Skip to content
Jeremy-Telman
ContractsProf Blog
Official Blog of the AALS Section on Contracts

New Jersey Superior Court Determines that Notpetya Virus Was Not an Act of War

By Jeremy Telman

In June 2017, the Notpetya virus did $10 billion worth of damage to public and private entities around the world according to The Economist (I apologize for the pay-wall).  Pharmaceuticals giant Merck & Co. (Merck) filed a claim for $1.4 billion in losses resulting from its loss of 40,000 computers infected by Notpetya. 

Because all signs indicate that the virus came from Russia and targeted Ukraine, Merck’s insurer tried to argue that the virus was an act of war and denied the claim based on the argument that its “all risks” policies excluded coverage for

Loss or damage caused by hostile or warlike action in time of peace or war. . .  by any government or sovereign power . . . or by any authority maintaining or using military, naval or air forces . . . or by an agent of such government, power, authority or forces.

As a result,  New Jersey Superior Court Judge Thomas J. Walsh had to determine whether this cyberattack amounted to an act of war.  One expects there must have been a run on copies of the Talinn Manual at the local public library.  

In Merck & Co. Inc. vs. Ace American Insurance Co. et al, Judge Walsh ruled that Notpetya was not an act of war for the purposes of the policy.  The court’s approach did not involve the Talinn manual.  Rather, the court surveyed prior opinions and found no case in which a court had treated a cyberattack as an act of war.  It also noted that the provision in the insurer’s policy uses the same language that insurers had been using for decades.  It had never been applied to cyberattacks in the past and so could not be reasonably interpreted to apply to them now.  

Bloomberg Law has coverage here which suggests, as does The Economist, that the victory for insureds might be short-lived.  Cyberattacks are taking their toll on insurers, who may now revamp their policies.  Already, cyber-insurance rates are on the rise.  The New Jersey court did not have to determine whether Notpetya was a cyberattack because it held that the policy at issue did not cover any cyberattacks.  If insurers do try to disclaim liability for cyberattacks, there will be very difficult fact issues relating to attribution.  Merck denied that Russia was the only possible culprit or, in the alternative, argued that virus might have been created by independent hackers unrelated to the Russian government.  There could also be issues of transferred intent.  In ordinary warfare, when one targets Ukraine, one rarely hits New Jersey, but that apparently is what happened here.  Is such attenuated damage still an act of war?

Cyber-insurance is a rapidly evolving field.  According to The Economist, Lloyd’s Market Association has drafted four model clauses for excluding war coverage from cyber-insurance policies.  But cyber warfare is probably just one small part of the threats that entities now face from computer viruses.  Insurers are going to try to push the costs of such risks onto the insureds, and the latter are well advised to have their own system of self-defense to intercept potential cyberattacks.

H/t Michael Gibson, who shared his hard copy of The Economist with me.

Posted in:
Current Affairs, In the News, Recent Cases and Web/Tech