G&G Oil Co. of Indiana v. Continental Western Insurance

Annotate this Case
Download PDF
FILED Mar 31 2020, 8:10 am CLERK Indiana Supreme Court Court of Appeals and Tax Court ATTORNEYS FOR APPELLANT ATTORNEYS FOR APPELLEE George M. Plews Christopher J. Braun John M. Ketcham Josh S. Tatum Plews Shadley Racher & Braun LLP Indianapolis, Indiana Patrick P. Devine Jennifer Kalas Hinshaw & Culbertson LLP Schererville, Indiana Adam P. Joffe Traub, Lieberman, Straus & Shrewsberry, LLP Chicago, Illinois IN THE COURT OF APPEALS OF INDIANA G&G Oil Co. of Indiana, March 31, 2020 Appellant-Plaintiff, Court of Appeals Case No. 19A-PL-1498 v. Appeal from the Marion Superior Court Continental Western Insurance Company, The Honorable Kurt M. Eisgruber, Judge Appellee-Defendant. Trial Court Cause No. 49D06-1807-PL-28267 Mathias, Judge. [1] The Marion Superior Court granted summary judgment to Continental Western Insurance Company (“Continental”) after concluding that the Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 1 of 11 commercial insurance policy held by G&G Oil Co. of Indiana (“G&G”) did not include coverage for losses suffered as the result of a ransomware attack. G&G appeals and argues that the policy terms unambiguously provide coverage for losses resulting directly from the use of a computer to fraudulently cause a transfer of G&G’s funds. [2] We affirm. Facts and Procedural History [3] Continental issued a multi-peril commercial common policy to G&G for the policy period of June 1, 2017 to June 1, 2018. The policy has several coverage parts, including an “Agricultural Output Coverage Part,” “Commercial General Liability Coverage Part,” and “Commercial Crime and Fidelity Coverage Part.” Appellant’s App. Vol. 2 pp. 16–18. [4] The Commercial Crime Coverage Part includes the following provisions relevant to this appeal: Coverage is provided under the following Insuring Agreements for which a Limit of Insurance is shown in the Declarations and applies to loss that you sustain resulting directly from an “occurrence” taking place during the Policy Period shown in the Declarations . . . *** 6. Computer Fraud Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 2 of 11 We will pay for loss of or damages to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or b. To a place outside those “premises”. Appellant’s App. Vol. 3, pp. 66–67. [5] On November 17, 2017, G&G employees discovered that the company was the victim of a ransomware attack. Employees were unable to access the company’s servers and most of its workstations. The workstations were useless without access to the servers. A hijacker had gained access to G&G’s computer network, encrypted its servers and most workstations, and password protected its drives. The hacker demanded a ransom, and in exchange for payment, agreed to send G&G the passwords and restore its control over its computer servers. [6] The hijacker demanded payment in bitcoin. G&G made the payment demanded, but the hijacker refused to restore G&G’s control over its computer servers and demanded additional bitcoin. Ultimately, G&G paid $34,477.50 for the four bitcoins it sent to the hijacker. After receiving the fourth bitcoin, the hacker gave G&G the passwords enabling it to decrypt its computers and regain access to its servers. Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 3 of 11 [7] On November 29, 2017, G&G submitted a claim to Continental requesting coverage for the ransomware attack and ensuing losses under the computer fraud provision included in the Commercial Crime Coverage Part of its insurance policy. Continental denied G&G’s claim on January 9, 2018, in part because G&G had not purchased the optional “Computer Virus and Hacking Coverage” offered under the Agricultural Output Coverage Part. Continental also concluded that G&G’s losses did not result directly from the use of a computer to fraudulently cause a transfer of G&G’s funds. [8] On July 17, 2018, G&G filed a complaint in Marion Superior Court seeking a judgment requiring Continental to indemnify G&G for the losses incurred as a result of the ransomware attack. Both parties filed motions for summary judgment, and the trial court heard argument on the motions on March 27, 2019. Continental argued that it was not required to indemnify G&G’s losses because they were not the result of computer fraud. Continental asserted that the ransomware attack was akin to an act of theft rather than fraud. And Continental noted the exclusion in the insurance policy for losses resulting from a computer virus or hacking. G&G argued for a more expansive interpretation of the term “fraud” and claimed that the hijacker’s use of computers caused its losses, thus entitling G&G to coverage under the terms of its insurance policy. [9] On May 30, 2019, the trial court issued its order denying G&G’s motion for summary judgment and granting Continental’s cross-motion for summary judgment. The trial court concluded: Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 4 of 11 Pursuant to the terms of the Policy, G&G Oil’s loss must be “fraudulently caused.” Here, the hacker inserted himself into G&G Oil’s system. That may have involved some sort of deception, but no more than the burglar inserts himself into a house by picking a lock or climbing through a window or the auto thief who steals a car by accessing a FOB or a key through surreptitious means. G&G Oil may prefer to brand all three as fraudsters, but with good reason, the law labels one a burglar, the other a car thief and the third a hacker. Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme. The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious and criminal, fraudulent it was not. Appellant’s App. Vol. 2, p. 10. The trial court also concluded that G&G’s losses did not directly result from the use of a computer but from a “voluntary payment to accomplish a necessary result.” Id. G&G Oil now appeals. Standard of Review [10] When our court reviews a summary judgment order, we stand in the shoes of the trial court. See Matter of Supervised Estate of Kent, 99 N.E.3d 634, 637 (Ind. 2018) (citation omitted). Summary judgment is appropriate “if the designated evidentiary matter shows that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law.” Ind. Trial Rule 56(C). The fact that the parties have filed cross-motions for summary judgment does not alter our standard for review, as we consider each motion separately to determine whether the moving party is entitled to judgment as a matter of law. Reed v. Reid, 980 N.E.2d 277, 285 (Ind. 2012). The interpretation Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 5 of 11 of an insurance policy presents a question of law which is appropriate for summary judgment. Am. Family Ins. Co. v. Globe Am. Cas. Co., 774 N.E.2d 932, 935 (Ind. Ct. App. 2002), trans. denied. Discussion and Decision [11] The parties agree that the facts of this case are undisputed. The sole issue presented in this appeal is whether Continental is required to indemnify G&G for the losses it suffered as a result of the ransomware attack. [12] We review an insurance policy using the same rules of interpretation applied to other contracts; that is, if the language is clear and unambiguous we will apply the plain and ordinary meaning. Adkins v. Vigilant Ins. Co., 927 N.E.2d 385, 389 (Ind. Ct. App. 2010), trans. denied. An insurance policy is ambiguous if a provision is susceptible to more than one interpretation and reasonable persons would differ as to its meaning. Id. An ambiguity does not exist merely because the parties favor different interpretations. Id. If the policy contains ambiguous provisions, they are construed in favor of the insured. United Farm Family Mut. Ins. Co. v. Matheny, 114 N.E.3d 880, 885 (Ind. Ct. App. 2018), trans. denied. “This strict construal against the insurer is driven by the fact that the insurer drafts the policy and foists its terms upon the customer. The insurance companies write the policies; we buy their forms or we do not buy insurance.” Id. (quoting Meridian Mut. Ins. Co. v. Auto-Owners Ins. Co., 698 N.E.3d 770, 773 (Ind. 1998)). Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 6 of 11 [13] An insurance contract that is unambiguous must be enforced according to its terms, “even those terms that limit an insurer’s liability.” Sheehan Constr. Co. v. Cont’l Cas. Co., 935 N.E.2d 160, 169 (Ind. 2010). The power to interpret insurance contracts “does not extend to changing their terms, and we will not give insurance policies an unreasonable construction to provide added coverage.” Adkins, 927 N.E.2d at 389. In other words, we may not extend coverage beyond that provided by the unambiguous language of the contract. Sheehan Constr. Co., 935 N.E.2d at 169. “[I]nsurers have the right to limit their coverage of risks and, therefore, their liability by imposing exceptions, conditions, and exclusions.” Id. [14] Under its Commercial Crime Coverage Part form, the commercial insurance policy at issue in this case provides:1 Computer Fraud We will pay for loss of or damages to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or 1 This coverage form begins with the following statement: “Various provisions in this policy restrict coverage. Read the entire policy carefully to determine rights, duties and what is or is not covered.” Appellant’s App. Vol. 3, p. 66. Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 7 of 11 b. To a place outside those “premises”. Appellant’s App. Vol. 3, pp. 67. G&G argues that the trial court erred when it concluded that its losses did not result from computer fraud. [15] G&G argues that the terms “fraud” and “fraudulently” were not defined in the policy, and therefore, they must be given their plain and ordinary meanings. G&G observes that while “fraudulently” can mean a “knowing misrepresentation or concealment of a material fact,” it is also defined as “unconscionable dealing.” Appellant’s Br. at 22 (citing Black’s Law Dictionary at 802 (11th ed. 2019)). G&G also directs our attention to a broad definition of fraud in bankruptcy appeal from the United States Court of Appeals for the Seventh Circuit: No learned inquiry into the history of fraud is necessary to establish that it is not limited to misrepresentations and misleading omissions. “Fraud is a generic term, which embraces all the multifarious means which human ingenuity can devise and which are resorted to by one individual to gain an advantage over another by false suggestions or by the suppression of truth. No definite and invariable rule can be laid down as a general proposition defining fraud, and it includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.” McClellan v. Cantrell, 217 F.3d 890, 893 (7th Cir. 2000) (quoting Stapleton v. Holt, 207 Okla. 443, 250 P.2d 451, 453–54 (Okla. 1952)). Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 8 of 11 [16] G&G argues that the hacker’s ransomware attack was deceptive and unconscionable. And the hacker gained control of G&G’s computers by “misrepresenting his authority to enter and control those machines. He also cheated G&G Oil when he said he would return all of the machines for three Bitcoins.” Appellant’s Br. at 23. G&G also claims that its losses resulted from computer fraud because the hacker engaged in deception when he refused to release the computers after G&G paid the first Bitcoin demand and demanded an additional payment before restoring G&G’s control over its computers. [17] Although Continental encourages us to interpret the policy to allow coverage only for tortious or criminal acts of fraud, it contends that if G&G’s definition is applied, “even the layperson’s definition of ‘fraud’ . . . requires ‘intentional perversion of truth’ and/or ‘an act of deceiving or misrepresenting.’” Appellee’s Br. at 22. Continental agrees that the hacker’s acts were illegal but that he or she did not commit any act that could be classified as “fraud” when the hacker demanded ransom in exchange for the passwords that would allow G&G to regain access to its computer system.2 2 The insurance policy at issue is extensive and contains several different coverage parts. Under the Agricultural Output Coverage Part, G&G had the option of purchasing coverage for losses resulting from computer hacking. Continental argues that this case is easily resolved because G&G was offered but declined to purchase “computer virus and hacking coverage.” Appellee’s Br. at 16. Because the computer virus and hacking coverage forms were not incorporated into the commercial insurance policy at issue, a computer virus or computer hacking exclusion was incorporated into the Agricultural Output Coverage. Id. at 16–17. The structure of the policy itself leads us to conclude that the computer hacking exclusion applies only to the policy provisions in Agricultural Output Coverage Part. The terms of the policy providing coverage for Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 9 of 11 [18] As the term is commonly understood and defined, fraud is the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” Fraud, Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/fraud (last visited on March 23, 2020) [https://perma.cc/R3JX-PFGH]. Similarly, the American Heritage Dictionary defines fraud as “[a] deception practiced in order to induce another to give up possession of property or surrender a right.” Fraud, American Heritage Dictionary, https://ahdictionary.com/word/search.html?q=Fraud (last visited on March 23, 2020) [https://perma.cc/ZU3B-RZVB]. [19] We also observe that the Court of Appeals for the Ninth Circuit has considered language similar to the policy in this case and concluded that the phrase “fraudulently cause a transfer” requires “the unauthorized transfer of funds.” Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016). “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Id. See also, InComm Holdings, Inc. v. Great American Ins. Co., 2017 WL 1021749 *10 (N.D. Ga. Mar. 16, 2017) (noting that computer fraud at issue in this case are provided for in the Commercial Crime Coverage Part. Therefore, the exclusion for computer hacking does not dispose of the issues in this case as Continental suggests. Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 10 of 11 “courts repeatedly have denied coverage under similar computer fraud provisions, except in cases of hacking where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money”). [20] Here, the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring G&G’s access to its computers. For all of these reasons, we conclude that the ransomware attack is not covered under the policy’s computer fraud provision.3 [21] We therefore affirm the trial court’s order granting summary judgment to Continental on G&G’s claim that the insurance policy provides coverage for the losses it incurred as a result of the ransomware attack. [22] Affirmed. Bradford, C.J., and Altice, J., concur. 3 Because this issue is dispositive, we do not address G&G’s argument that trial court erred when it concluded that the company’s losses did not result “directly” from the use of a computer. Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020 Page 11 of 11