ContractsProf Blog

Editor: Jeremy Telman
Oklahoma City University
School of Law

Tuesday, January 3, 2023

Insurer Must Cover Ransomware Payments

Ahh, the joys of cryptocurrency!  It makes so many unsavory and illegal transactions possible, and it all comes with that heady soupçon of infantile rebellion, libertarianism, and susceptibility to conspiracy theories.  Let's see what wonders cryptocurrency has brought us today!

On March 29, 2021, Yoshida Foods International (Yoshida) was the victim of a malware attack.  Its entire data system was isolated and encrypted, rendering it inaccessible.  The anonymous hacker offered to sell it a decryption key if it paid in cryptocurrency.  Yoshida employed an IT company to assist it in responding.  The IT company advised Yoshida to pay the ransom.  Yoshida ultimately paid $100,000 for decryption keys.  It did so using the Bitcoin account of its principal, Junki Yoshida.  It also paid just over $7000 to the IT company, and so it sought to recover $107,000 from its insurer, Federal Insurance Company (Federal).

Yoshida's policy with Federal provided "Crime Coverage," including "Computer Fraud Coverage."  Nonetheless, Federal denied the claim, alleging that Yoshida had suffered no permanent loss and that the loss from the ransom payment had not been "direct" as required by the policy.  Mr. Yoshida suffered a loss due to fraud, but he was not covered by the policy, Federal contended.  Yoshida's only loss came when it reimbursed an employee, and Yoshida did not allege that Mr. Yoshida was engaged in computer fraud (obviously).  Federal also denied the payments to the IT company, because those were also not "direct," and as such payments require the insurer's advance written consent.

In deciding whether Federal could deny the claim in Yoshida Foods Int'l v. Fed'l Insurance Co., the Federal District Court for the District of Oregon refreshingly did not behave like a textualist bot and consult dictionaries and common usage.  Rather, the court consulted precedent and context and noted that the phrase "direct" in the context of insurance contracts has been interpreted to mean "characterized by or giving evidence of a close esp. logical, causal, or consequential relationship." There was a California case that seemed helpful to Federal, but that case did not involve ransomware and it was affirmed on other grounds in the Ninth Circuit.  That ruling turned on the specific language of the policy at issue, which was not the language of the policy at issue in the Yoshida case.

Having distinguished that case, the court concluded:

Both the ransom payment made by Mr. Yoshida and the reimbursement of that amount by Plaintiff were proximately caused by the hacker's computer violation directed against Plaintiff's computer system. There was no intervening occurrence between the ransomware attack, the ransom payment, and the reimbursement to Mr. Yoshida, which were all part of an unbroken sequence of events. Plaintiff's reimbursement of the $107,074.20 ransom payment was a foreseeable result of the attack. 

Federal next argued that Yoshida's loss was not the result of a computer fraud but of a voluntary decision to pay the ransom.  That reading of Federal's policy would require coverage only when a hacker was able to infiltrate a company's computer system and syphon off funds directly.  The Ninth Circuit rejected such a narrow reading of such insurance coverages in Pestmaster. Ernst and Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F. 4th 1195, 1199-1200 (9th Cir. 2022).  There, an employee was fraudulently induced to wire $200,000 to a fraudster.  The Ninth Circuit ruled on behalf of the insured, noting that "initiating a wire transfer is not the same as authorizing a payment" because a volitional payment induced by fraud is, by definition, not authorized.  Citing an Indiana case as persuasive authority, the court in Yoshida noted more generally that payments made under duress are not volitional in a way that undermines a fraud claim.

Finally, Federal argued that the policy's Fraudulent Instructions Exclusion applied.  That policy excluded coverage for any transfer of money authorized or approved by an employee.  Federal argued that either Mr. Yoshida was an employee who approved the transfer or that the company's account manager was the employee who authorized the payment to the hacker.  The reasoning here is a bit elusive, but ultimately the court again relies on its reasoning that an approval of payment induced under duress is not "approval," and so the exclusion does not apply.

As to the written consent argument in connection with payments to the third-party IT consulting firm, the court found that language in the insurance contract requiring advance written consent did not apply to these facts.  The district court granted Yoshida summary judgment on its breach of contract claim.

Yoshida also alleged breach of the duty of good faith and fair dealing.  Because Federal's arguments, while ultimately unsuccessful, were not brought in bad faith, the court granted Federal summary judgment on Yoshida's good faith and fair dealing claim.
