The Indiana Court of Appeals, applying Indiana law, has held that a ransomware attack did not necessarily constitute a “fraudulent” act, and the corresponding loss did not fall within the scope of the computer fraud coverage part of a multi-peril commercial insurance policy.  G&G Oil Co. of Ind. v. Cont’l Western Ins. Co., 2020 WL 1528095 (Ind. Ct. App. Mar. 31, 2020).  The court rejected the argument that the ransomware attack was a fraud because it was an “unconscionable dealing” and instead found that the hacker did not “pervert the truth” or engage in deception in order to induce ransom payment.

In November 2017, the insured discovered that it was a victim of a ransomware attack.  Employees were unable to access servers or workstations.  The hacker demanded payment in the form of Bitcoin in exchange for the passwords and to restore control.  The company made the payment, and the systems were restored.  The company sought coverage for the losses from the attack under the Computer Fraud provision of its policy’s Commercial Crime Coverage.  The insurer denied the claim on the basis that the company’s losses did not result directly from the use of a computer to fraudulently cause a transfer of funds.  In the ensuing coverage litigation, the trial court granted the insurer’s motion for summary judgment, concluding that the losses did not result from Computer Fraud.  The company appealed.

The appellate court affirmed, determining that a ransomware attack did not constitute Computer Fraud under the policy.   The policy defined “Computer Fraud” as the “loss of …‘money’… resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: [t]o a person … outside those ‘premises’; or [t]o a place outside those ‘premises’.”  The company argued that the policy did not define the terms “fraud” or “fraudulently” and therefore, the court should apply the plain meaning of the word, including “unconscionable dealing.”  The insured argued that the ransomware attack was “deceptive and unconscionable” and therefore, constituted a fraud.  The insurer contended that the hacker did not commit any act that would be classified as a fraud, but rather demanded ransom in exchange for the passwords to regain access to the system.  After analyzing the definition of fraud, the court concluded that the attack was not a loss fraudulently caused by the use of a computer.  In the court’s view, the hacker did not obscure the truth in order to induce the insured to purchase the Bitcoin to release the servers and accounts.  While illegal, the court concluded that there was no deception in the attack.  As such, the court held that the loss from the ransomware attack was not covered under the policy’s computer fraud coverage.