A Hacker’s Scheme is “Forthright;” Thus, No Computer Fraud Coverage for Ransomware Attacks
A computer hacker may engage in malicious and criminal conduct, but that doesn’t mean that the conduct is “fraudulent.” In G&G Oil Company v. Continental Western Ins. Co., 2020 Ind. App. LEXIS 126 (Ind. Ct. App. Mr. 31, 2020), the Court of Appeals of Indiana addressed the launch of a ransomware attack on an insured and whether the resulting loss fits within computer fraud coverage. (Hint: it doesn’t.)
In November 2017, G&G Oil Company (G&G) discovered that the company had been victimized by a ransomware attack when employees could not access company servers and workstations. The malware had accessed G&G’s computer network, encrypting “its servers and most workstations, and password protected its drives.” Id. at *2. The attacker thereafter demanded a ransom in bitcoin in exchange for the encryption key to decrypt the data. Id. G&G paid the ransom, but instead of sending the encryption key, the hacker instead demanded additional ransom until the insured paid $34,477.50 in bitcoin. Following payment, the hacker sent the encryption key. Id.
Approximately two weeks later, the insured submitted a claim seeking coverage for the ransomware and resulting loss under the computer fraud coverage of the commercial crime coverage part of its policy. Id at *3. The insurer denied coverage in part because the loss had not resulted directly from the use of a computer to “fraudulently cause” the transfer of G&G’s funds, as required under the computer fraud provisions. Id. Coverage litigation ensued.
The commercial crime coverage part of the policy covered “Computer Fraud,” stating:
We will pay for loss of or damages to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Id. at *2 (emphasis added).
The insurer argued that it was not required to indemnify the insured’s losses because the losses had not resulted from a fraudulently caused transfer of money. Id. at *3-4. The insured, on the other hand, argued for an expansive meaning of the term “fraud” to encompass the attack, and asserted that the attacker’s use of computers to orchestrate the attack caused the losses. Id. at *4. Ultimately, the trial court agreed with the insurer that the loss had not been “fraudulently caused,” and instead had been caused by a hacker’s criminal, but “forthright,” scheme. The trial court stated:
Here, the hacker inserted himself into G&G Oil’s system. That may have involved some sort of deception, but no more than the burglar inserts himself into a house by picking a lock or climbing through a window or the auto thief who steals a car by accessing a FOB or a key through surreptitious means. G&G Oil may prefer to brand all three as fraudsters, but with good reason, the law labels one a burglar, the other a car thief and the third a hacker. Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme. The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious and criminal, fraudulent it was not.
Id. at *4-5.
On appeal, the insured argued that because the policy did not define the terms “fraud” and “fraudulently,” the court had to examine the “plain and ordinary meanings” of those terms, which included both a “knowing misrepresentation or concealment of a material fact,” and an “unconscionable dealing.” Id. at *8. The insured argued that “the hacker’s ransomware attack was deceptive and unconscionable,” and that the hacker acquired control of the computers by “misrepresenting his authority to enter and control those machines.” Id. at *8. The insured also contended that the hacker “cheated” it when it demanded additional payments for the encryption key. Id. Thus, according to the insured, the hacker’s conduct was fraudulent.
The insurer agreed that the hacker’s actions were illegal, but contended that the hacker “did not commit any act that could be classified as ‘fraud’ when the hacker demanded ransom in exchange for the passwords that would allow [the insured] to regain access to its computer system.” Id. at *9-10. The Court of Appeals of Indiana agreed.
Rejecting the insured’s expansive reading of the term “fraud,” and wary that a broad construction of the term in the context of computer fraud coverage could “convert this Crime Policy into a ‘General Fraud’ Policy,” the Court of Appeals adopted a much more limited meaning of the term. Id. at *11 (citation omitted). The court examined dictionary definitions for “fraud,” which included the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right,” and “[a] deception practiced in order to induce another to give up possession of property or surrender a right.” Id. ay *10-11. Looking to the Ninth Circuit’s decision in Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. App’x 332 (9th Cir. 2016), another computer fraud coverage decision, the Court of Appeals further noted that the Ninth Circuit had defined the phrase “fraudulently cause a transfer” to require “the unauthorized transfer of funds.” Id. at *11. Based on these definitions for “fraud” and the phrase “fraudulently caused,” the court concluded that the ransomware attack on the insured could not be converted into a loss fraudulently caused by the use of a computer:
Here, the hijacker did not use a computer to fraudulently cause [the insured] to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce [the insured] to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring [the insured’s] access to its computers.
Id. at *12. As a result, the loss from the ransomware attack was not covered under the policy’s computer fraud coverage. Id.
What this case means
This case is reminiscent of the decision in Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016), in which the Fifth Circuit opined that to “interpret the computer fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer fraud provision to one for general fraud.” Here, the Court of Appeals of Indiana observed that not every cyberattack and not every loss resulting from a cybersecurity incident, is a loss resulting from fraud. That makes sense. This case should not have a significant impact on the coverage pendulum for business email compromises (BECs) involving wire fraud because the underlying facts in those cases generally are very different. This case, however, should be a first step in sketching out the scope of ransomware coverage under a traditional crime, computer fraud policy.