loss "resulting directly from the use of a computer." In a unanimous opinion, the court of appeals affirmed the trial court's decision determining that "the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom" and "[t]he hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin."

In reviewing the matter, the Indiana Supreme Court interpreted the phrase "fraudulently cause a transfer" and determined it to be unambiguous. In doing so, the court analyzed multiple sources including dictionary definitions and recent federal cases. The court stated that computer fraud coverage and computer hacking is "an emerging area of the law" and that the term "fraudulently cause a transfer" can be reasonably understood simply as "to obtain by trick," but not every ransomware attack is necessarily fraudulent. The court used the example that "if no safeguards were put in place, it is possible a hacker could enter a company's servers unhindered and hold them hostage. There would be no trick there." Based on this principle, the court determined that G&G Oil was not entitled to summary judgment based on its mere belief that its computer systems were obtained by trick, as such belief was not enough to eliminate any other reasonable inference. Conversely, the court determined that the trial court had too narrowly defined the phrase "fraudulently cause a transfer" as there was not enough known on the record to conclude that G&G Oil's computer systems were not obtained by trick.

The court also determined that the trial court improperly found that G&G Oil's payment of Bitcoin constituted an intervening cause that severed the causal chain of events to deem the payment voluntary rather than "resulting directly from the use of a computer" as provided under the policy. The court's determination was based on the fact that G&G Oil's Bitcoin payment was at least made under duress, given that the company's operations were shut down at the time of the transfer.