G&G Oil Co. of Indiana v. Continental Western Insurance ( 2020 )

                                                                               FILED
Mar 31 2020, 8:10 am
CLERK
Indiana Supreme Court
Court of Appeals
and Tax Court
ATTORNEYS FOR APPELLANT                                    ATTORNEYS FOR APPELLEE
George M. Plews                                            Patrick P. Devine
Christopher J. Braun                                       Jennifer Kalas
John M. Ketcham                                            Hinshaw & Culbertson LLP
Josh S. Tatum                                              Schererville, Indiana
Plews Shadley Racher & Braun LLP                           Adam P. Joffe
Indianapolis, Indiana                                      Traub, Lieberman, Straus &
Shrewsberry, LLP
Chicago, Illinois
IN THE
COURT OF APPEALS OF INDIANA
G&G Oil Co. of Indiana,                                    March 31, 2020
Appellant-Plaintiff,                                       Court of Appeals Case No.
19A-PL-1498
v.                                                 Appeal from the Marion Superior
Court
Continental Western Insurance                              The Honorable Kurt M. Eisgruber,
Company,                                                   Judge
Appellee-Defendant.                                        Trial Court Cause No.
49D06-1807-PL-28267
Mathias, Judge.
[1]   The Marion Superior Court granted summary judgment to Continental
Western Insurance Company (“Continental”) after concluding that the
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                           Page 1 of 11
commercial insurance policy held by G&G Oil Co. of Indiana (“G&G”) did
not include coverage for losses suffered as the result of a ransomware attack.
G&G appeals and argues that the policy terms unambiguously provide
coverage for losses resulting directly from the use of a computer to fraudulently
cause a transfer of G&G’s funds.
[2]   We affirm.
Facts and Procedural History
[3]   Continental issued a multi-peril commercial common policy to G&G for the
policy period of June 1, 2017 to June 1, 2018. The policy has several coverage
parts, including an “Agricultural Output Coverage Part,” “Commercial General
Liability Coverage Part,” and “Commercial Crime and Fidelity Coverage
Part.” Appellant’s App. Vol. 2 pp. 16–18.
[4]   The Commercial Crime Coverage Part includes the following provisions
relevant to this appeal:
Coverage is provided under the following Insuring Agreements
for which a Limit of Insurance is shown in the Declarations and
applies to loss that you sustain resulting directly from an
“occurrence” taking place during the Policy Period shown in the
Declarations . . .
***
6. Computer Fraud
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020        Page 2 of 11
We will pay for loss of or damages to “money”,
“securities” and “other property” resulting directly from
the use of any computer to fraudulently cause a transfer of
that property from inside the “premises” or “banking
premises”:
a. To a person (other than a “messenger”) outside those
“premises”; or
b. To a place outside those “premises”.
Appellant’s App. Vol. 3, pp. 66–67.
[5]   On November 17, 2017, G&G employees discovered that the company was the
victim of a ransomware attack. Employees were unable to access the company’s
servers and most of its workstations. The workstations were useless without
access to the servers. A hijacker had gained access to G&G’s computer
network, encrypted its servers and most workstations, and password protected
its drives. The hacker demanded a ransom, and in exchange for payment,
agreed to send G&G the passwords and restore its control over its computer
servers.
[6]   The hijacker demanded payment in bitcoin. G&G made the payment
demanded, but the hijacker refused to restore G&G’s control over its computer
servers and demanded additional bitcoin. Ultimately, G&G paid $34,477.50 for
the four bitcoins it sent to the hijacker. After receiving the fourth bitcoin, the
hacker gave G&G the passwords enabling it to decrypt its computers and regain
access to its servers.
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020          Page 3 of 11
[7]   On November 29, 2017, G&G submitted a claim to Continental requesting
coverage for the ransomware attack and ensuing losses under the computer
fraud provision included in the Commercial Crime Coverage Part of its
insurance policy. Continental denied G&G’s claim on January 9, 2018, in part
because G&G had not purchased the optional “Computer Virus and Hacking
Coverage” offered under the Agricultural Output Coverage Part. Continental
also concluded that G&G’s losses did not result directly from the use of a
computer to fraudulently cause a transfer of G&G’s funds.
[8]   On July 17, 2018, G&G filed a complaint in Marion Superior Court seeking a
judgment requiring Continental to indemnify G&G for the losses incurred as a
result of the ransomware attack. Both parties filed motions for summary
judgment, and the trial court heard argument on the motions on March 27,
2019. Continental argued that it was not required to indemnify G&G’s losses
because they were not the result of computer fraud. Continental asserted that
the ransomware attack was akin to an act of theft rather than fraud. And
Continental noted the exclusion in the insurance policy for losses resulting from
a computer virus or hacking. G&G argued for a more expansive interpretation
of the term “fraud” and claimed that the hijacker’s use of computers caused its
losses, thus entitling G&G to coverage under the terms of its insurance policy.
[9]   On May 30, 2019, the trial court issued its order denying G&G’s motion for
summary judgment and granting Continental’s cross-motion for summary
judgment. The trial court concluded:
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020      Page 4 of 11
Pursuant to the terms of the Policy, G&G Oil’s loss must be
“fraudulently caused.” Here, the hacker inserted himself into
G&G Oil’s system. That may have involved some sort of
deception, but no more than the burglar inserts himself into a
house by picking a lock or climbing through a window or the
auto thief who steals a car by accessing a FOB or a key through
surreptitious means. G&G Oil may prefer to brand all three as
fraudsters, but with good reason, the law labels one a burglar, the
other a car thief and the third a hacker. Unlike the fraudster, a
hacker, like the burglar or car thief is forthright in his scheme.
The hacker deprived G&G Oil of use of its computer system and
extracted bitcoin from the Plaintiff as ransom. While devious,
tortious and criminal, fraudulent it was not.
Appellant’s App. Vol. 2, p. 10. The trial court also concluded that G&G’s losses
did not directly result from the use of a computer but from a “voluntary
payment to accomplish a necessary result.”

now appeals.
Standard of Review
[10]   When our court reviews a summary judgment order, we stand in the shoes of
the trial court. See Matter of Supervised Estate of Kent, 

, 637 (Ind.
2018) (citation omitted). Summary judgment is appropriate “if the designated
evidentiary matter shows that there is no genuine issue as to any material fact
and that the moving party is entitled to a judgment as a matter of law.” Ind.
Trial Rule 56(C). The fact that the parties have filed cross-motions for summary
judgment does not alter our standard for review, as we consider each motion
separately to determine whether the moving party is entitled to judgment as a
matter of law. Reed v. Reid, 

, 285 (Ind. 2012). The interpretation
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020          Page 5 of 11
of an insurance policy presents a question of law which is appropriate for
summary judgment. Am. Family Ins. Co. v. Globe Am. Cas. Co., 

,
935 (Ind. Ct. App. 2002), trans. denied.
Discussion and Decision
[11]   The parties agree that the facts of this case are undisputed. The sole issue
presented in this appeal is whether Continental is required to indemnify G&G
for the losses it suffered as a result of the ransomware attack.
[12]   We review an insurance policy using the same rules of interpretation applied to
other contracts; that is, if the language is clear and unambiguous we will apply
the plain and ordinary meaning. Adkins v. Vigilant Ins. Co., 

, 389
(Ind. Ct. App. 2010), trans. denied. An insurance policy is ambiguous if a
provision is susceptible to more than one interpretation and reasonable persons
would differ as to its meaning.

does not exist merely because
the parties favor different interpretations.

policy contains ambiguous
provisions, they are construed in favor of the insured. United Farm Family Mut.
Ins. Co. v. Matheny, 

, 885 (Ind. Ct. App. 2018), trans. denied.
“This strict construal against the insurer is driven by the fact that the insurer
drafts the policy and foists its terms upon the customer. The insurance
companies write the policies; we buy their forms or we do not buy insurance.”

Mut. Ins. Co. v. Auto-Owners Ins. Co., 

, 773
(Ind. 1998)).
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020         Page 6 of 11
[13]   An insurance contract that is unambiguous must be enforced according to its
terms, “even those terms that limit an insurer’s liability.” Sheehan Constr. Co. v.
Cont’l Cas. Co., 

, 169 (Ind. 2010). The power to interpret
insurance contracts “does not extend to changing their terms, and we will not
give insurance policies an unreasonable construction to provide added
coverage.” 

. In other words, we may not extend
coverage beyond that provided by the unambiguous language of the contract.
Sheehan Constr. 

. “[I]nsurers have the right to limit their
coverage of risks and, therefore, their liability by imposing exceptions,
conditions, and exclusions.”

its Commercial Crime Coverage Part form, the commercial insurance
policy at issue in this case provides:1
Computer Fraud
We will pay for loss of or damages to “money”, “securities” and
“other property” resulting directly from the use of any computer
to fraudulently cause a transfer of that property from inside the
“premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those
“premises”; or
1
This coverage form begins with the following statement: “Various provisions in this policy restrict coverage.
Read the entire policy carefully to determine rights, duties and what is or is not covered.” Appellant’s App.
Vol. 3, p. 66.
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                               Page 7 of 11
b. To a place outside those “premises”.
Appellant’s App. Vol. 3, pp. 67. G&G argues that the trial court erred when it
concluded that its losses did not result from computer fraud.
[15]   G&G argues that the terms “fraud” and “fraudulently” were not defined in the
policy, and therefore, they must be given their plain and ordinary meanings.
G&G observes that while “fraudulently” can mean a “knowing
misrepresentation or concealment of a material fact,” it is also defined as
“unconscionable dealing.” Appellant’s Br. at 22 (citing Black’s Law Dictionary
at 802 (11th ed. 2019)). G&G also directs our attention to a broad definition of
fraud in bankruptcy appeal from the United States Court of Appeals for the
Seventh Circuit:
No learned inquiry into the history of fraud is necessary to
establish that it is not limited to misrepresentations and
misleading omissions. “Fraud is a generic term, which embraces
all the multifarious means which human ingenuity can devise
and which are resorted to by one individual to gain an advantage
over another by false suggestions or by the suppression of truth.
No definite and invariable rule can be laid down as a general
proposition defining fraud, and it includes all surprise, trick,
cunning, dissembling, and any unfair way by which another is
cheated.”
McClellan v. Cantrell, 

, 893 (7th Cir. 2000) (quoting Stapleton v. Holt,

, 

, 453–54 (Okla. 1952)).
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020         Page 8 of 11
[16]   G&G argues that the hacker’s ransomware attack was deceptive and
unconscionable. And the hacker gained control of G&G’s computers by
“misrepresenting his authority to enter and control those machines. He also
cheated G&G Oil when he said he would return all of the machines for three
Bitcoins.” Appellant’s Br. at 23. G&G also claims that its losses resulted from
computer fraud because the hacker engaged in deception when he refused to
release the computers after G&G paid the first Bitcoin demand and demanded
an additional payment before restoring G&G’s control over its computers.
[17]   Although Continental encourages us to interpret the policy to allow coverage
only for tortious or criminal acts of fraud, it contends that if G&G’s definition is
applied, “even the layperson’s definition of ‘fraud’ . . . requires ‘intentional
perversion of truth’ and/or ‘an act of deceiving or misrepresenting.’” Appellee’s
Br. at 22. Continental agrees that the hacker’s acts were illegal but that he or she
did not commit any act that could be classified as “fraud” when the hacker
demanded ransom in exchange for the passwords that would allow G&G to
regain access to its computer system.2
2
The insurance policy at issue is extensive and contains several different coverage parts. Under the
Agricultural Output Coverage Part, G&G had the option of purchasing coverage for losses resulting from
computer hacking. Continental argues that this case is easily resolved because G&G was offered but declined
to purchase “computer virus and hacking coverage.” Appellee’s Br. at 16. Because the computer virus and
hacking coverage forms were not incorporated into the commercial insurance policy at issue, a computer
virus or computer hacking exclusion was incorporated into the Agricultural Output Coverage.

       The structure of the policy itself leads us to conclude that the computer hacking exclusion applies only to the
policy provisions in Agricultural Output Coverage Part. The terms of the policy providing coverage for
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                                 Page 9 of 11
[18]   As the term is commonly understood and defined, fraud is the “intentional
perversion of truth in order to induce another to part with something of value or
to surrender a legal right.” Fraud, Merriam-Webster Dictionary,
https://www.merriam-webster.com/dictionary/fraud (last visited on March
23, 2020) [https://perma.cc/R3JX-PFGH]. Similarly, the American Heritage
Dictionary defines fraud as “[a] deception practiced in order to induce another
to give up possession of property or surrender a right.” Fraud, American
Heritage Dictionary, https://ahdictionary.com/word/search.html?q=Fraud
(last visited on March 23, 2020) [https://perma.cc/ZU3B-RZVB].
[19]   We also observe that the Court of Appeals for the Ninth Circuit has considered
language similar to the policy in this case and concluded that the phrase
“fraudulently cause a transfer” requires “the unauthorized transfer of funds.”
Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 

(9th Cir. 2016). “Because computers are used in almost every business
transaction, reading this provision to cover all transfers that involve both a
computer and fraud at some point in the transaction would convert this Crime
Policy into a ‘General Fraud’ Policy.”

InComm Holdings, Inc. v. Great
American Ins. Co., 

*10 (N.D. Ga. Mar. 16, 2017) (noting that
computer fraud at issue in this case are provided for in the Commercial Crime Coverage Part. Therefore, the
exclusion for computer hacking does not dispose of the issues in this case as Continental suggests.
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                             Page 10 of 11
“courts repeatedly have denied coverage under similar computer fraud
provisions, except in cases of hacking where a computer is used to cause
another computer to make an unauthorized, direct transfer of property or
money”).
[20]   Here, the hijacker did not use a computer to fraudulently cause G&G to
purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or
engage in deception in order to induce G&G to purchase the Bitcoin. Although
the hijacker’s actions were illegal, there was no deception involved in the
hijacker’s demands for ransom in exchange for restoring G&G’s access to its
computers. For all of these reasons, we conclude that the ransomware attack is
not covered under the policy’s computer fraud provision.3
[21]   We therefore affirm the trial court’s order granting summary judgment to
Continental on G&G’s claim that the insurance policy provides coverage for
the losses it incurred as a result of the ransomware attack.
[22]   Affirmed.
Bradford, C.J., and Altice, J., concur.
3
Because this issue is dispositive, we do not address G&G’s argument that trial court erred when it
concluded that the company’s losses did not result “directly” from the use of a computer.
Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                              Page 11 of 11