I just posted an item on my personal blog about a recent decision from the Indiana Court of Appeals. Basically, a company was targeted by a ransomware attack. The company paid up and then filed a claim under its commercial liability policy, which covers “computer fraud.” The insurance company argued that a ransomware attack did not actually meet the legal definition of “fraud.” The courts agreed with the insurance company.
Against my better judgement I agree also. There was no fraud it was a hijacking of data with a fee to release it.
Stinks that is comes to this but I do think the decision is accurate. It reminds me of when my parents house was damaged in a hurricane. The water rose 4ft half way up the wall. In their kitchen the lower cabinets were covered by flood insurance and the upper were covered by homeowners. This was the correct legal decision based on the insurance they possessed. If for. Example the water was 10ft deep all kitchen cabinet would be covered by flood insurance.
The summary is water from the ground is flood water from above is home owners. That is the legal definition. Similar to this case, if it were computer fraud then it would have been covered. So we have to decide if ransomeware is truly fraud.
The definition game, the legal meaning of words is often very subjective. Different courts could and often do render conflicting opinions. Such is life in business.