Technical Overview of Blockchain Technology and Bitcoin
Blockchain refers to a data structure created by “chaining” blocks of data together. After a first block is created (the “genesis block”), each new block contains a cryptographic reference to the preceding data block in the blockchain. Another, often touted feature of blockchain technology is that once a block of data is added, it cannot be easily deleted or modified without detection because of the computational power required.
Blockchain structures usually rely for storage on a system of decentralized computers known as nodes, each of which will contain a copy of the blockchain. Data are added to the Bitcoin blockchain by “miners” who operate computers that solve difficult mathematical problems.
In short, and at its simplest, blockchain can be thought of as an “append-only” distributed database,[3] with no central server and no ability to easily change or modify a record once added.[4] Blockchain’s decentralized organizational structure stands in contrast to a conventional system used by networked computers that rely on a “client-server” structure.[5]
Bitcoin is the most widely known use of blockchain technology. Bitcoin was first described in a technical whitepaper published in 2008 by a person (or possibly persons) writing under the pseudonym “Satoshi Nakamoto.” The whitepaper describes Bitcoin as a “purely peer-to-peer version of electronic cash [that] would allow online payments to be sent directly from one party to another without going through a financial institution.”[6] A variety of courts and regulators have grappled with the nature of Bitcoin; to date, there is no consensus about either its precise legal status or nature.[7] How Bitcoin is characterized for legal purposes may depend on how it is being used. Why this lack of clarity may matter for insurance purposes is discussed in greater detail below.
How Does a Bitcoin Transaction Work?
Oversimplifying a bit, a Bitcoin transaction involves three cryptographic hashes (a long and unique series of letters and numbers): the sender’s public address, the sender’s private key, and the recipient’s public address. Any person who knows the private key can transfer the sender’s Bitcoin. If the private key is lost, the Bitcoin cannot be transferred. If the private key is stolen, transfers cannot be stopped. There is no “help desk.”[8]
Because control over Bitcoin depends on knowledge of and access to private keys, one of the biggest (and most publicized) risks associated with it and other cryptocurrencies has been cryptocurrency exchange thefts. According to the Wall Street Journal, “[s]ince 2011, there have been 56 cyberattacks directed at cryptocurrency exchanges, initial coin offerings and other digital-currency platforms around the world, according to an analysis by Autonomous Research, a London-based financial-services research firm, bringing the total of hacking-related losses to $1.63 billion.”[9]
But theft is not the only risk factor. Loss by any means is a problem. An owner of Bitcoin might print and store a copy of private keys in a desk drawer at home or in the office. If a fire, flood, or other peril destroys the home or office and the keys with it, the owner not only loses the ability to transfer the Bitcoin but also, as a practical matter, loses the Bitcoin.
The risk of cryptocurrency loss is compounded to a degree by the open-source nature of the software that the assets rely on for creation and transfer, where code is publicly available and bad actors can observe and take advantage of vulnerabilities. Take “the DAO hack,” in which a decentralized investment fund was created on the Ethereum blockchain in 2016. It raised more than $150 million in cryptocurrency, but soon after its launch, an error in the DAO code allowed a user to move nearly a third of those funds to private control. Because the code (the digital signature, to be precise) was public but “immutable,” it was impossible to stop the hack while it was happening and while remaining true to the concept of immutability.[10]
For insurance purposes, a potentially important nuance to consider is the location and method by which the owner holds private keys. One method is using a software “wallet,” which secures the keys in electronic form and allows the owner to transfer them to another person directly from the wallet. Another way to store keys is to leave them in the custody of a cryptocurrency exchange.[11]
Insuring Bitcoin Losses
Coverage for theft or loss under homeowners policies. In the absence of case law directly on point, we are forced to begin with a hypothetical. Let us assume an insured loses private keys, through the destruction of either a device on which the keys were stored or a piece of paper on which they were written, and seeks coverage under a version of the standard fire policy.
An exemplar form from one of the large property casualty companies contains the following coverage grant for “personal property”:
“Personal property owned or used by an insured person anywhere in the world. When personal property is located at a residence other than the residence premises, coverage is limited to 10% of Coverage C—Personal Property Protection.[12]
The policy also contains a sublimit for “[m]oney, bullion, bank notes, coins and other numismatic property.” The question becomes whether Bitcoin is “money” for purposes of applying the sublimit. While there are no cases applying this language to Bitcoin or other cryptocurrencies, there is precedent applying it to other types of assets.
McKee v. State Farm Fire & Casualty Co. involved the theft of two bags of silver coins for which the plaintiff had paid $3,830 apiece in 1965. “At the time of the burglary, the plaintiff claimed the value of the coins was $11,512.20.”[13] The insurance company argued that a $100 sublimit for “money, bullion, numismatic property and bank notes” applied. The plaintiff argued that the coins were not money because money is a “‘medium of exchange,’ something in circulation as a part of the currency . . . [and] since his pre-1965 silver minted coins were an investment on his part, withdrawn from circulation, they were not ‘money’ in the sense intended by the insurer.”[14] The court rejected the plaintiff’s argument:
Plaintiff’s silver coins are most reasonably regarded as “money,” and whether kept from circulation by plaintiff or not, retain their monetary character. Limiting the reasonable meaning of “money” to only that which is actually circulating as part of the currency is not reasonable. Another dictionary definition of “money,” Webster’s New Dictionary of the English Language (1975), describes it as “coin, gold, silver, or other metal, stamped by public authority and used as the medium of exchange.” We deem it reasonable to view silver coins such as those possessed by plaintiff as money to which the liability limitation would be applicable.[15]
Other courts have found similar language ambiguous, however, and refused to apply the sublimit. Michaels v. State Farm Fire & Casualty is an example.[16] There, the plaintiffs sought coverage under the personal property part of their homeowners policy for a stolen coin collection. The trial court awarded compensatory damages and interest but denied bad-faith damages. The policy at issue contained a $200 limit for “money, bank notes, coins and medals.” The plaintiffs argued that a coin collection is “numismatic property” and does not fall within the scope of those listed items.
In the absence of applicable Pennsylvania precedent, the court reviewed precedent from other states. A Missouri case cited by the insurance company “found that rare coins kept by an insured as collectors items were insured as ‘money’ at face value and not as ‘other property’ at market value.”[17] But that case was distinguishable because the policy at issue was “designed to cover loss of money incidental to [the insured’s] business. . . .”[18] Other cases reviewed by the court focused on money as a medium of exchange rather than a commodity, a distinction that led the court to find full coverage for the insured.[19]
The coin collection cases seem to turn on whether the court agrees that the term “money” is sufficiently unambiguous to encompass coins purchased as collectible items rather than for use in trade. It seems likely that coverage for lost Bitcoin and other cryptocurrencies will similarly turn on a court’s view of the clarity of such language.
If a court were to look outside the policy to determine whether Bitcoin falls within the rubric of “money,” there are a variety of places a court might look for guidance. Bitcoin is described as a form of “electronic cash” in the original 2008 Bitcoin whitepaper.[20] Federal agencies in the United States have taken a variety of positions. FinCEN, a Treasury agency tasked with enforcing the Bank Secrecy Act (BSA), has distinguished between currency and virtual currency as follows:
FinCEN’s regulations define currency (also referred to as “real” currency) as “the coin and paper money of the United States or of any other country that [i] is designated as legal tender and that [ii] circulates and [iii] is customarily used and accepted as a medium of exchange in the country of issuance.” In contrast to real currency, “virtual” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction. This guidance addresses “convertible” virtual currency. This type of virtual currency either has an equivalent value in real currency, or acts as a substitute for real currency.[21]
Under FinCEN’s analysis of the BSA and applicable regulations, “[a]ccepting and transmitting anything of value that substitutes for currency makes a person a money transmitter under the regulations implementing the BSA.”[22]
Other federal agencies have characterized Bitcoin differently. The Commodities Futures Trading Commission (CFTC) has taken the position that Bitcoin and other cryptocurrencies should be treated as “commodities” under the Commodities Exchange Act.[23] According to Internal Revenue Service guidance, “[f]or federal tax purposes, virtual currency is treated as property. . . . Under currently applicable law, virtual currency is not treated as currency that could generate foreign currency gain or loss for U.S. federal tax purposes.”[24]
Given the lack of precedent and varying regulatory guidance on the nature of Bitcoin and other virtual currencies, it is difficult to predict how individual courts will rule in particular cases in which a money sublimit (or exclusion) is in place. To the extent that “money” is ambiguous as applied to virtual currency, the ambiguity would, in most cases, be construed against the drafter and in favor of coverage. Given the existence of Bitcoin-specific exclusions and endorsements in crime policies (discussed below), one could argue that insurance companies that want to exclude Bitcoin risk have the ability to do so, and failure to specifically exclude the peril is a factor that weighs in favor of concluding that Bitcoin is not “money” for purposes of applying a money sublimit (or exclusion).
Coverage for Bitcoin loss or theft under crime policies. At least one exchange loss resulted in an insurance coverage dispute arising under a commercial crime policy. Bitpay, Inc. v. Massachusetts Bay Insurance Co. involved a social-engineering exploit.[25] The plaintiff alleged that its chief executive officer (CEO) received an email that ultimately compromised the chief financial officer’s (CFO’s) computer: “The phony email sent by the person who hacked Mr. Bailey’s computer directed [the CFO] to a website controlled by the hacker wherein [the CFO] provided the credentials for his Bitpay corporate email account.”[26]
While Bitpay appears to have resulted in a settlement, documents contained in the publicly available case file provide some context for the arguments made by the policyholder for, and the insurance company against, coverage. Bitpay was insured under a commercial crime policy issued by the Hanover Insurance Group. Coverage was provided on Insurance Services Office (ISO) forms, including the CR 00 22 05 06 Commercial Crime (Discovery) form. At issue was the scope of available coverage under the computer fraud coverage part, which provides that the insurer
will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.[27]
The policy also included a manuscript “Bitcoin Definition and Valuation Endorsement,” which redefined “Money” as “or other funds; Bitcoins; or books of account and other records, recorded in writing or in other form.”[28]
The insurance company denied coverage under the computer fraud coverage part. The denial letter offered three reasons: (1) the policy did “not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured”; (2) the transfer requests themselves were approved by Bitpay’s CEO, and thus not a “direct loss”; and (3) the “[B]itcoin transactions involved a transfer of property from inside the premises to outside the premises.”[29]
In response, Bitpay’s lawyers argued that (1) the word “‘directly’ modifies the type of loss therefore requiring a ‘direct loss’” and that Bitpay had suffered a direct financial loss as opposed to excluded consequential losses involving lost income; (2) under relevant precedent, computer fraud “exists whether the hacker actually makes the transfer or the hacker causes the transfer. . . .”; (3) the premises requirement does not apply because “[u]nlike traditional money, [B]itcoin does not exist in physical form in any location or premises, and it cannot be transferred from or to any physical location. . . . Accordingly, any agreement to insure [B]itcoin that purportedly requires [B]itcoin to be on Bitpay’s premises is illusory, and MBIC’s interpretation is meritless and evidences bad faith.”[30]
Bitpay’s policy was a 2006 version of the ISO Commercial Crime Policy (Discovery Form), the CR 00 22 05 06. The form was silent on coverage for virtual currencies, which is probably why Bitcoin was specifically addressed in a manuscript endorsement. In 2015, ISO amended the Commercial Crime Form to include a specific exclusion for “virtual currencies” applicable to “Loss involving virtual currency of any kind, by whatever name known, whether actual or fictitious including, but not limited to, digital currency, crypto currency or any other type of electronic currency.” When a version of the 2015 form is used, coverage can be added back for scheduled virtual currencies by using ISO endorsements issued at the same time.[31]
Conclusion
Courts and regulators continue to grapple with the nature of Bitcoin. As the technology matures, it is likely that insurance policies will adapt to address the risk. For now, coverage lawyers and clients are faced with blue waters and some uncertainty. Whether the technology is disruptive, however, coverage will still be determined by traditional rules of policy interpretation, using tools in all coverage attorneys’ tool kits.
Stephen D. Palley is a partner in the Washington, D.C., office of Anderson Kill, LLP.
[1] Stephen D. Palley is a partner in the Washington, D.C., office of Anderson Kill, LLP. Mr. Palley is a member of the firm’s Insurance Recovery practice and cochair for the firm’s Blockchain and Virtual Currency group. Any opinions set forth in this article are Mr. Palley’s alone and not endorsed by the firm or any past, present, or future clients.
[2] For a nuanced perspective on the future of blockchain technology, see Marci Ianitisi & Karim R. Lakhani, “The Truth about Blockchain,” Harv. Bus. Rev., Jan./Feb. 2017. For how blockchain might save the whales, see Pete Rizzo, “Researchers Plan ‘Unstoppable’ DAO to Help Whales Save Themselves,” CoinDesk, May 20, 2016.
[3] Depending on the blockchain protocol used, the technology can be used to store static data—raw information—and can also be used to store executable code that will be triggered after a certain amount of time passes or an external event occurs. This executable code is sometimes referred to, not quite accurately, as “smart contract” code.
[4] The inability to change information or code once added to blockchain is sometimes referred to as “immutability.” On the one hand, there are powerful advantages to a distributed, programmable database to which all participants have equal access and which no one can unilaterally change after the fact. On the other hand, a database that cannot be edited and software that cannot be turned off present unique and, in some cases, potentially troubling risks. A discussion of those risks is beyond the scope of this article.
[5] Oversimplifying, in a client-server structure, individual users read and write data to centralized servers controlled by administrators who have privileged access and control over the data. See, e.g., Business Dictionary, “Client-Server Architecture” (“A client computer provides the user interaction-facility (interface) and some or all application processing, while the []server computer might provide high-volume storage capacity, heavy data crunching, and/or high resolution graphics. Typically, several client computers are connected through a network (or networks) to a server which could be a large PC, minicomputer, or a mainframe computer. Every computer connected to a website acts as a client while the website’s computer acts as a server.”).
[6] Satoshi Nakamato, Bitcoin: A Peer-to-Peer Electronic Cash System 1.
[7] See, e.g., Commodity Futures Trading Comm’n v. McDonnell, 287 F. Supp. 3d 213, 218 (E.D.N.Y. 2018) (describing cryptocurrencies like Bitcoin as “virtual currency” or “‘digital assets used as a medium of exchange.’ They are stored electronically in ‘digital wallets,’ and exchanged over the internet through a direct peer-to-peer system. They are often described as ‘cryptocurrencies’ because they use ‘cryptographic protocols to secure transactions . . . recorded on publicly available decentralized ledgers,’ called ‘blockchains.’”) (citations omitted). A number of other reported opinions discuss the nature of Bitcoin, which may be relevant to whether its loss is covered under a particular insurance policy. See, e.g., United States v. Ulbricht, 858 F.3d 71, 83 n.3 (2d Cir. 2017) (“Bitcoin is also a completely decentralized currency, operating free of nation states or central banks; anyone who downloads the Bitcoin software becomes part of the Bitcoin network.”); Sec. & Exch. Comm’n v. PlexCorps, No. 17-civ-7007 (CBA) (RML), slip op. at 2 (E.D.N.Y. June 19, 2018) (“. . . Bitcoin and Ethereum are digital assets representing financial value.”); Rensel v. Centra Tech, Inc., No. 1:17-cv-24500-JLK (S.D. Fla. June 19, 2018), ECF No. 77, at 2 n.1, 2018 U.S. Dist. LEXIS 100720, at *3 n.1 (report and recommendations) (“Bitcoin is the original cryptocurrency and was developed as a ‘peer-to-peer electronic cash system,’ and allows online payments to be sent directly to a party without the involvement of any financial institution or other third party.”) (citation omitted); Sec. & Exch. Comm’n v. Shavers, No. 4:13-CV-416, 2014 U.S. Dist. LEXIS 194382, at *20 (E.D. Tex. Aug. 26, 2014) (finding Bitcoin has “a measure of value [that] can be used as a form of payment” for purposes of satisfying the “investment of money” prong of the Howey test used to determine if something is an investment under the Securities Act of 1933).
[8] One of the key distinguishing features of a blockchain platform is whether it is public or private. In a public blockchain, anyone can operate a node or act as miner. All of the data included in the Bitcoin blockchain are visible to the world. For more on the distinction between public and private blockchains, see Praveen Jayachandran, “The Difference Between Public and Private Blockchain,” Blockchain Unleashed: IBM Blockchain Blog (May 31, 2017).
[9] Steven Russolillo & Eun-Young Jeong, “Cryptocurrency Exchanges Are Getting Hacked Because It’s Easy,” Wall St. J., July 16, 2018.
[10] See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Exchange Act Release No. 81207 (July 25, 2017).
[11] Three of the more widely known such exchanges in the United States are Coinbase, Gemini, and Kraken. Using an exchange to store keys places most of the onus for security on the exchanges. The websites for Coinbase and Gemini state publicly that they maintain commercial crime coverage. See Coinbase; see also Gemini—The Next Generation Digital Asset Platform. According to Kraken’s chief executive officer and cofounder, Kraken maintains no insurance coverage and relies on its “balance sheet” to cover losses in the event of an exchange hack. Jesse Powell (@jespow), Twitter (Aug. 14, 2016, 6:10 PM).
[12] Allstate Insurance Co. Standard Homeowners Policy, Coverage C, ¶ 1, at 6. See also HO-5 (01-00) (“$200 [sublimit] on money, bank notes, bullion, gold other than goldware, silver other than silverware, platinum other than platinumware, coins, medals, script, stored value cards and smart cards.”). In contrast, one of the standard Insurance Services Office commercial property forms (CP 00 10 10 12) contains an exclusion applicable to “[a]ccounts, bills [and] currency” at Exclusion 2(a). While similar arguments about whether or not “Bitcoin” is “currency” would likely be raised, presumably an insurer would argue that the “Electronic data” exclusion (2(n)) would apply as well.
[13] McKee v. State Farm Fire & Cas. Co., 193 Cal. Rptr. 745, 746 (Cal. Ct. App. 1983); see also O’Dell v. Cal. Capital Ins., No. A138500, 2014 Cal. App. Unpub. LEXIS 7000, at *23 (Cal. Ct. App. Oct. 1, 2014) (holding that antique firearms are firearms for purposes of applying firearms sublimit regardless of whether they are used as such and citing McKee for proposition that use to which insured puts property does not matter).
[14] McKee, 193 Cal. Rptr. at 747.
[15] McKee, 193 Cal. Rptr. at 747.
[16] Michaels v. State Farm Fire & Cas., 33 Phila. Co. Rptr. 59 (Phila. C.P. Civ. Div. 1997).
[17] Michaels, 33 Phila. Co. Rptr. at 70 (citing Cornblath v. Fireman’s Fund Ins. Co., 392 S.W.2d 648, 651 (Mo. Ct. App. 1965)).
[18] Michaels, 33 Phila. Co. Rptr. at 70.
[19] Michaels, 33 Phila. Co. Rptr. at 70 (citing De Biase v. Commercial Union Ins. Co. of N.Y., 278 N.Y.S.2d 145, 148–49 (Civ. Ct. 1967)). See also Cotlar v. Gulf Ins. Co., 318 So. 2d 923, 926 (La. Ct. App. 1975) (finding doubloon collection did not fall within sublimit for “money, bullion, numismatic property and bank notes”); Crunk v. State Farm Fire & Cas. Co., 719 P.2d 1338, 1341 (Wash. 1986) (cashier’s check was functional equivalent of cash and thus fell within $100 sublimit; reversing intermediate appellate court); Wilhite v. State Farm Fire & Cas. Co., 297 N.W.2d 517 (Wis. Ct. App. 1980) (“It is this court’s opinion that a check which is issued as a part of a current transaction, and which both parties contemplate will be presented for collection through banks in due course, is not ‘numismatic’ property under the above definitions. It has no inherent artistic or historical value. It is not given or retained for purposes of scientific, cultural or esthetic study. It is rather a commonly accepted form of payment in lieu of cash.”).
[20] Satoshi Nakamato, Bitcoin: A Peer-to-Peer Electronic Cash System 1; Bitcoin.org (“Bitcoin is an innovative payment network and a new kind of money.”).
[21] U.S. Dep’t of Treasury Financial Crimes Enforcement Network, No. FIN-2013-G001, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies 1 (Mar. 18, 2013) (footnotes omitted).
[22] U.S. Dep’t of Treasury Financial Crimes Enforcement Network, No. FIN-2013-G001, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies 3 (Mar. 18, 2013).
[23] In re Coinflip, Inc., d/b/a Derivabit & Francisco Riordan, CFTC No. 15-29, slip op. at 3 (Sept. 17, 2015).
[24] I.R.S. Notice 2014-21.
[25] Complaint ¶¶ 12–17, Bitpay, Inc. v. Mass. Bay Ins. Co., No. 1:15-cv-03238-SCJ (N.D. Ga. filed Sept. 15, 2015), ECF No. 1.
[26] Complaint ¶ 14, Bitpay, Inc., No.1:15-cv-03238-SCJ, ECF No. 1.
[27] Policy, Exhibit A to Answer to Complaint, Bitpay, Inc., No.1:15-cv-03238-SCJ, ECF No. 7-1, at 5.
[28] Policy, Exhibit A to Answer to Complaint, Bitpay, Inc., No.1:15-cv-03238-SCJ, ECF No. 7-1, at 24.
[29] June 8, 2015, Letter from Hanover to Bitpay, Exhibit B to Complaint, Bitpay, Inc., No.1:15-cv-03238-SCJ, ECF No. 1-1, at 35–36.
[30] June 15, 2015, Letter from Morris Manning to Hanover, Exhibit C to Complaint, Bitpay, Inc. No.1:15-cv-03238-SCJ, ECF 1-1, at 39–40.
[31] E.g., CR 25 44 11 15 (Include Virtual Currency as Money) (for use with commercial crime policies); CR 25 46 11 15 (Include Virtual Currency as Money) (for use with employee theft and forgery and government employee theft and forgery policies).