When a business is victimized by computer hacking, and customers have lost money as a result, the governing laws or regulations may require the business to make the customer whole. Such payments may be eligible for insurance coverage. Before paying, a business should ideally get the insurer’s permission, which may not be unreasonably withheld, because insurance policies typically require the insurer’s consent before the insured makes a “voluntary payment” to settle a liability. Even if no consent is obtained, however, the policyholder may be able to obtain coverage for such payments when they are clearly mandated by law and thus are not “voluntary.”

Earlier this month, a district court in Pennsylvania held that an insurer could not avoid indemnifying its insured, a bank, for a payment it made to reimburse a depositor that was robbed as a result of computer hacking. First Commonwealth Bank v. St. Paul Mercury Ins. Co., 2:14-cv-00019, 2014 U.S. Dist. LEXIS 141538 (W.D. Pa. Oct. 6, 2014). The case is significant because it demonstrates that insurance coverage is available when the insured is complying with the law governing its obligations in response to a computer hacking event, even though the insurer has not granted its consent to the insured’s actions.

The case was initiated when the policyholder, First Commonwealth Bank (a Pennsylvania bank), and its parent company, First Commonwealth Financial Corporation, filed a complaint in Pennsylvania state court. (See First Commonwealth, 2:14-cv-00019, D.E. 1-2, Compl. ¶ 1, pp. 4–13.) The complaint was later removed to the U.S. District Court for the Western District of Pennsylvania. (Id., D.E. 1.) At issue in the suit was a banker’s professional liability policy. (Id., D.E. 1-2, Compl. ¶ 24 & Ex. A.) The complaint alleged that “one of First Commonwealth Bank’s depositors was recently targeted by a computer hacker who wrongfully wired $3,585,120 out of the depositor’s accounts.” (Id. ¶ 1.)

The depositor allegedly was an oil company that became a victim of malware, which allowed a hacker to find the username and password for the company’s bank accounts. (Id. ¶ 10.) Using the username and password, the hacker then initiated three wire transfers: one in the amount of $2,158,600 to a recipient bank in Russia; another in the amount of $76,520 to a recipient bank in Pennsylvania; and a third in the amount of $1,350,000 to a recipient bank in Belarus. (Id. ¶¶ 11–13.)

According to the complaint, an intermediary bank noticed that the transfer appeared to be fraudulent and notified First Commonwealth of the problem. (Id. ¶¶ 15–16.) First Commonwealth alleged that it then contacted the depositor oil company, which confirmed that the transfers were not authorized. (Id. ¶ 17.) First Commonwealth was able to recover only the money transferred to the Pennsylvania bank, and could not recover the money transferred to the Russian or Belarusian banks. (Id. ¶¶ 18–19.)

The depositor oil company then demanded that First Commonwealth reimburse the funds that the third party had transferred to the Russian and Belarusian recipients. (Id. ¶ 20.) First Commonwealth refunded the money because it believed that there was no valid defense to the depositor’s demand under a Pennsylvania statute, 13 Pa. C.S.A. § 4A204(a), which requires such a refund when a bank accepts a fraudulent request for a wire transfer. (Id. ¶¶ 22–23.) After making this refund, the bank gave notice of the loss to its insurer, St. Paul Mercury Insurance Co., which denied coverage on the grounds that First Commonwealth had not obtained the insurer’s consent to the refund before paying it. (Id. ¶¶ 26 & 28.)

After First Commonwealth filed its breach-of-contract suit against St. Paul, the insurer moved to dismiss pursuant to F.R.C.P. 12(b)(6), arguing that coverage was lost due to the application of a “voluntary payment” provision. (First Commonwealth, D.E. 12.) As quoted and emphasized in St. Paul’s motion to dismiss brief, this provision states as follows:

The Insureds agree not to settle or offer to settle any Claim, incur any Defense Costs or otherwise assume any contractual obligation, admit any liability, voluntarily make any payment or confess or otherwise agree to any Damages or judgments with respect to any Claim covered by this Policy without the Insurer’s written consent, which shall not be unreasonably withheld. The Insurer shall not be liable for any settlement, Defense Costs, assumed obligation, admitted liability, voluntary payment, or confessed or agreed Damages or judgment to which it has not consented.

(Id., at p. 3 (emphasis in original).)

Rejecting St. Paul’s argument, the district court denied the motion to dismiss and held that First Commonwealth had not voluntarily paid the refund to the depositor oil company. First Commonwealth, 2014 U.S. Dist. LEXIS 141538, at *10–12. The court noted that Black’s Law Dictionary defined “voluntary” as “[u]nconstrained by interference; not impelled by outside influence.” (Id. at *10.) Given that broad definition, the court concluded it was “difficult . . . to find that the mandate of 13 Pa. C.S.A § 4A204 is not an outside influence that interfered with the restrictions imposed upon Plaintiffs under the Policy.” (Id. at *10–11.)

The court also distinguished cases cited by St. Paul in which a court had enforced a requirement to obtain the insurer’s permission before paying a claimant. (Id. at *11.) According to the court, these cases merely stood for the proposition that such provisions are enforceable, but did not demonstrate that the provision applied to the facts at issue: “None of these cases, however, involve a bank’s legal and statutory obligation to refund a client when an unauthorized wire transfer has been made or any other situation where the insured’s act of paying a claim was compelled by law or other outside influences.” (Id.)

Despite this favorable outcome, it is still a best practice for insureds to obtain an insurer’s consent to make a payment settling a liability, if only to avoid any later dispute. Nevertheless, when an insurer refuses to grant its consent, First Commonwealth stands as a strong precedent in favor of coverage, at least when the payment is required by a clear mandate such as 13 Pa. C.S.A. § 4A204(a).