Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance – Data Protecti…
A few weeks ago, we blogged about the decision of the English High court in AA v. Persons Unknown & Ors.
Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance. This is set out below.
For some time, cyber exposure has been at or near the top of every major company’s risk register. And with good reason: IT infrastructure is fundamental to business in the digital age, there is a high frequency of major cyber-attacks, large organisations invariably hold large quantities of personal data in electronic form, and substantial fines and civil claims are increasingly commonplace for data breaches.
To protect against this exposure and mitigate the impact of adverse cyber incidents, insurance companies have developed cyber cover – a modular insurance product covering a range of losses such as liability for damages, legal and PR costs, and ransom payments. From a litigation perspective, this means that there may be insurance available to meet defence costs and awards of damages following GLO claims (as in Various Claimants v. WM Morrison Supermarkets plc) or representative actions (as in Lloyd v. Google LLC). Similarly, a cyber insurer may step in to pay a ransom in return for a decryption key, where a victim’s system is compromised by ransomware or similar malware. However, whether they are standing behind insureds (in a defence situation) or meeting ransom payments (in an extortion situation) insurers are important players in the growing prevalence of cyber litigation.
Until recently, there had not been an example of a cyber insurer actively participating in a recovery action. Although CMOC v. Persons Unknown provided a very clear demonstration of the steps which a cyber-attack victim may take in order to recover stolen assets, in that case there was no insurer involvement (as far as can be seen from the judgment). However, following AA v. Persons Unknown & Ors, there is now an equivalent example of a cyber insurer making new law and extending the limits of English civil procedure to achieve a similarly positive result. This case has received considerable attention in legal circles because it confirms – for the first time – that cryptocurrencies constitute property under English law. However, the involvement of the victim’s insurers has received less attention.
The AA case: Malware, ransom demands and a Bitcoin exchange
In autumn 2019, a hacker infiltrated the systems of a Canadian insurance company which was itself insured against cyber-crime losses. Although the judgment does not give details of the insurance policy, it can be inferred that cover was provided (in the normal way) for ransom payments arising from cyber extortion. Having accessed the victim’s system, the hacker installed encryption malware. Following negotiations, the hacker subsequently agreed to provide a decryption key in return for a ransom payment of $950,000 (to be paid in Bitcoin; 109.25 at the applicable exchange rate). The Bitcoin were duly transferred, the decryption key was provided and the victim’s systems were restored.
While this could have been the end of the story, the insurer evidently had other ideas. Using a specialist investigator, the insurer was able to trace 96 of the transferred Bitcoin to an account held with a cryptocurrency exchange, Bitfinex. It was understood that Bitfinex held certain details relating to the account holder’s identity in order to comply with its KYC obligations. The insurer therefore applied to the Court for a proprietary injunction against the account holder and Bitfinex which also required Bitfinex to identify the account holder.
The Court’s decision
As a proprietary injunction can only be granted in respect of property, it was first necessary to decide whether Bitcoin qualified as such. This presented a difficulty that, under the traditional (19th century) approach only two types of personal property were recognised: “choses in possession” (i.e. rights to tangible things) and “choses in action” (i.e. rights enforceable by legal action, such as the right to receive payment of a debt). However, cryptocurrencies such as Bitcoin did not obviously fit into either category, being both intangible and consensus-based. The Judge (Bryan J) decided that although cryptoassets do not fit neatly into the established dichotomy, nevertheless they bear the key features of intangible property – being definable, identifiable and capable of assumption by third parties, and having a degree of permanence. On that basis, it followed that Bitcoin were a form of property that could be the subject of a proprietary injunction.
Other interesting features
Importantly, the case also demonstrated the ability of the Courts to respond to challenges quickly and effectively where the circumstances require it. On this occasion, there was a high risk that the remaining Bitcoin would be dissipated immediately, if the application was not heard and granted, privately and quickly. It was also a concern that both the victim and the insurer could be the target of further cyber-attacks if the application was made public.
In the AA case, the insurer was only able to mount a recovery action because the Bitcoin could be traced to an account with Bitfinex. Had the Bitcoin been dissipated or exchanged for fiat currency, such an action would not have been possible. However, the fact that a cyber insurer has been willing to go to such lengths to recover a ransom payment is an important development. As with other classes of insurance, it sends a clear message that cyber insurers will invest in recovery actions – where appropriate – to realise the value of their subrogation rights. This case also raises the question as to when insurers will authorise a ransom payment. In general terms, the answer is that the insurance policy should contain a framework for the making of such payments, sometimes involving input from external negotiators. Finally, just as the CMOC case created new law by permitting an injunction against “persons unknown” and endorsing service by social media, so the AA case moves the dial a bit further by allowing crypto-assets to be the subject of a proprietary injunction. As these cases show, the Courts are adapting and developing the existing procedural framework to meet the challenges of the digital age. Further cases of this nature will no doubt follow, and in all likelihood some of them will be at the prompting of cyber insurers.