G&G Oil Co. of Indiana v. Continental Western Insurance ( 2020 )


Menu:
  •                                                                                FILED
    Mar 31 2020, 8:10 am
    CLERK
    Indiana Supreme Court
    Court of Appeals
    and Tax Court
    ATTORNEYS FOR APPELLANT                                    ATTORNEYS FOR APPELLEE
    George M. Plews                                            Patrick P. Devine
    Christopher J. Braun                                       Jennifer Kalas
    John M. Ketcham                                            Hinshaw & Culbertson LLP
    Josh S. Tatum                                              Schererville, Indiana
    Plews Shadley Racher & Braun LLP                           Adam P. Joffe
    Indianapolis, Indiana                                      Traub, Lieberman, Straus &
    Shrewsberry, LLP
    Chicago, Illinois
    IN THE
    COURT OF APPEALS OF INDIANA
    G&G Oil Co. of Indiana,                                    March 31, 2020
    Appellant-Plaintiff,                                       Court of Appeals Case No.
    19A-PL-1498
    v.                                                 Appeal from the Marion Superior
    Court
    Continental Western Insurance                              The Honorable Kurt M. Eisgruber,
    Company,                                                   Judge
    Appellee-Defendant.                                        Trial Court Cause No.
    49D06-1807-PL-28267
    Mathias, Judge.
    [1]   The Marion Superior Court granted summary judgment to Continental
    Western Insurance Company (“Continental”) after concluding that the
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                           Page 1 of 11
    commercial insurance policy held by G&G Oil Co. of Indiana (“G&G”) did
    not include coverage for losses suffered as the result of a ransomware attack.
    G&G appeals and argues that the policy terms unambiguously provide
    coverage for losses resulting directly from the use of a computer to fraudulently
    cause a transfer of G&G’s funds.
    [2]   We affirm.
    Facts and Procedural History
    [3]   Continental issued a multi-peril commercial common policy to G&G for the
    policy period of June 1, 2017 to June 1, 2018. The policy has several coverage
    parts, including an “Agricultural Output Coverage Part,” “Commercial General
    Liability Coverage Part,” and “Commercial Crime and Fidelity Coverage
    Part.” Appellant’s App. Vol. 2 pp. 16–18.
    [4]   The Commercial Crime Coverage Part includes the following provisions
    relevant to this appeal:
    Coverage is provided under the following Insuring Agreements
    for which a Limit of Insurance is shown in the Declarations and
    applies to loss that you sustain resulting directly from an
    “occurrence” taking place during the Policy Period shown in the
    Declarations . . .
    ***
    6. Computer Fraud
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020        Page 2 of 11
    We will pay for loss of or damages to “money”,
    “securities” and “other property” resulting directly from
    the use of any computer to fraudulently cause a transfer of
    that property from inside the “premises” or “banking
    premises”:
    a. To a person (other than a “messenger”) outside those
    “premises”; or
    b. To a place outside those “premises”.
    Appellant’s App. Vol. 3, pp. 66–67.
    [5]   On November 17, 2017, G&G employees discovered that the company was the
    victim of a ransomware attack. Employees were unable to access the company’s
    servers and most of its workstations. The workstations were useless without
    access to the servers. A hijacker had gained access to G&G’s computer
    network, encrypted its servers and most workstations, and password protected
    its drives. The hacker demanded a ransom, and in exchange for payment,
    agreed to send G&G the passwords and restore its control over its computer
    servers.
    [6]   The hijacker demanded payment in bitcoin. G&G made the payment
    demanded, but the hijacker refused to restore G&G’s control over its computer
    servers and demanded additional bitcoin. Ultimately, G&G paid $34,477.50 for
    the four bitcoins it sent to the hijacker. After receiving the fourth bitcoin, the
    hacker gave G&G the passwords enabling it to decrypt its computers and regain
    access to its servers.
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020          Page 3 of 11
    [7]   On November 29, 2017, G&G submitted a claim to Continental requesting
    coverage for the ransomware attack and ensuing losses under the computer
    fraud provision included in the Commercial Crime Coverage Part of its
    insurance policy. Continental denied G&G’s claim on January 9, 2018, in part
    because G&G had not purchased the optional “Computer Virus and Hacking
    Coverage” offered under the Agricultural Output Coverage Part. Continental
    also concluded that G&G’s losses did not result directly from the use of a
    computer to fraudulently cause a transfer of G&G’s funds.
    [8]   On July 17, 2018, G&G filed a complaint in Marion Superior Court seeking a
    judgment requiring Continental to indemnify G&G for the losses incurred as a
    result of the ransomware attack. Both parties filed motions for summary
    judgment, and the trial court heard argument on the motions on March 27,
    2019. Continental argued that it was not required to indemnify G&G’s losses
    because they were not the result of computer fraud. Continental asserted that
    the ransomware attack was akin to an act of theft rather than fraud. And
    Continental noted the exclusion in the insurance policy for losses resulting from
    a computer virus or hacking. G&G argued for a more expansive interpretation
    of the term “fraud” and claimed that the hijacker’s use of computers caused its
    losses, thus entitling G&G to coverage under the terms of its insurance policy.
    [9]   On May 30, 2019, the trial court issued its order denying G&G’s motion for
    summary judgment and granting Continental’s cross-motion for summary
    judgment. The trial court concluded:
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020      Page 4 of 11
    Pursuant to the terms of the Policy, G&G Oil’s loss must be
    “fraudulently caused.” Here, the hacker inserted himself into
    G&G Oil’s system. That may have involved some sort of
    deception, but no more than the burglar inserts himself into a
    house by picking a lock or climbing through a window or the
    auto thief who steals a car by accessing a FOB or a key through
    surreptitious means. G&G Oil may prefer to brand all three as
    fraudsters, but with good reason, the law labels one a burglar, the
    other a car thief and the third a hacker. Unlike the fraudster, a
    hacker, like the burglar or car thief is forthright in his scheme.
    The hacker deprived G&G Oil of use of its computer system and
    extracted bitcoin from the Plaintiff as ransom. While devious,
    tortious and criminal, fraudulent it was not.
    Appellant’s App. Vol. 2, p. 10. The trial court also concluded that G&G’s losses
    did not directly result from the use of a computer but from a “voluntary
    payment to accomplish a necessary result.”
    Id. G&G Oil
    now appeals.
    Standard of Review
    [10]   When our court reviews a summary judgment order, we stand in the shoes of
    the trial court. See Matter of Supervised Estate of Kent, 
    99 N.E.3d 634
    , 637 (Ind.
    2018) (citation omitted). Summary judgment is appropriate “if the designated
    evidentiary matter shows that there is no genuine issue as to any material fact
    and that the moving party is entitled to a judgment as a matter of law.” Ind.
    Trial Rule 56(C). The fact that the parties have filed cross-motions for summary
    judgment does not alter our standard for review, as we consider each motion
    separately to determine whether the moving party is entitled to judgment as a
    matter of law. Reed v. Reid, 
    980 N.E.2d 277
    , 285 (Ind. 2012). The interpretation
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020          Page 5 of 11
    of an insurance policy presents a question of law which is appropriate for
    summary judgment. Am. Family Ins. Co. v. Globe Am. Cas. Co., 
    774 N.E.2d 932
    ,
    935 (Ind. Ct. App. 2002), trans. denied.
    Discussion and Decision
    [11]   The parties agree that the facts of this case are undisputed. The sole issue
    presented in this appeal is whether Continental is required to indemnify G&G
    for the losses it suffered as a result of the ransomware attack.
    [12]   We review an insurance policy using the same rules of interpretation applied to
    other contracts; that is, if the language is clear and unambiguous we will apply
    the plain and ordinary meaning. Adkins v. Vigilant Ins. Co., 
    927 N.E.2d 385
    , 389
    (Ind. Ct. App. 2010), trans. denied. An insurance policy is ambiguous if a
    provision is susceptible to more than one interpretation and reasonable persons
    would differ as to its meaning.
    Id. An ambiguity
    does not exist merely because
    the parties favor different interpretations.
    Id. If the
    policy contains ambiguous
    provisions, they are construed in favor of the insured. United Farm Family Mut.
    Ins. Co. v. Matheny, 
    114 N.E.3d 880
    , 885 (Ind. Ct. App. 2018), trans. denied.
    “This strict construal against the insurer is driven by the fact that the insurer
    drafts the policy and foists its terms upon the customer. The insurance
    companies write the policies; we buy their forms or we do not buy insurance.”
    Id. (quoting Meridian
    Mut. Ins. Co. v. Auto-Owners Ins. Co., 
    698 N.E.3d 770
    , 773
    (Ind. 1998)).
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020         Page 6 of 11
    [13]   An insurance contract that is unambiguous must be enforced according to its
    terms, “even those terms that limit an insurer’s liability.” Sheehan Constr. Co. v.
    Cont’l Cas. Co., 
    935 N.E.2d 160
    , 169 (Ind. 2010). The power to interpret
    insurance contracts “does not extend to changing their terms, and we will not
    give insurance policies an unreasonable construction to provide added
    coverage.” 
    Adkins, 927 N.E.2d at 389
    . In other words, we may not extend
    coverage beyond that provided by the unambiguous language of the contract.
    Sheehan Constr. 
    Co., 935 N.E.2d at 169
    . “[I]nsurers have the right to limit their
    coverage of risks and, therefore, their liability by imposing exceptions,
    conditions, and exclusions.”
    Id. [14] Under
    its Commercial Crime Coverage Part form, the commercial insurance
    policy at issue in this case provides:1
    Computer Fraud
    We will pay for loss of or damages to “money”, “securities” and
    “other property” resulting directly from the use of any computer
    to fraudulently cause a transfer of that property from inside the
    “premises” or “banking premises”:
    a. To a person (other than a “messenger”) outside those
    “premises”; or
    1
    This coverage form begins with the following statement: “Various provisions in this policy restrict coverage.
    Read the entire policy carefully to determine rights, duties and what is or is not covered.” Appellant’s App.
    Vol. 3, p. 66.
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                               Page 7 of 11
    b. To a place outside those “premises”.
    Appellant’s App. Vol. 3, pp. 67. G&G argues that the trial court erred when it
    concluded that its losses did not result from computer fraud.
    [15]   G&G argues that the terms “fraud” and “fraudulently” were not defined in the
    policy, and therefore, they must be given their plain and ordinary meanings.
    G&G observes that while “fraudulently” can mean a “knowing
    misrepresentation or concealment of a material fact,” it is also defined as
    “unconscionable dealing.” Appellant’s Br. at 22 (citing Black’s Law Dictionary
    at 802 (11th ed. 2019)). G&G also directs our attention to a broad definition of
    fraud in bankruptcy appeal from the United States Court of Appeals for the
    Seventh Circuit:
    No learned inquiry into the history of fraud is necessary to
    establish that it is not limited to misrepresentations and
    misleading omissions. “Fraud is a generic term, which embraces
    all the multifarious means which human ingenuity can devise
    and which are resorted to by one individual to gain an advantage
    over another by false suggestions or by the suppression of truth.
    No definite and invariable rule can be laid down as a general
    proposition defining fraud, and it includes all surprise, trick,
    cunning, dissembling, and any unfair way by which another is
    cheated.”
    McClellan v. Cantrell, 
    217 F.3d 890
    , 893 (7th Cir. 2000) (quoting Stapleton v. Holt,
    
    207 Okla. 443
    , 
    250 P.2d 451
    , 453–54 (Okla. 1952)).
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020         Page 8 of 11
    [16]   G&G argues that the hacker’s ransomware attack was deceptive and
    unconscionable. And the hacker gained control of G&G’s computers by
    “misrepresenting his authority to enter and control those machines. He also
    cheated G&G Oil when he said he would return all of the machines for three
    Bitcoins.” Appellant’s Br. at 23. G&G also claims that its losses resulted from
    computer fraud because the hacker engaged in deception when he refused to
    release the computers after G&G paid the first Bitcoin demand and demanded
    an additional payment before restoring G&G’s control over its computers.
    [17]   Although Continental encourages us to interpret the policy to allow coverage
    only for tortious or criminal acts of fraud, it contends that if G&G’s definition is
    applied, “even the layperson’s definition of ‘fraud’ . . . requires ‘intentional
    perversion of truth’ and/or ‘an act of deceiving or misrepresenting.’” Appellee’s
    Br. at 22. Continental agrees that the hacker’s acts were illegal but that he or she
    did not commit any act that could be classified as “fraud” when the hacker
    demanded ransom in exchange for the passwords that would allow G&G to
    regain access to its computer system.2
    2
    The insurance policy at issue is extensive and contains several different coverage parts. Under the
    Agricultural Output Coverage Part, G&G had the option of purchasing coverage for losses resulting from
    computer hacking. Continental argues that this case is easily resolved because G&G was offered but declined
    to purchase “computer virus and hacking coverage.” Appellee’s Br. at 16. Because the computer virus and
    hacking coverage forms were not incorporated into the commercial insurance policy at issue, a computer
    virus or computer hacking exclusion was incorporated into the Agricultural Output Coverage.
    Id. at 16–17.
           The structure of the policy itself leads us to conclude that the computer hacking exclusion applies only to the
    policy provisions in Agricultural Output Coverage Part. The terms of the policy providing coverage for
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                                 Page 9 of 11
    [18]   As the term is commonly understood and defined, fraud is the “intentional
    perversion of truth in order to induce another to part with something of value or
    to surrender a legal right.” Fraud, Merriam-Webster Dictionary,
    https://www.merriam-webster.com/dictionary/fraud (last visited on March
    23, 2020) [https://perma.cc/R3JX-PFGH]. Similarly, the American Heritage
    Dictionary defines fraud as “[a] deception practiced in order to induce another
    to give up possession of property or surrender a right.” Fraud, American
    Heritage Dictionary, https://ahdictionary.com/word/search.html?q=Fraud
    (last visited on March 23, 2020) [https://perma.cc/ZU3B-RZVB].
    [19]   We also observe that the Court of Appeals for the Ninth Circuit has considered
    language similar to the policy in this case and concluded that the phrase
    “fraudulently cause a transfer” requires “the unauthorized transfer of funds.”
    Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 
    656 Fed. Appx. 332
    (9th Cir. 2016). “Because computers are used in almost every business
    transaction, reading this provision to cover all transfers that involve both a
    computer and fraud at some point in the transaction would convert this Crime
    Policy into a ‘General Fraud’ Policy.”
    Id. See also,
    InComm Holdings, Inc. v. Great
    American Ins. Co., 
    2017 WL 1021749
    *10 (N.D. Ga. Mar. 16, 2017) (noting that
    computer fraud at issue in this case are provided for in the Commercial Crime Coverage Part. Therefore, the
    exclusion for computer hacking does not dispose of the issues in this case as Continental suggests.
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                             Page 10 of 11
    “courts repeatedly have denied coverage under similar computer fraud
    provisions, except in cases of hacking where a computer is used to cause
    another computer to make an unauthorized, direct transfer of property or
    money”).
    [20]   Here, the hijacker did not use a computer to fraudulently cause G&G to
    purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or
    engage in deception in order to induce G&G to purchase the Bitcoin. Although
    the hijacker’s actions were illegal, there was no deception involved in the
    hijacker’s demands for ransom in exchange for restoring G&G’s access to its
    computers. For all of these reasons, we conclude that the ransomware attack is
    not covered under the policy’s computer fraud provision.3
    [21]   We therefore affirm the trial court’s order granting summary judgment to
    Continental on G&G’s claim that the insurance policy provides coverage for
    the losses it incurred as a result of the ransomware attack.
    [22]   Affirmed.
    Bradford, C.J., and Altice, J., concur.
    3
    Because this issue is dispositive, we do not address G&G’s argument that trial court erred when it
    concluded that the company’s losses did not result “directly” from the use of a computer.
    Court of Appeals of Indiana | Opinion 19A-PL-1498 | March 31, 2020                              Page 11 of 11