The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.
Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.
The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.
The Eighth Circuit concluded that, under Minnesota’s concurrent-causation doctrine, the exclusions did not apply. The doctrine provides that where there are multiple causes of a loss, one of which is a covered peril and another of which is an excluded peril, the availability of coverage turns on which peril is the “overriding cause,” also known as the “efficient and proximate cause,” of the loss. The Court determined that there was coverage because the computer systems fraud was the efficient and proximate cause of the loss of the bank funds. Even though the bank employee’s lax attention to security and other conduct by bank employees, such as failing to maintain the computer’s antivirus software, may have been contributing causes of the loss and may have even “played an essential role” in the loss, these circumstances did not inevitably lead to the hacker’s intrusion and illegitimate wire transfers.
This is a good result for policyholders who, in purchasing computer fraud coverage, presumably believed they were in fact protected against such hacking attacks. The Eighth Circuit correctly rejected the insurer’s attempt to shirk its coverage obligations. The decision may also prove helpful to victims of the Business E-mail Compromise (BEC) scam, which we have discussed several times in the past year, in obtaining coverage under computer fraud provisions despite insurers’ efforts to wrongfully withhold such coverage. Just as the Eighth Circuit found that the fraudster’s hacking of the bank computer was the overriding cause of the loss of bank funds, a fraudster’s illegitimate instructions to employees are the overriding cause of loss in a BEC scam. And while, in each case, the unsuspecting employee’s conduct may have played a role, it was not the proximate cause of the loss, and therefore coverage should be paid.