The multi-peril policy did not provide coverage for ransom paid to a hacker in order to retrieve its servers. G&G Oil Co. of Ind. v. Cont' W. Ins. Co., 2020 Ind. App. LEXIS 126 (March 31, 2020).
G&G Oil Company held a multi-peril commercial policy from Continental. The Commercial Crime Coverage Part provided,
We will pay for loss of or damages to "money", "securities" and "other property" resulting directly from the use of any computer to fraudulently cause of a transfer of that property from inside the "premises" or "banking premises":
a. To a person outside those "premises"; or
b. To a place outside those "premises".
G&G employees discovered that the company was the victim of a ransomware attack. G&G could not access the company's servers and most of its workstations. The hacker demanded a ransom in bitcoin. In exchange for payment, the hacker agreed to send G&G the passwords and restore its control over its computer servers.
G&G make the payment demanded, but the hacker refused to restore G&G's control over its computer servers and demanded additional bitcoin. Ultimately, G&G paid $34,477.50 for the four bitcoins it sent to the hacker.
G&G submitted a claim. Continental denied the claim because the loss did not result directly from the use of a computer to fraudulently cause a transfer of G&G's funds. G&G filed a complaint and the parties filed motions for summary judgment.
The trial court denied G&G's motion and granted summary judgment to Continental. The loss was not "fraudulently caused." The hacker inserted himself into G&G's system. The hacker deprived G&G of use of its computer system and extracted bitcoin from G&G as ransom. While devious, tortious and criminal, it was not fraudulent.
On appeal, G&G argued that the hacker's ransomware attack was deceptive and unconscionable. Its loses resulted from computer fraud because the hacker engaged in deception when he refused to release the computers after G&G paid the first bitcoin demand and demanded an additional payment before restoring G&G's control over its computers.
The appellate court disagreed. The hacker did not use a computer to fraudulently cause G&G to purchase bitcoin to pay as ransom. The hacker did not pervert the truth or engage in deception on order to induce G&G to purchase the bitcoin. Although the hacker's actions were illegal, there was no deception involved in the demands for ransom in exchange for restoring G&G's access to its computer. For these reasons, the court concluded that the ransomware attack was not covered under the policy's computer fraud provision.