A federal district court in Pennsylvania recently held that a bank’s payments to a commercial deposit customer reimbursing the customer for fraudulent transfers made after a data security breach could not be excluded from coverage under the bank’s insurance policy by the insurer on the basis that the payments were “voluntary” – despite the fact that the bank did not seek the insurance company’s consent before making the payments. The October 6 decision on a motion for summary judgment by the insurer involved a case in which a business customer of a bank was the victim of a malware attack that allowed a hacker to obtain the online banking credentials of an officer of the business and transfer over $3 million out of its account. The bank reimbursed the business customer for the fraudulent transfers under Article 4A of the UCC in effect under Pennsylvania law and submitted a claim to the bank’s insurance company under its professional liability policy. The insurance company denied coverage on the basis that the bank breached the voluntary payments exclusion under the policy. The court held that the bank’s reimbursement payments to its customer were not voluntary payments because they were compelled by Article 4A and therefore inherently involuntary. The court concluded that the payments are not subject to the voluntary payments exclusion in the policy, which will allow the bank to argue at trial that the insurance company was not prejudiced by the bank’s payment prior to notifying the insurance company of the claim.
Nutter Notes: Section 204(a) of UCC Article 4A generally requires a bank to reimburse depositors for unauthorized funds transfers to the extent that the bank is not entitled to enforce such transfers, and to pay interest on the reimbursable amount. The relevant provision of the insurance policy provided that the insurance company would not be liable for any “settlement, defense costs, assumed obligation, admitted liability, voluntary payment, or confessed or agreed damages or judgment to which [the insurer] has not consented.” [Emphasis added.] The policy also prohibited the bank from voluntarily making any payment with respect to any claim covered by the policy without the insurer’s written consent. The case is an important precedent for banks seeking to recoup from insurers reimbursement for payments made to depositors for fraudulent transfers resulting from data breaches or cyber-security incidents. While banks should as a general rule make every reasonable effort to give prompt notice to insurers to attempt to avoid coverage disputes arising from fraudulent transfers, state and federal data security breach notice requirements often require banks to take immediate and costly response measures that do not permit time to wait for insurers to react to claims.