The Indiana Supreme Court last week agreed to decide whether an oil company was entitled to coverage in connection with a ransomware payment under the computer fraud provision in its policy.

Earlier rulings in the case pivoted on the definition of “fraud” in the commercial policy issued by a unit of W.R. Berkley Corp.

In November 2017, employees of Muncie, Indiana-based G&G Oil Co. of Indiana discovered the company was the victim of a ransomware attack that prevented them from accessing servers and workstations, according to a March 31 ruling in the case by the Indiana Court of Appeals in Indianapolis in G&G Oil Co. of Indiana v. Continental Western Insurance Co.

The hacker demanded payment in bitcoin to release G&G’s system. The company made the payment, but the hacker refused to restore G&G’s control over its computer and demanded additional payments. 

G&G ultimately paid $34.5 million in bitcoins, and the hacker gave the passwords needed to decrypt the computer and regain access to the servers.

The company’s insurance policy provided coverage for computer fraud, but the company had not purchased the optional “computer virus and hacking coverage,” according to the ruling.

Continental denied G&G’s ransomware claim in part because the policyholder had not purchased the hacking coverage. In addition, the insurer said the losses did not result from the use of a computer to fraudulently cause a transfer of funds.

G&G sued for coverage in state court. The lower court dismissed the case and the ruling was upheld on appeal.

G&G argued the terms “fraud” and “fraudulently” were not defined in the policy and that “they must be given their plain and ordinary meanings,” which includes “unconscionable dealing,” which entitled it to coverage, court documents said.

While Continental agreed the hacker’s acts were illegal, it contended that the hacker had not committed any act that could be classified as “fraud” when he or she demanded the ransom.

In ruling in the insurer’s favor, the appeals court said the hacker “did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin.

“Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demand for ransom in exchange for restoring’s access to its computers.

“For all of these reasons, we conclude that the ransomware attack is not covered under the policy’s computer fraud provision,” said a unanimous three-judge panel in affirming the lower court’s ruling.

Attorneys in the case could not be reached for comment.

An amicus brief submitted in the case to the Supreme Court on behalf of San Francisco-based United Policyholders, an insurance consumer advocate organization, argues the court of appeals had relied on out-of-state cases that are inconsistent with Indiana’s rules of interpretation for insurance policies.

It also argued that under the state’s rules of interpreting insurance policies’ plain language, the ransomware incident was computer fraud covered by the company’s coverage.

“The decision from the Court of Appeals was wrongly decided and damages the interests of all ‘crime insurance’ policyholders in Indiana,” the amicus filing said.