The Supreme Court of Indiana last week agreed to determine whether an oil company was entitled to coverage in connection with a ransomware payment under the fraud provision in its policy.
Previous rulings in the case led to the definition of "fraud" in the commercial policy issued by a unit of WR Berkley Corp.
In November 2017, employees of Muncie, Indiana-based G&G Oil Co. of Indiana discovered that the company was the victim of a ransomware attack that prevented them from accessing servers and workstations, according to the March 31 decision of the Indiana Court of Appeals in Indianapolis in G&G Oil Co. of Indiana v. Continental Western Insurance Co.
The hacker demanded payment in bitcoin to release G&G's system. The company made the payment, but the hacker refused to restore G&G's control of its computers and demanded additional payments.
G&G eventually paid $34.5 million in bitcoin, and the hacker provided the passwords needed to decrypt the computers and regain access to the servers.
The company's insurance provided coverage for computer fraud, but the company had not purchased the "Computer virus coverage and hacking" option, according to the ruling.
Continental denied G&G's ransomware claim in part because the policyholder had not purchased the hacking coverage. In addition, the insurer said that the losses were not due to the use of a computer to fraudulently cause a transfer of funds.
G&G sued for coverage in state court. The lower court dismissed the case and the decision was upheld on appeal.
G&G argued that the terms "fraud" and "fraudulent" were not defined in the policy and that "they must be given their usual and ordinary meaning," which includes "inconsistent trade," entitling it to coverage, court documents said.
Although Continental agreed that the hacker's actions were illegal, it claimed that the hacker had not committed any act that could be classified as "fraud" when he or she demanded
In its decision in favor of the insurer, the appeals court said the hijacker did not use a computer to fraudulently cause G&G to buy bitcoin to pay as a ransom. The hijacker did not distort the truth or engage in fraud to get G&G to buy bitcoin.
"Although the hijacker's actions were illegal, there was no deception in the hijacker's ransom claim in exchange for restoring access to computers."
"For all of these reasons, we conclude that the ransomware attack is not covered by the policy's computer fraud provision," said a unanimous three-judge panel in affirming the lower court's decision.
Lawyers in the case could not be reached for comment.
An amicus brief filed in the Supreme Court case on behalf of San Francisco-based United Policyholders, an insurance consumer advocate organization, claims that the Court of Appeal relied on out-of-state cases incompatible with Indiana's insurance interpretation rules.
It also claimed that, under state rules for interpreting the clear language of insurance policies, ransomware was computer fraud covered by the company's policy.
"The decision of the Court of Appeal was wrongly made and harms the interests of all 'criminal insurance' policyholders in Indiana," the amicus brief said.