LifeLock Identity Theft Protection Policy May Cover Theft of Cryptocurrency Assets–Atwal v. LifeLock

This is a lawsuit against LifeLock. In August or September of 2018, Atwal allegedly lost approximately $12 million worth of cryptocurrency because a third party misappropriated his credentials. A few months prior, Atwal had subscribed to a LifeLock “Ultimate Plus” identity theft protection policy. Atwal now seeks coverage from LifeLock for his loss. You can see the policy language from LifeLock’s Ultimate Plus policy here.

On LifeLock’s motion to dismiss, the court issues a mixed ruling for LifeLock, saying it may be on the hook for some of the loss.

Whether plaintiff has an “Account” covered by the policy: The policy defines “Account” as:

a U.S. regulated and domiciled checking, savings, money market, brokerage, or credit card Account of [the customer] held directly or indirectly by a Financial Institution and established primarily for personal, family or household purposes. ‘Account’ also includes a Retirement Account held in [the customer’s] name, or the name of [the customer’s] authorized representative.

The court surveys legal decisions addressing whether cryptocurrency is “regulated” under U.S. law. While courts recognize that generally the whole purpose of this type of currency is to function outside government regulation, “a public sale of cryptocurrency is [a] sale of securities regulated under the Securities Act.” However, plaintiff failed to allege that he purchased the cryptocurrency at issue in a public sale. The court thus finds that the assets lost by the plaintiff were not kept in an “Account”. The court rejects the breach of contract claim for any losses which hinge on the status of the “Account” as one subject to U.S. regulation.

Whether plaintiff suffered a “Stolen Identity Event”: Another provision of the policy defined a “Stolen Identity Event” as any “theft of personal information without [the customer’s] express authorization to establish or use a deposit, credit, or other Account.” “Personal information” is broadly defined to include “personal identification, social security number, or other method of identifying [the customer].” The court says plaintiff has sufficiently alleged he experienced a “Stolen Identity Event” (the loss of his account access credentials) and states a breach of contract claim on this basis.

Breach of the Duty of Good Faith and Unjust Enrichment: The court rejects plaintiff’s claims for breach of the duty of good faith and for unjust enrichment. Under New York law, the breach of duty of good faith requires an allegation distinct from the breach of contract claim. Plaintiff fails to make that allegation here. New York law recognizes unjust enrichment despite the existence of a contract in “unusual” circumstances. This is not the case here.

__

This is a noteworthy ruling, given the prevalence of these types of losses. Besides insurance companies, plaintiffs have also tried their luck suing wireless carriers where SIM swapping is involved.

I found the court’s discussion of the policy provisions somewhat confusing. Policies are famously byzantine in how they describe what is covered and excluded, and this policy was no exception. The policy covers losses arising from (i) a “Stolen Identity Event” or (ii) a “Stolen Funds Loss” (resulting from an “Unauthorized Funds Transfer”). Note: the policy provides for different levels of coverage depending on the event in question. My read of the policy is that it provides coverage up to $1 million if you can show there was a “Fraudulent Withdrawal,” which means a loss of funds as a result of a “Stolen Funds Loss incurred as a direct result of a Stolen Identity Event.” On the other hand, if you merely experience a “Stolen Identity Event,” without an unauthorized withdrawal, the policy covers things like remediation and reimbursement for costs of remediation.

Either way, all of the losses appeared tied to the definition of “Accounts”, and given the court’s conclusion that the account at issue did not fit into the category of an “Account,” I couldn’t quite understand why the court found plaintiff adequately alleged a breach of contract claim.

The policy’s definition of “Stolen Identity Event” also covered a scenario where someone’s identity was stolen and the perpetrator used the identity to “enter into a contract or commit a crime.” The court did not discuss this, but I wondered whether plaintiff could argue that the perpetrator here used the plaintiff’s identity to “enter into a contract” (i.e., in using or further transferring the assets)?

One final point worth noting is that rules governing interpretation of policies vary by state. Some states, such as Washington, have robust protection for insureds. Ambiguities in policies are interpreted in favor of the insured, and insurers owe a duty of good faith when making coverage decisions. I could see a different result under Washington law.

Case citation: Atwal v. NortonLifeLock, Inc., 1:20-cv-00449-WMS (W.D.N.Y. Feb. 3, 2022)