The Indiana Court of Appeals recently held that the actions of an “honest thief,” while criminal in nature, do not provide for a recovery via an insurance carrier’s Commercial Crime Coverage Provisions in its General Liability policy.
In G&G Oil Company of Indiana v. Continental Western Insurance Company, 145 N.E.3d 842 (Ind. Ct. App. 2020), reh., denied, the Court of Appeals had the opportunity to review an insurance company’s denial of a claim for payments G&G made to a ransom-wear hijacker, after the computer hijacker had gained control of the Company’s computer servers and systems. Submitting to the ransom demand, G&G paid $34,477.50 in bitcoin in exchange for the passwords to regain control of their computer systems. G&G then submitted a claim to Continental under the Commercial Crime Coverage part of its insurance policy. That portion of the policy had a provision that stated:
Computer Fraud
We will pay for loss of or damages to “money,” “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premise”
In denying G&G’s Motion for Summary Judgment, and granting Continental’s Cross Motion for Summary Judgment, the Trial Court concluded:
Pursuant to the term of the Policy, G&G Oil’s loss must be “fraudulently caused.” Here, the hacker inserted himself into G&G Oil’s systems. That may have involved some sort of deception, but not more than the burglar inserts himself into a house by picking a lock or climbing through a window or the auto thief who steals a car by accessing a FOB or a key through surreptitious means. G&G Oil may prefer to brand all three as fraudsters, but with good reason, the law labels one a burglar, the other a car thief and the third a hacker. Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme. The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortuous and criminal, fraudulent it was not.
In its review of the trial court’s decision, the Court of Appeals first addressed Indiana law on insurance contracts, noting that the same rules of interpretation are applied to other contracts, and that if the language is clear and unambiguous the Courts will apply the plain meaning of the language used. While an insurance policy is ambiguous if a provision is acceptable to one or more interpretation and reasonable persons would differ as to the meaning, an ambiguity does not exist merely because the parties’ favor different interpretations. Ambiguous provisions are construed against the party drafting them, and in this case the insurer. However, an insurance contract that is unambiguous must be enforced according to its terms, even terms that limit the insurer’s liability. Ultimately, insurers have the right to limit their coverage or risks and therefore their liability, by imposing exceptions, conditions, and exclusions. Applying Indiana law to the language of the policy, the Court noted that the terms “fraud” and “fraudulently” were not defined. Therefore, the Court gave them their plain and ordinary meanings.
G&G argued that the attack was deceptive and unconscionable. They further argued that the hacker gained control of the computers by “misrepresenting his authority to enter and control those machines. The hacker also cheated G&G Oil when he said he would return all of the machines for 3 bitcoins.” Further, G&G claimed that the hacker committed fraud because he engaged in deception, and refused to release the computers after G&G paid the first ransom demand.
In response, Continental agreed the hacker’s acts were illegal, but argued the hacker did not commit any act that could be classified as “fraud.” Instead, Continental argued that fraud is commonly understood as the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” The Court of Appeals noted prior authority for the Court of Appeals for the 9th Circuit analyzing similar policy language, which concluded that the phrase “fraudulently caused a transfer” requires “the unauthorized transfer of funds.”
In upholding the trial court’s determination, the Court noted that the hijacker did not use a computer to fraudulently cause G&G to purchase bit coin to pay its ransom, nor did the hijacker pervert the truth or engage in deception to induce G&G to pay the ransom. Although the hijackers’ actions were illegal, there was no deception involved in the hijackers’ demands for ransom in exchange for restoring G&G’s access to computers. The Court, therefore, concluded the ransom or attack was not covered under the policy’s computer fraud provisions.
First-party claims for indemnity under the insured’s policy of insurance with the Carrier must be treated with great care, and prudent policy should allow a tie to go to the “runner” on close calls where coverage might exist. However, in cases such as this, where the facts of the claim do not support indemnity via the policy provision and the law, coverage should be denied. If necessary, a declaratory judgment action should be commenced to obtain a judicial determination that the insurer’s decision is correct. In cases such as this, where the insured files a summary judgment motion, carriers should certainly file a cross-claim for summary judgment in order to enforce their rights under the contract.
Given the explosive growth of computer usage in the past decade and the increasing sophistication of both technology, and criminal use of technology to cause various forms of harm to insureds, Carriers need to be especially sensitive to such claims, and well-versed in the law and their policies in dealing with them. Underwriters should take particular care in drafting their policy language.
The attorneys at Garan Lucow Miller stand ready to provide any assistance we can in terms of coverage analysis and litigation, as well as underwriting consultation. While there may be honor among thieves, good counsel can assist Carriers and their insureds in avoiding being the victim of criminal conduct.