NotPetya Cyber Attack: Was it Warlike or Hostile? One Judge Says No!
Let’s start by saying: I’m no expert on the definition of “war,” "warlike" or "hostile" activities. Yes, I was in the U.S. Army during the second Gulf War, did some awesome stuff, learned some cool tricks while in the Military Intelligence Corps, and served 4 years with honor. But a scholar on war, I am not.
As an example of how difficult it is to define war: While in law school, I dedicated an entire semester to writing a law review article on the definition of war. By the end of it, I was more confused than when I started. Similar to Justice Potter Stewart's famous opinion on the definition of hardcore pornography -- I can't define it, but I know it when I see it.
Now that I’ve stated my caveats, provisos, disclaimers, etc., we can look at the New Jersey Superior Court’s recent decision in the legal battle between Merck and its insurance carriers related to Merck’s $1.4 billion (with a "B") loss resulting from the NotPetya malware attack in 2017.
If It Walks Like a Duck . . .
Just as a recap, on June 27, 2017, Merck’s computer systems were infected by malware known as NotPetya. According to Merck, NotPetya affected computers in countries around the world. Merck claims that the damage spread to 40,000 computers and the resulting losses total more than $1.4 billion. Merck had purchased $1.75 billion in property insurance to protect against this type of loss. The “all risks” insurance policies provide coverage for loss or damage resulting from destruction or corruption of computer data and software.
The insurance carriers denied coverage for several reasons, one of which is that the policy contains a “Hostile/Warlike” exclusion. The insurance carriers argued that NotPetya was an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine. Most people agree that NotPetya was a Russian attack, but was not intended to harm private corporations on a global scale.
The language of the exclusion in the insurance policy states:
The parties asked the judge to decide whether or not this exclusion was triggered by the NotPetya event. Merck argued that its reasonable understanding of this exclusion involved the use of armed forces, and all of the case law on the war exclusion supported that interpretation. Of course, NotPetya was not a traditional, armed forces attack.
The judge noted that no court had applied a war (or hostile acts) exclusion to anything remotely close to cyber-attacks. The judge also noted that the evidence suggested that the language used in these policies has been virtually the same for many years. Even though the insurance companies must have been aware of cyber threats, the insurance companies did nothing to change the language of the exclusion to reasonably put Merck on notice that it intended to exclude cyber-attacks. Hence, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare. The judge stated: “Given the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable case law, the court unhesitatingly finds that the exclusion does not apply.”
Now, let’s be clear, this is the decision of one judge in New Jersey dealing with a very novel area of the law. This decision is still subject to appeal. Other jurisdictions may disagree and find that the exclusion is applicable to cyber-attacks. But, for now, we have one well-reasoned legal opinion finding that, in the insurance context, NotPetya was NOT warlike or hostile action.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP