How Cyber Cases Can Inform COVID-19 Business Litigation
How Cyber Cases Can Inform COVID-19 Business Litigation
Authored by Christopher Ott for Law360March 30, 2020
Right now, the world wrestles with a colossal viral outbreak. In response to the crisis, hundreds of millions of people are staying home to reduce their personal risks and to flatten the curve for society overall.
From this mass sheltering, businesses face inverted demand curves that appear so steep and transformative that they are facing a similar scenario: close their doors and stay home. However, business cannot isolate without consequences, and the consequences can be devastating.
When a business chooses to close its doors, its obligations remain. A crisis-closed restaurant retains its instant and upcoming obligations to suppliers and employees. Businesses throughout all sectors will face similar challenges as those posed to this hypothetical restaurant: (1) pending and accruing bills from suppliers and contractors; (2) pending and accruing employee costs; (3) pending and future real estate costs; as well as (4) ongoing credit costs.
Because no further income is being generated for the near future, someone from that cost matrix will likely not get paid. For many businesses, these types of catastrophic events have an intuitive fix: This is why we invest in insurance.
However, a different type of virality — large-scale cyberinfections — reveals why this type of business hedge is rife with litigation risk. Sophisticated cyberactors and nation states exploit cybervulnerabilities to steal money, corrupt information and otherwise covertly disrupt business services. In many instances, the risks include the shutdown of entire industries. All of this disruption is, in a word, expensive.
Cyberinsurance could provide one avenue toward the reduction of these costs, just as existing insurance coverage would hopefully cover the current COVID-19 crisis. However, recent history suggests that rather than result in insurance payouts, gigantic cyberinfections lead to equally enormous litigation.
NotPetya and a Digital Attacks by Nation States
Businesses hoping to understand their COVID-19 litigation risks can learn from recent complicated privacy and data litigation. Often, this litigation, as with COVID-19, involves massive disruptions to industries. Indeed, certain malware attacks have halted entire industries and crippled supply chains, which causes problems that should be familiar to all COVID-19-affected businesses.
Insurance policies typically exclude coverage for extraordinary events; including but not limited to invasion, revolution and acts of terrorism. Theoretically, a state-sponsored hack could be considered either an attack, consistent with the much-maligned Gerasimov doctrine, or a criminal act. Given the amount of money involved, it appears inevitable that insurance carriers will invoke the extraordinary event exclusions. Indeed, they already have.
NotPetya was a ransomware attack that, beginning in 2017, caused more than $10 billion in global damages. In February 2018, the U.S. and other Western nations issued coordinated statements publicly attributing the NotPetya malware to the Russian government. Nontraditional warfare targets from many industries throughout the world suffered enormous NotPetya-related losses.
The NotPetya cybervirus victims were diverse and often were not traditional warfare targets. For example, Mondelez International Inc., a global snack company, claimed that it suffered more than $100 million in damages to its computers and disrupted supply chains. Mondelez had purchased cyberinsurance. This foresight appears to have provided little comfort, however.
In Mondelez International Inc. v. Zurich American Insurance Co., the plaintiff asked an Illinois state court to determine whether the hostile or warlike action exception in its Zurich cyberinsurance policy affected its claim for NotPetya-related losses. Apparently, Zurich was reluctant to pay because experts attributed NotPetya to the Russian government. Thus, the very sophistication of the cybercriminal — a nation state hacker — actually counseled against invocation of the insurance coverage.
How Outbreaks of War and Viruses Similarly Reference Principles of Impracticability and Fairness
Regardless of whether it ultimately succeeds, Zurich’s theory, which combines the ancient principles of war clauses with bleeding-edge technology and turbulent international politics, has much to teach us. The COVID-19 crisis provides a similarly potent blend of complex disciplines.
Most contracts contain a force majeure provision or somehow internalize the concept of impracticability. These principles incorporate centuries of business practices and hundreds of cases but all orbit around the concept that some occurrences are so big and so unlikely that it would be unfair to enforce a contract.
Thus, while the war interpretation is unlikely to appear in post-COVID-19 litigation, the core struggle of emergent impracticability remains the same. In either case, in the short term, those disputes will be resolved by pitched litigation.
The litigation will be intense specifically because the stakes will be so high. Outbreaks of war and viruses both involve complete shutdowns of industries. Thus, the costs of these crises are astronomical. They are also notable because they involve responses to very quickly developing crises; indeed the growth curve to both threats can righteously be described as viral.
Also, their core mechanisms are eerily similar: Both involve the unwanted injection of code (either the genetic payload of an infectious agent or the malignant delivery of computer code) into a healthy system (either a living cell or an otherwise functional computer system). It is therefore unsurprising that the two threats bear so many litigation similarities.
Courts Could First Gravitate to the Simplest Interpretation
The problems caused by these events are too expensive and complex to submit to easy fixes. The courts will likely face these issues before contractual, regulatory or legislative fixes can be addressed. The cyberthreat landscape is much broader and deeper than NotPetya, which cost billions of dollars by itself.
When it comes to COVID-19, the losses appear to be in the trillions of dollars. Accordingly, courts will be faced with high-stakes disputes and little in the way of legislative or regulatory guidance. Still, lessons can be learned from the high-stakes cybercases.
Typically, these data security and privacy disputes present courts with misleadingly straightforward questions:
1. Was a state sponsored cyberattack directed by a nation state?
2. Was COVID-19 an unavoidable force majeure event?
These questions superficially appear to present binary choices, which is to say they are simple yes or no propositions. History teaches that this is a trap.
Based upon a surface-level analysis, some case law suggests that cyberwar must be military in character. NotPetya escaped into the cyberwilderness and wreaked massive damages of dubious military value. On the opposite side, but with the opposite outcome, a court may look at NotPetya and determine that the action is definitely an act of war because it constituted an act of aggression by a sovereign state.
Courts interpreting the impracticability of contracts due to COVID-19 shutdowns will also be faced with simple binary choices. All superficial approaches, however, could result in bad outcomes.
The Integrative Path Forward in Interpreting Viral Impracticability in Contracts
In the absence of any specifically negotiated definitions for impracticability, these viral cyberdisputes involve three inquiries: (1) the factual details of the mechanics of the event; (2) the evidentiary reliability of the event’s attribution to governmental actors; and (3) how the details of that attribution affect the impracticability of the contract, if at all.
This nonexclusive list, which was derived from data security and privacy litigation such as that surrounding NotPetya, provides a framework for critically analyzing risk in the the upcoming COVID-19 disputes.
The first question flows from the pragmatic concern that the lines between disaster, war and misfortune are frustratingly (and often intentionally) blurry. In the 2014 Yahoo! Inc. breach, criminal hackers were working at the behest of Russian intelligence to perform intelligence gathering while also generating criminal profits.
Many of the Chinese hacks, such as the steel and aerospace industry hacking campaigns, were undertaken by Chinese military and intelligence officers to fraudulently aid Chinese companies in the western markets. Although digital, these attacks were not purely criminal or warfare.
Similarly, the rollout of COVID-19 shutdowns was not centrally coordinated via the federal government but rather represented the accretion of hundreds of state, local, business and personal crisis decisions. To properly navigate these facts, businesses will need to prepare to marshal the broadest-based authorities possible to paint a complex constellation of events as a straight line.
The second question involves the provenance of the attribution. Courts have struggled to differentiate between consensus attribution, based upon verifiable facts, and mere groupthink. The quality of this attribution necessarily varies in each event and depends upon factors as wide ranging as the quality of the science, political realities and business needs.
Many cases required full-fledged evidentiary hearings. Other cases solely involved judicial notice of significant relevant facts. Any evidentiary option will involved high-level litigation skills to communicate the finer technical details against the backdrop of a broader sociopolitical backdrop.
The third question, impracticability, underlines how the pragmatic question is never as narrow as the nature of warfare or pandemic. Uniform Commercial Code Section 2-615 excuses commercial performance for commercial impracticability where basic assumptions of contract contemplate that an occurrence rendered performance impracticable.
In past cybercases, the courts have had to wrestle with core issues about the expectations of individual contracts. What are the expectations of a restaurant supply contract? Or an employment contract? Or a long-term lease? No matter, the specific contractual context, answering this third question has required a highly fact-intensive inquiry that will build upon the answers to the first two questions.
The correct answer to all three questions involves digging into the details about what happened and why. The best manner in which to persuasively present these facts involves an integrative approach to law and science.
Viral litigation in light of cyber or COVID-19 events requires a broad base of litigation skills. The shape of these presentations, whether cyber or purely COVID-19, will be eerily similar.
To be truly persuasive, companies should prepare to present a deep, holistic set of facts surrounding: the external history of their closure; the internal audit trail of their corporate decision making; technical descriptions of how the complex event unfolded against the backdrop of their decisions; and dynamic, but unadorned, courtroom presentations.
This similarity should prove comforting to businesses; these are threats and issues that have been met and addressed by businesses in the past. Learning the lessons of those past viral threats can help a business stay ahead of the next threats looming on the horizon. If you can prepare, you can internalize the risks and prepare to fight smartly.
 See generally U.C.C. Section 2-615.
 As discussed in this article, “attribution” for COVID-19 does not mean that a government caused the virus itself but rather whether a government caused the associated shutdown. As the shutdown orders unfold in real time from the various state and local authorities as this article is written, it seems that attribution of that type will not prove simple.
This article was originally published in Law360's Expert Analysis section on March 30, 2020. To read the article on Law360's site, please visit: https://www.law360.com/articles/1257624.