As cyber risks continue to evolve, resulting insurance claims continue to implicate a variety of types of policies. Although many claims are addressed without lawsuits being filed, some are not. And while not all coverage actions result in a substantive litigation decision, some do. As those decisions accumulate, they are worth examining as this very active area of risk management grows.
One of the most talked-about types of cybercrime remains “business email compromises.” These measures are designed to hoodwink people into sending or releasing funds to someone other than the intended recipient. Cases continue to be litigated over whether policies with computer fraud, funds transfer fraud, crime or other coverages respond to such losses of funds. Recent decisions show the importance of specific policy language and the particular facts of the schemes or scams.
In Taylor and Lieberman v. Federal Ins. Co., the federal 9th Circuit Court of Appeals affirmed summary judgment in favor of the insurer on March 9, 2017. The policyholder, an accounting firm, was hit by a fraudster who took control of the email account of one of the firm’s clients. The perpetrator used the client’s account to send seemingly legitimate wire payment instructions and backup documentation to the policyholder. After twice arranging for wire transfers in response to such communications, an employee of the policyholder contacted the client for confirmation before accommodating a third request. The plan was exposed, additional funds were not sent to the false account, and some of the earlier-sent money was recovered. The accounting firm sought coverage for the balance under a portfolio policy with forgery, computer fraud, and funds transfer fraud coverage sections.
In granting summary judgment for the insurer, the Taylor and Lieberman trial court noted that a “direct loss” is required for coverage but was absent in this case. The court remarked that a “direct loss” might have been something like the draining of funds from an escrow account maintained by the policyholder and hacked into by the perpetrator. Instead, said the court, this loss resulted from “a series of far more remote circumstances….”
The appellate court affirmed on other grounds. It held that the forgery section did not apply because no financial instruments were involved. The computer fraud section was not triggered because just sending an email is not a sufficient use of a computer and there was no effort to infiltrate or affect the policyholder’s system. Finally, no coverage was provided by the funds transfer fraud section because the wire transfer requests were known to and in fact arranged by policyholder and since the fraudulent instructions came to the policyholder and not a financial institution, as required by the policy.
See also InComm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-02671 (N.D. Ga., Mar. 16, 2017) (summary judgment for insurer under crime and computer fraud provisions when loss did not arise from use of a computer and when actions were not the direct causes of the alleged loss); Apache Corp. v. Great Am. Ins. Co., No. 15-20499 (5th Cir., Oct. 19, 2016) (reversing the lower court’s summary judgment for the insured, the appellate court instead held for the insurer on the grounds that a fraudulent email that caused a misdirected funds transfer was “merely incidental to the occurrence of the authorized transfer of money.”).
The stream of such cases flows on. For example, on April 7, 2017, a manufacturing policyholder moved for summary judgment in a case against its insurer. Seeking coverage under a computer crime policy, it contends that hackers got into both its own computer system and that of one of its parts suppliers, allowing apparently appropriate emails to be exchanged that resulted in three wire transfers to what turned out to be a fake account. The insurer has denied coverage because the loss was not directly caused by use of a computer and since the transfer did not come from inside the “premises” or from inside “financial institution premises” as defined by the policy. See American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am., No. 16-12108 (E.D. Mich.).
And the litigation over losses from cyber-related risks also continues to involve much more traditional coverages, such as comprehensive general liability (CGL) policies. There have been several much-publicized cases in the past several years about whether harm to data constitutes “property damage,” whether a hacker’s access to or use of breached data is “publication” or creates “personal and advertising injury,” and more. New filings involving such positions include, for example, Charter Oak Fire Ins. Co. v. 21st Century Oncology Inv., LLC, No. 2:16-cv-00732 (M.D. Fla.) (motion to dismiss filed Jan. 17, 2017 over whether third party class actions following a patient data breach at the insured’s oncology clinics concern a “publication” of data and a “personal injury”), St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540 (M.D. Fla., filed Mar. 27, 2017) (new complaint seeking coverage for fines to credit card companies, investigative and notification costs, and other expenses associated with a data breach of customer payment cards), and Yahoo! Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., No. 5:17-cv-00489 (N.D. Cal., filed Jan. 31, 2017) (complaint contending that email scanning suits pending against the insured allege “personal injury” or “personal and advertising injury”).
The policy language, facts and jurisdiction will affect the outcomes in litigation or other proceedings. These recent filings illustrate that insureds and insurers present and face a wide array of arguments that will mark the legal landscape. Disputed claims will continue to shape the body of law that both insureds and insurers should consider in their insurance transactions going forward. And it rolls on.
Molly McGinnis Stine is a partner in Locke Lord’s Chicago office. She can be reached at email@example.com.