Court of Appeals Holds That Ransomware Attack Did Not “Fraudulently Cause” Insured to Buy Bitcoin to Pay Ransom

Michael R. Giordano

G&G Oil Co. of Indiana v. Cont’l W. Ins. Co., 2020 WL 1528095 (Ind. Ct. App. 2020)

An oil company was a victim of a form of cyber extortion known as ransomware. A hijacker infiltrated the company’s computer network, encrypted its servers, and password-protected its drives. The hijacker demanded a ransom of three bitcoins to give the company the passwords to decrypt its computers and regain access to its servers. After the company paid, the hijacker reneged and demanded another bitcoin. The company complied, spending nearly $35,000 for the four bitcoins that it sent to the hijacker, who ultimately gave the company the passwords to regain access to its servers. The company then sought reimbursement from its insurer.

The company’s commercial crime policy included a “Computer Fraud” provision that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer” of the company’s funds. The insurer denied coverage and argued that the company’s loss was not caused by computer fraud. The company, however, contended that the plain and ordinary meaning of the word “fraud,” which the policy did not define, was not limited to a “knowing misrepresentation or concealment of a material fact.” Citing a dictionary and a court case, the company argued that fraud also means an “unconscionable dealing” and “any unfair way by which another is cheated.”

According to the company, the hijacker’s ransomware attack was “deceptive and unconscionable.” The hijacker misrepresented his authority to enter and control the company’s computer network, and he “cheated” the company by demanding a fourth bitcoin after falsely stating he would turn over the passwords if the company paid three bitcoins. Thus, the company argued, the hijacker’s ransomware attack was fraudulent. The trial court disagreed with the company and entered summary judgment for the insurer, holding that while the hijacker’s ransomware attack was “devious, tortious and criminal, fraudulent it was not.” The Court of Appeals affirmed.

Rejecting the company’s broad reading of “fraud,” the Court of Appeals cited two dictionaries to show that fraud is commonly understood as a “deception” or “perversion of truth” meant to induce another to surrender a right or to part with something of value. The Court of Appeals also observed that courts have interpreted the phrase “fraudulently cause a transfer” to require “the unauthorized transfer of funds.” A broader interpretation, the courts reasoned, would turn a computer-fraud provision into a general-fraud provision, as computers are used in almost every business transaction. Putting it together, the Court of Appeals held “the hijacker did not use a computer to fraudulently cause [the company] to purchase Bitcoin to pay as ransom” because:

The hijacker did not pervert the truth or engage in deception in order to induce [the company] to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring [the company’s] access to its computers. For all of these reasons, we conclude that the ransomware attack is not covered under the policy’s computer fraud provision.

Not all cyberattacks are the same. While many involve deceit, some do not. This case is unlikely to impact computer-fraud coverage for deceitful attacks, such as phishing and spoofing, but it provides a well-reasoned coverage analysis for ransomware attacks.