Direct Means Proximate? Oregon District Court Holds Ransomware Payment Is a Direct Loss
AuthorsMichael Keeley , Anne Juntunen , J. Caralisa Connell
In yet another troubling decision to the crime insurance industry, on Dec. 6, a federal district court, applying Oregon law, found coverage for a ransomware payment under a Computer Fraud insuring agreement. Yoshida Foods Int’l, LLC v. Fed. Ins. Co., No. 3:21-cv-01455-HZ, 2022 WL 17480070 (D. Or. Dec. 6, 2022). In doing so, the court added a new and problematic precedent to Ninth Circuit causation case law. It also cast doubt over whether payments made under duress, such as ransomware payments, are “authorized.”
On March 29, 2021, a hacker encrypted Yoshida Foods’ computer system and demanded a ransom for the encryption keys. When the insured’s IT consultant was unable to pay the ransom, the insured’s President used his own personal cryptocurrency to make the payment, which was valued at $107,074.20. Thereafter, on April 5, 2021, Yoshida recovered its data and had access to its computer system fully restored. On May 27, 2022, over a year after the ransomware attack, the insured approved a reimbursement to its President for the cryptocurrency ransom payment. On June 8, 2022, the insured’s Vice President then instructed an account manager to transfer the $107,074.20 reimbursement from Yoshida Foods’ account to Yoshida Management, LLC. Then, finally, on June 10, 2022, over 14 months after the ransomware attack, Yoshida Management, LLC actually reimbursed the President for the ransom payment.
Yoshida Foods sought coverage for the reimbursement under the Computer Fraud Coverage Insuring Clause of Federal’s policy. Federal denied coverage on the basis that the ransom payment was not a direct loss, there was no permanent loss of money, securities, or property directly resulting from a Computer Violation, and the ransom payment was excluded under the Fraudulent Instructions Exclusion. Yoshida filed suit seeking coverage under the policy, and the parties filed cross-motions for summary judgment on the coverage issues. Federal also sought summary judgment on the insured’s bad faith claims.
The United States District Court for the District of Oregon found in favor of the insured on coverage. The court first addressed the issue of causation. The Computer Fraud Coverage Insuring Clause required a “direct loss of Money . . . sustained by an Insured resulting from Computer Fraud committed by a Third Party.” Federal asserted that the insured suffered no loss because it did not make the ransom payment, rather the insured’s President did with his personal funds. Moreover, the insured’s only loss occurred when it reimbursed the President – over a year after the ransomware attack, and any such loss was an indirect or consequential loss rather than a direct loss from the computer violation.
The court examined definitions of “direct” as discussed by numerous courts and ultimately determined that “Oregon courts have held that ‘direct loss’ describes ‘a proximate, rather than remote, relationship’ between the act covered under the policy and the resulting loss or damage.” Using this definition, the court held that “[b]oth the ransom payment made by [the President] and the reimbursement of that amount by [the insured] were proximately caused by the hacker’s computer violation.” The court went on to conclude that Yoshida’s loss was a direct result of the ransomware attack because what happened in between was “an unbroken sequence of events,” with Yoshida’s reimbursement to the President being “a foreseeable result of the attack” that occurred over fourteen months earlier. Notably, the court stated, “[t]he passage of time did not break the causal chain because there was always an understanding that the ransom payment was a liability to [the insured], not to [the President] personally.”
In reaching its decision, the court distinguished the case from Taylor & Lieberman v. Federal Insurance Co., No. CV 14-3608 RSWL, 2015 WL 3824130 (C.D. Cal. June 18, 2015), aff’d, 681 F. App’x 627 (9th Cir. 2017). In Taylor, the insured was duped into sending its clients’ funds to a fraudster and later reimbursed its clients. The Ninth Circuit affirmed the California district court’s opinion finding that an insured did not sustain a direct loss. However, the Ninth Circuit affirmed Taylor on the grounds that computer fraud coverage was not implicated because there was no unauthorized entry into the plaintiff’s computer system. The Ninth Circuit did not discuss the district court’s rationale on direct loss. The Yoshida court distinguished Taylor by explaining that, unlike Taylor, Yoshida’s case involved ransomware and a hacker actually entering the insured’s computer system and installing malware. While the two cases involved different underlying frauds, the court chose to ignore the district court’s rationale in Taylor and the factual similarities between the cases, including the fact that both involved payments made by an insured to reimburse another party.
The court also rejected Federal’s argument that the ransom payment was not a direct loss because the insured “made a conscious decision to pay a cyber-criminal.” In doing so, the court distinguished Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America, No. CV 13-5039-JFW (MRWx), 2014 WL 3844627, aff’d in part, vacated in part, 65 F. App’x 332 (9th Cir. 2016), again ignoring the direct loss analysis and focused on the fact that the Pestmaster fraud “was not due to a ‘computer violation’” and did not involve a ransomware attack.
The district court also cited the recent case of Ernst & Haas Management Co., Inc. v. Hiscox, Inc., 23 F. 4th 1195 (9th Cir. 2022) noting the court’s statements in Ernst that “initiating a wire transfer is not the same as authorizing a payment” and “[t]hat reasoning – that this fraud became ‘authorized’ precisely when it succeeded – cannot be the correct reading of the contract” to determine that the insured making a “volitional payment” does not make the loss indirect. While the Yoshida court used phrases like “directly related” and “direct loss” in its comparison to Ernst, the court failed to include any of Ernst’s causation discussion. Moreover, the court overlooked the numerous steps between the ransom demand and the President’s payment (and the even more numerous steps between the ransom demand and the insured’s reimbursement of the Principal), deciding that these steps, including the insured’s “volitional payment,” did not destroy the causal chain.
Going a step further, the court found that the hacker’s demand to be paid in cryptocurrency rather than traditional funds had “forced” Yoshida to turn to its President to lend the cryptocurrency for payment, making the President’s use of his own funds a foreseeable and non-intervening act. In reaching this conclusion the court was persuaded by the Indiana Supreme Court’s decision in G&G Oil Co. of Indiana v. Continental Western Insurance Co., 165 N.E.3d 82 (Ind. 2021), holding that a ransomware payment was “nearly the immediate result” of the use of a computer. The court explained:
“The hacker required payment in cryptocurrency, which Plaintiff made volitionally but under duress. Had Plaintiff not made the payment, its entire computer system would have remained nonfunctional, resulting in even greater loss. Thus, Plaintiff’s coerced decision to make the ransom payment cannot be considered voluntary.”
Notably, Yoshida’s loss was more attenuated than the insured’s loss in G&G Oil. Whereas the insured in G&G Oil used its own funds to pay the hackers, Yoshida’s funds were not depleted until it reimbursed the President over a year later. The court did not address any factual distinctions between the two cases, but simply stated: “[The insured]’s reimbursement to [the Principal] for the ransom payment was not so remote that it broke the causal chain resulting in a direct loss from computer fraud.”
The court also held that the Fraudulent Instructions Exclusion did not apply. That exclusion precluded coverage for “loss resulting from any transfer, payment or delivery of Money, Securities, or Property approved by an Employee,” whether the payment was made “in good faith or as a result of trick, artifice, fraud or false pretenses.” Federal argued that the ransom payment was approved by an employee because (1) the insured’s accounting manager formally authorized the reimbursement; and (2) the principal was acting as an employee when he authorized payment to the hacker. First, the court stated that the exclusion’s purpose is “to prohibit reimbursement when an employee erroneously responds to a fishing email or complies with an email that provides fraudulent instructions to transfer funds.” The court then determined that the exclusion did not apply to the accounting manager’s actions because the accounting manager did not erroneously authorize the reimbursement payment, but simply processed a payment authorized by the insured’s sole member.
The court continued to find the exclusion also did not apply to the Principal’s actions. Even though the President had authorized the ransom payment, he was not an Employee of Yoshida because the definition of employee encompassed executives only while they were performing acts within the scope of the usual duties of an employee, and paying a ransom is an “extraordinary situation” outside the scope of a usual employee’s duties. Thus, the President acted as an executive, not a regular employee. The court went even further to hold that the ransom payment could not have been “approved” because it was made under duress, and thus could not implicate the Fraudulent Instructions Exclusion. The court compared the situation to someone who pays money with a gun is held to his head and noted that the ransom payment was “coerced” because the insured needed to regain access to its computer system. Thus, in neither of these cases would the payment truly be “approved,” as is required under the Fraudulent Instructions Exclusion.
Despite its questionable analysis on the coverage issues, the court did favorably find for Federal on the bad faith claims. The court determined that while the insured provided a more persuasive interpretation of the policy, there was no evidence that Federal acted dishonestly, with reckless disregard, or without any reasonable basis for denying the claim. As part of its explanation, the court noted that the Computer Fraud Coverage Insuring Clause did not include the words “ransomware” or “encryption” and was not specifically tailored to a ransomware attack. Thus, whether the policy provided coverage for the insured’s loss was subject to “interpretation and disagreement.”
The analysis in Yoshida reflects the court’s view that ransom payments should be treated differently from other types of knowingly-made payments. As shown in its gun-to-the-head analogy, the court considered Yoshida’s ransom payment not only foreseeable but inevitable, like a payment one would make if threatened with death. Of course, this analogy is unrealistic: plenty of businesses choose not to pay ransoms for a variety of reasons.
While the court’s decision is concerning, insurers should take note that the case was decided under a proximate cause standard and is therefore distinguishable in direct-means-direct jurisdictions.
The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.