Are there risks with blockchain technology?

Insurers using smart-contract policies with blockchain technology should be aware that savvy fraudsters could compromise stored data.

A blockchain is a distributed ledger that records and stores transactions on individual blocks in real-time. (Photo: Shutterstock)

While industry understanding of the potential uses and pitfalls of blockchains continue to evolve, the insurance industry has begun using blockchains to record smart contracts or self-executing insurance policies. Under smart-contract insurance policies, claims handlers may face new legal questions, which traditional principles of insurance law might help to answer.

The blockchain underlying smart contracts

A blockchain is a distributed ledger that simultaneously records and stores transactions on individual blocks. Before a transaction can be added to the blockchain, the ledger’s decentralized data storage points (i.e., nodes) must reach a consensus that the transaction is valid and approve it. Each block, like a fingerprint, obtains a unique identity, which is recorded on that block and the following block, forming a blockchain.

The blockchain is not centrally managed; each node simultaneously stores the data.  The two primary forms of blockchain networks are: (1) a “permissionless” blockchain, which is a public network where anyone who runs the necessary software may use, validate and view the data on the blockchain, and (2) a “permissioned” blockchain, which is a closed system that requires a private key to engage with the network.

Smart-contract insurance policies

While smart contracts pre-date blockchain technology, today, smart contracts commonly are written on a blockchain. Smart contracts are not (yet) “smart” in the sense of using artificial intelligence. Instead, smart contracts are self-executing contracts written as code; they work as an “if-then” transaction.

A computer programmer writes the code that enables the contract to execute upon the satisfaction of specified conditions, which are encrypted and distributed on the blockchain.  Think of a vending machine transaction: payment is inserted, and the snack drops down. Under a smart-contract insurance policy, when an insured enters claim information onto the blockchain that satisfies the conditions for coverage, the claim is paid. A smart contract can be used for the entire agreement or for only certain contract provisions.

Claims under smart-contract insurance policies

While the law may sometimes lag behind emerging technology, substantive principles of insurance law should nonetheless apply regarding smart contract insurance policies. Only a handful of cases nationally have discussed smart contracts, and only concerning cryptocurrency.  However, claims-handling issues under smart-contract insurance policies might include disputes regarding the result of the contract, fair claims practices and claims fraud. The following discussion provides an overview of such issues.

Interpretation of smart-contract insurance policies

A common issue with traditional insurance contracts is whether the written terms are ambiguous. If they are, such ambiguity typically is construed in the insured’s favor. A smart contract, being an if-then transaction, might not be capable of being ambiguous. However, what if there is a dispute regarding the execution of the smart contract, such as where a party disputes whether a claim should have been paid based on the information recorded on the blockchain? Should similar principles regarding ambiguity apply with regard to disputes concerning the outcomes of smart contracts?

Some might argue that, under a smart contract, “the code is the contract,” such that the parties must adhere to the outcome produced by the code to which they had previously agreed.  (Although, if applied literally, such a view would also bind parties to a weakness or loophole in the smart contract code that could produce an unintended result.)

Rather than enforce an unintended result, in order to construe a term against the drafter, a court might focus on the parties’ sophistication and the negotiability of the contract’s terms to determine how to interpret an alleged ambiguity. If the policy’s terms and conditions were non-negotiable, a court might adopt the outcome under the smart contract that favors the insured.

Fair claims handling under smart-contract insurance policies

Many jurisdictions mandate fair claims handling practices that insurers must follow in some circumstances, including the timely payment of covered claims. With the self-executing nature of smart-contract insurance policies, insurers may more easily abide by such rules. For example, blockchain technology can immediately acknowledge receipt of a claim and pay, or disclaim coverage for a claim.

However, an insurer may wish to adopt a review process for claims under smart-contract insurance policies to avoid unintended consequences. Such review processes could take into account the regulatory constraints that states traditionally require for ensuring fair claims practices. For example, if an insurer was to determine, based on the blockchain, that misinformation resulted in the incorrect payment of the claim, a process for assuring timely communication of such issue could track applicable fair-claims standards.

An insurer considering such a review process also might contemplate whether to issue any reservation of rights with respect to claims tendered under a smart-contract insurance policy, which could be recorded directly onto the blockchain. The issue of whether a reservation of rights recorded onto a blockchain provides an insured with sufficient notice has not been tested in case law. However, in such circumstances, existing rules governing the timeliness and content of such reservation of rights arguably apply.

Blockchain technology and smart contracts could provide streamlined platforms for claims management but also may introduce previously unanswered questions. However, traditional principles of insurance law may guide insurers in developing any internal review process of claims under smart contracts even before such legal questions have come under judicial review.

Claims fraud under smart-contract insurance policies

Blockchain technology receives much attention for the security it provides, but fraud and misinformation still may persist. A blockchain merely stores the information safely; it does not make inaccurate data accurate. Someone with access to record information on the blockchain where the smart contract is stored might provide false or inaccurate evidence of loss, resulting in an incorrect payment.

External databanks from which smart contracts receive information (i.e., oracles) also are a potential vulnerability. Oracles supply the blockchain with information that can cause the smart contract to self-execute. Oracles are not within a blockchain network’s consensus validation mechanism and could be targets for hacking and data manipulation.

Smart-contract insurance policies also might be directly hacked using a 51% attack, where the attacker compromises 51% of the nodes needed for a smart contract to execute. With majority control, the attacker can approve fraudulent or incomplete conditions and cause the smart contract to pay a fraudulent claim. While such an attack may be less likely on large, public blockchains because of the vast quantity of nodes, they may be more likely with small, private networks, where an insurance contract would be written and stored.

Finally, ransomware attacks may pose a threat to the extent an attacker could gain access to the blockchain, encrypt payment data, and demand a ransom payment in exchange for the release of such data. Loss from such an attack might include, in addition to ransom payments, a delay in claims processing and long-term denial of access to important data.

As demand grows for smart-contract insurance policies that use blockchain technology, claims-handlers may face new legal questions. However, traditional insurance principles nevertheless are likely to apply. In developing claims-handling procedures for smart contracts, insurers can follow existing laws governing fair claims practices and contract interpretation. Insurers also should be familiar with blockchain and smart-contract technologies, including their susceptibilities to fraud and the improper payment of claims.

Stacey McGraw (Stacey.mcgraw@troutman.com) is a partner in the Washington, D.C. office of Troutman Sanders and works with professional liability insurance carriers building efficient strategies to manage risks and prevent costly litigation. Michael Huggins (Michael.huggins@troutman.com) is an associate in the San Francisco office of Troutman Sanders and advises clients on complex and high-stakes insurance coverage and litigation concerning professional and general liability.

See more: