In the recent case of AA v Persons Unknown[1], the Commercial Court considered whether cryptoassets could be considered “property” for the purpose of obtaining a proprietary injunction to prevent the dissipation of Bitcoins that had been transferred as ransom following a cyber-attack.
AA, an insurer which requested to remain anonymous, had paid out 109.25 Bitcoins (an equivalent of $950,000 USD) to unidentified persons who had installed ransomware onto the entirety of its policyholder’s computer systems. The ransom was paid in exchange for decryption software so that its policyholder’s systems and resulting business operations could be restored.
Following payment of the Bitcoins, AA employed a specialist investigations company to track the transfer, and established that 96 Bitcoins had been sent to an address linked to the exchange operated by Bitfinex. The remaining Bitcoins had been transferred into fiat (government-issued) currency so were no longer traceable.
Bitfinex is the trading name of the third and fourth Defendant companies (the first and second Defendants being unidentified persons who: (i) demanded the ransom; and (ii) controlled the Bitcoin following transfer). Amongst other relief (including an application to serve out of jurisdiction a claim in restitution and/or constructive trustee against the Defendants), AA applied to court for an interim proprietary injunction to prevent the dissipation of the Bitcoins.
The question before the Court in relation to the interim proprietary injunction was whether Bitcoins could be considered property at all. Traditionally, the law has only recognised two types of property: choses in possession (something capable of being possessed) and choses in action (something which embodies a right capable of being enforced by action).
In determining whether cryptoassets were capable of being property, the Court considered the UK Jurisdiction Taskforce November 2019 Legal Statement on Cryptoassets and Smart Contracts, which addressed the proprietary status of cryptocurrency in detail. Notwithstanding the fact that cryptocurrencies do not fit neatly in either category of property, the Court considered it misleading to proceed on the basis that English law recognises only those two forms of property. Cryptoassets were found to meet the four criteria set out in the definition of property in National Provincial Bank v Ainsworth[2] as being:
As such, the Court determined that cryptoassets, and specifically Bitcoin, were property.
In support of its decision, the Court referred to two English authorities where cryptocurrencies were also treated as property: Vorotyntseva v Money-4 Limited t/a Nebus.com[3], in which a worldwide freezing order was granted in respect of Bitcoin and Ethereum, and Liam David Robertson v Persons Unknown[4], in which an asset preservation order was granted over cryptocurrencies.
Whilst this judgment provides clarity as to the definition of cryptoassets, it should be noted that this is a decision specifically in the context of proprietary injunctions, and may not necessarily have wider application should the same point arise in other areas of law.
From an insurance perspective, it is possible to imagine a scenario in which a cryptoasset-inclusive definition of property could assist policyholders (who hold or trade in such assets) in arguing that traditional policies which do not specifically include or exclude cyber cover (i.e. “silent cyber” policies, which we consider in our article here) extend to loss of cryptocurrency. For example, if a Crime policy which covers theft of “property” is now deemed to include theft of Bitcoin (which can only be stolen as a result of a “cyber” event), then in the absence of express language as to cover for cyber events, there is a good argument that such events should be covered.
In the context of cyber policies, policyholders with appropriate cover should take comfort from the apparent willingness highlighted in this case of some insurers to take swift action to pay out ransom where insurers have deemed that the cost to the policyholder of being unable to operate as a business is likely to outweigh the ransom payment. The decision to pay the ransom in this case was, however, ultimately made and actioned by the insurer, and policyholders should not attempt to make ransom, remedial or settlement payments without first trying to seek insurers' consent to proceed.