On September 15, 2015, Bitpay, Inc. filed a lawsuit against its insurer, Massachusetts Bay Insurance Company, related to a hack at the company that resulted in an unauthorized transfer of bitcoin valued at more than $1.8 million. In its Complaint filed in Atlanta, Bitpay refers to itself as a “global bitcoin payment processor.” Bitpay’s Complaint and other reports provide the following timeline related to the alleged unauthorized transfer:
- On December 11, 2014, Bitpay’s CFO received an e-mail from a hacker claiming to be David Bailey with yBitcoin, a digital currency publication, asking the CFO to comment on a document.
- Unfortunately, the e-mail to Bitpay’s CFO was sent by an unknown person who had hacked Mr. Bailey’s e-mail account.
- By following instructions provided in the hacker’s fake e-mail from Bailey, Bitpay’s CFO ended up providing his e-mail credentials to the hacker.
- After obtaining the CFO’s e-mail credentials, the hacker gained access to the CFO’s computer and reviewed the CFO’s e-mails to learn how transfers were made within the company.
- Bitcoins were transferred when Bitpay’s CEO received e-mails that appeared to be from the CFO requesting bitcoins from customers’ “digital wallets.” As he had done on many occasions, the CEO made the transfers as requested by the CFO.
- On one transfer, the CEO copied Bitpay’s customer on the e-mail confirming the purchase of bitcoins, and the customer replied by e-mail that they did not purchase the bitcoins.
The Complaint alleges that after investigating the claim, Massachusetts Bay denied Bitpay’s claim for coverage. Bitpay’s lawsuit seeks damages based on a claim for breach of contract and bad faith under Georgia law. Bitpay attached a copy of Massachusetts Bay’s denial letter to its Complaint. The letter states, in part, the following reason for denial of Bitpay’s claim for coverage:
As noted in Insuring Agreement 6 cited above, the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious e-mails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
Furthermore, there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious e-mails. The loss incurred by Bitpay was not a direct loss.
While the insurance policy at issue in the Bitpay litigation was a Commercial Crime Policy and not a cyber insurance policy, this case still serves as an example of the unique insurance claims presented by technology. Just a few years ago there was virtually no market for insurance coverage for bitcoin operations. Further, as this technology progresses, a certain amount of confusion is expected. For example, based on the allegations in Bitpay’s Complaint, some technology commentators have questioned the value of cyber insurance based on Massachusetts Bay’s denial under a Commercial Crime Policy. (See “Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack”). Whether there is coverage under this policy will be determined by the court. However, while this case is worth monitoring, the court’s determination on the Commercial Crime Policy should not necessarily be used to determine the value of cyber insurance.