NotPetya was a malware attack that began to impact businesses around the world in June of 2017. As it turns out, the US and UK governments have publicly blamed Russia for NotPetya. Many commentators believe NotPetya was a politically-motivated attack against Ukraine, since it occurred on the eve of the Ukrainian’s Constitution Day. “The release of NotPetya was an act of cyberwar by almost any definition—one that was likely more explosive than even its creators intended.” Suffice it to say, while NotPetya may no longer be an immediate threat, the damages caused by this event will create a number of unique questions for the courts.
This malware was reported to have impacted nearly 1,700 of the servers and 24,000 laptops belonging to Mondelez International, Inc. (“Mondelez”), Mondelez is a multinational snack company producing brands that include Nabisco, Oreo and Cadbury Dairy Milk to name a few. Mondelez estimated its costs related to the attack to be more than $100 million. Mondelez sought insurance coverage from its insurance carrier, Zurich American Insurance Company (“Zurich”), for damages caused by NotPetya. When Zurich did not immediately agree to pay Mondelez’s damages, Mondelez sued Zurich in the Circuit Court for Cook County in Illinois. In the case entitled Mondelez Inter., Inc. v. Zurich American Ins. Co., 2018 L 11008 (2018), Mondelez filed its Complaint alleging Zurich wrongly denied coverage based on an exclusion for “hostile or warlike activities.” Consistent with the news reports, Mondelez alleges that NotPetya attacked its network and caused a variety of damages to hardware, software and other losses. By June 1, 2018, Zurich informed Mondelez that it was denying coverage under a war exclusion that barred coverage for “hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”
Based on its allegations, Mondelez seeks recovery under claims for breach of contract (refusal to pay claim and refusal to withdraw denial), promissory estoppel and a violation of Section 155 of the Illinois Insurance Code. Mondelez seeks an award of at least $100,000,000. It is important to note that Zurich has not responded to these allegations yet and we will need to continue to monitor this litigation.
The central question in this litigation is expected to be whether Zurich correctly denied coverage under the hostile or warlike action exclusion. War and similar events have been excluded from insurance coverage for decades. However, we are now seeing questions as to whether damages caused by NotPetya and similar malware should be excluded from insurance coverage in the same manner as damage from war. Unfortunately, there is scant authority on the phrase “hostile or warlike action” as used in this exclusion. And, there is no authority on how this exclusion applies in the context of cyber incidents.
- The Case Law Offers A Historical Perspective On This Exclusion
Courts have addressed this exclusion at a number of pivotal points throughout history. For example, in New York Life Ins. Co. v. Bennion, 158 F. 2d 260 (10th Cir. 1946), the Tenth Circuit Court of Appeals upheld a war exclusion for a claim arising out of the bombing at Pearl Harbor under the following reasoning:
No one denies the grim reality that the attack beginning December 7, 1941, at about 7:30 a.m. Honolulu time, marked the commencement of an armed conflict between two sovereign nations which ended only when the Japanese surrendered nearly four years later. Furthermore, it seems to be agreed that the existence or non-existence of a state of war is a political question, to be determined by the political department of our Government. The basic difference lies in the contention on the one hand that a formal declaration by the Congress, which alone has the constitutional power to declare and make war, is an essential prerequisite to judicial cognizance of its existence; and the contention on the other hand that the existence of a war is not dependent upon its formal declaration, but rather is determinable from an appraisal of actualities; that the formal declaration by Congress on the day after the attack was merely a formal recognition of that which was already actually in existence.
Ultimately, the Bennion court concluded that “the existence or non-existence of a state of war is a political question, to be determined by the political department of our Government.” In upholding the exclusion, the Bennion court found this question was driven by the following analysis: “the actual existence of a state of war and the political determination of its commencement with the attack on December 7th is immaterial to this lawsuit if the word war, as used in the contract, was intended by the parties to mean a state of war which commenced only with a formal declaration by Congress on December 8th.” Consequently, the reasoning in Bennion may allow the hostile and warlike exclusion to apply to malware regardless of whether a formal declaration of war has been made by Congress.
A more recent event provided another opportunity to analyze the potential impact of hostile and warlike exclusion. In TRT/FTC Communications, Inc. v. Ins. Co. of State of Pennsylvania, 847 F. Supp (D. Del. 1993), (judgment aff’d, 9 F. 3d 1541 (3d Cir. 1993)) related to the 1989 conflict between the United States and Panama. In TRT/FTC, the plaintiff, TRT/FTC Communications, Inc. (“TRT”) was engaged in the international telecommunications business and operated a business in Panama City, Panama where it sold personal computers, fax machines and telephone systems. The insurer issued a policy that was in effect in the Republic of Panama in December 1989. When civil unrest broke out in Panama City on December 21, 1989, eight people broke into TRT’s sales facility with AK-47s and stole merchandise from TRT’s showroom. The insurer denied coverage for this loss based on the war exclusion found in the policy issued to TRT. The Court agreed with the insurer when it found the insured “proved by a preponderance of the evidence that the loss incurred by TRT in Panama City, Panama, on December 21, 1989, was a peril specifically excluded by the provisions of the above referenced War Exclusion Clause…” That is, the Court found “the sole cause of the TRT loss was the war hostilities occurring in Panama City on December 21, 1989.” Further, the Court opined that the exclusion would apply regardless of “whether the men were part of the Panamanian forces or a band of looters” since their actions “were enabled by the military hostilities occurring between Panama and the United States.”
Here, there is no doubt that the Mondelez Court will be in uncharted territory when it comes to determining whether the hostile or warlike action exclusion bars coverage for a cyber attack that may be linked to Russia. The precedent on this issue, while it may not address cyber attacks directly, provides guidance suggesting that a formal declaration of war is not necessary for the exclusion to apply. Further, there is support to apply this exclusion even if a “band of looters” is found to be behind NotPetya rather than a formal government action. Regardless of how the Mondelez Court decides this unique issue, there should be no question that it will continue to be an interesting question worth watching as more courts are called upon to address whether this exclusion applies to cyber attacks.