The increased prevalence, and awareness, about cyberattacks should surprise no one. Cybersecurity breaches against businesses and political entities within the last several years has brought the issue from a niche focus into the broader strategic focus of most organizations. Certainly, cyberinsurance policies present one potential avenue for addressing, defending against, and mitigating cyber-related security events. Recent decisions, including in particular, InComm Holdings v. Great American Insurance, 2017 U.S. Dist. LEXIS 38132 (N.D. Ga. March 16), however present certain potential limitations to cybercoverage.
One of the more common forms of a cyberattack is a phishing attack or other type of attack aimed at getting users to voluntarily release sensitive information, monetary funds, among others. It was a phishing attack that led to the now-notorious DNC email leak scandal in the last presidential election cycle. This type of attack can raise unique issues under a cyberinsurance policy. For instance, some insurers may decline coverage for this type of attack depending on the content and language of the specific cyberpolicy. Although cyberinsurance policies are not as standardized as many of the traditional commercial line policies, some commonalties do emerge. The InComm decision highlights several of these commonalities and raises important considerations for policyholders.
Specifically, policyholders may face hurdles from their insurance carriers and the courts because the phishing scheme did not require the “use” of their computers by an outside agent. Also, if the scheme involved the voluntary transfer of money, property, or information, the policy might exclude those losses. Given that cyber losses are also, often, indirect attacks on the finances of a company rather than directly breaking into the bank vault, that attenuation may also lead to a challenge of whether a “loss” occurred.
To understand how these issues apply in reality, it is important to understand factual background in the InComm decision and what led to the court’s rationale. InComm Holdings, Inc. provides a financial service that lets consumers put funds onto prepaid debit cards issued by banks. Cardholders can buy “chits” to add prepaid funds to their cards. People can buy these chits at different retailers such as CVS, Walgreens or supermarkets. When the consumer buys the “chit” they buy it for the amount of funds they want to place on the card, plus a small fee. When the cardholder buys the “chit,” the retailer notifies InComm who holds the funds in a bank account. To redeem the “chit,” the consumer calls InComm and provides them with the unique pin number printed on the “chit;” the account number for the debit card; and a three-digit security code on the debit card. After redemption, InComm moves the funds into the bank account associated with the pre-paid debit card.
The dispute in InComm involved one particular bank, Bancorp, that issued pre-paid debit cards. As part of its contract with Bancorp, InComm had to transfer funds to Bancorp within a specified period of time following “chit” redemption. The contract then provided that Bancorp hold the funds in a fiduciary or custodial manner on behalf of InComm. Bancorp held the funds in trust. This arrangement is important to the court’s determination of whether a loss occurred.
From November 2013 to May 2014, InComm was the subject of a “chit” redemption scheme. InComm had an error in their redemption system where the consumer could call from different telephones at the same time to redeem the same “chit” more than once. The simultaneous “chit” redemptions exploited a coding error in InComm’s system that resulted in the transfer of funds to Bancorp. The unauthorized redemptions resulted in about $10.3 million of wrongly transferred funds.
After discovering the scheme and deactivating the cards, InComm noticed its insurance carrier Great American Insurance Co. (GAIC) and sought coverage under its computer fraud coverage. The GAIC policy states that it will: pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
• To a person (other than a messenger) outside those premises; or
• To a place outside those premises.
The policy defined “premises” as “the interior of that portion of any building you occupy in conducting your business.” It defined “banking premises” as “the interior of that portion of any building occupied by a banking institution or similar safe depository.” It defined “occurrence” as “all loss or losses caused by: an act, or series of related acts; involving one or more persons; an act or acts involving a person or group of persons acting together; or an act or event, or series of related acts or events, not involving any identifiable person.” GAIC denied the claim because InComm’s alleged loss did not result from “the use of any computer” to access InComm’s system; the “chit” reload scheme did not cause the automatic transfer of any funds; and the losses resulted from multiple separate occurrences, none of which exceeded the deductible.
In granting summary judgment, the court relied on two theories. In reviewing the policy language, the court first concluded that the conduct did not involve “the use of any computer.” Since the consumers had to use the telephone to commit the scheme, the court reasoned that the use of the telephone did not result in the use of a computer. The court may have decided this point incorrectly. First, the court itself noted that other courts have considered similar provisions and factual patterns and assumed the use of a computer but found the losses otherwise not covered. Second, it is undeniable that the scheme required the exploitation of a computer coding error to work. It is hard to imagine how the exploitation of a coding error does not require the “use” of a computer.
The second ground for granting summary judgment is more problematic for the policyholder although it has less broad-reaching implications. The policy covered “loss of … money … resulting directly from a computer fraud.” GAIC argued, and the court agreed, that when the funds transferred to Bancorp, InComm did not experience a loss. The reasoning was that InComm retained an interest in the funds as a trustee and that the loss of the funds did not occur until Bancorp transferred the funds out of its account to settle the expenditures made by the consumers. Although this reading of loss seems hyper technical given that InComm effectively lost control over the funds once they transferred to Bancorp, this argument is harder to address. Still, InComm had to transfer the funds per the contract, and Bancorp had to use the funds to settle the purchases. The agreement between the two parties made it clear that the funds had to go to settle the purchases and that neither Bancorp nor InComm could use them for another purpose. For all practical purposes, this was a loss.
This portion of the decision also presents a potential systemic problem with cyberpolicies when analyzing “loss” under traditional commercial liability principles. It is far more common for a cyberattack to involve a breach that results in a demand for ransom, some intermediate transfer as in this case, or another type of loss that is different from breaking directly into the company’s “vault.”
Policyholders must pay special attention to the language of their cyberpolicies when seeking coverage. They also should work closely with a qualified broker who has specific cybercoverage experience that will guide them in finding the coverage that best suits the needs of their business. Policyholders should also work with cybersecurity consultants to identify the most likely avenues of a cyberattack against them and seek policies written to cover these most likely forms of attack. Also, given that the court had some difficulty applying more traditional insurance concepts to the newly developing cyber insurance field, it is important for lawyers representing policyholders to have a firm understanding of the technology. Those lawyers will need to take the facts presented by the scenario and develop arguments to apply those facts to core insurance principles.
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 135 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.
You can connect with Offit Kurman via our Blog, Facebook, Twitter, Google+, YouTube, and LinkedIn pages. You can also sign up to receive Law Matters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.
MARYLAND | PENNSYLVANIA | VIRGINIA| NEW JERSEY | NEW YORK | DELAWARE | WASHINGTON, DC