Judge Says Insurer Must Cover More Than $100K in Ransomware Payment

158
SHARE

This is the case of Yoshida Foods International LLC v. Federal Insurance Co., in the U.S. District Court for the District of Oregon.

Enter Email to View Articles

Loading...

Yoshida is a teriyaki sauce and soda company known for its line of Asian marinades and cooking sauces, which suffered a ransomware attack in 2021.

Yoshida Foods International LLC purchased insurance from Federal Insurance Co. that included computer fraud coverage under the crime coverage part of its policy.

In March 2021, an unknown hacker gained illegal access to Yoshida’s computer system and used malware to encrypt data in its storage devices, rendering the system unusable. 

The anonymous hacker demanded a ransom payment in cryptocurrency in exchange for each decrypting program.

President of Yoshida Foods, Junki Yoshida, used his personal cryptocurrency funds to pay the ransomware of $107,074.20 for the four decryption keys needed, for which the company reimbursed him.

The company then submitted a claim to Federal, but coverage was denied. The insurer’s position was that the company did not sustain a “direct loss” from computer fraud, with its only loss occurring when it reimbursed the company president, who was not personally insured under the policy.

In October 2021 Yoshida filed suit accusing its insurer of bad faith and seeking coverage for its losses. After a litigious court battle, the court ruled in favor of Yoshida finding that the company will be able to seek insurance compensation for money its founder paid from his personal cryptocurrency funds to acquire decryption keys from the anonymous hacker in order to restore his company’s data.

This week, U.S. District Judge Marco A. Hernandez found that the ransomware payment made by Junki Yoshida from his own personal BitCoin funds was an expense that was the result of a direct loss to his company, caused by the hacker, and should be covered by Federal Insurance Co.

Judge Hernandez rebuffed the insurer’s argument that since Junki Yoshida paid the hackers personally and was technically an employee, a contractual exemption for employee-approved transfers applied.

Judge Hernandez wrote in his ruling that “Under the defendant’s reading, if someone held a gun to an employee’s head demanding payment, and the employee made the payment, the act of paying would have been ‘approved’ by the employee…The court does not agree,”

“Thus, that the payment to the hacker came from Mr. Yoshida’s personal funds does not preclude a finding that the plaintiff suffered a direct loss.”

The Court found that the policy covered the plaintiff’s ransomware payment and IT expenses. However, the court did not find the defendant’s contrary interpretation of its policy language was in bad faith.