Policyholders and insurers continue to grapple with the circumstances under which losses arising from data security breaches and social engineering fraud will be covered under various insurance policies. Two recent decisions – one in favor of the policyholder and one against – continue to support the notion that resolution of these cases will be highly fact-specific and the outcome will be difficult to predict in many instances.
In State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016), a policyholder hit a home run when the Eighth Circuit Court of Appeals affirmed a decision in the policyholder’s favor finding coverage for losses suffered when the policyholder, a small local bank, was victimized by a hacker who gained access to a computer used to effectuate wire transfers. As a result, two unauthorized transfers were executed from the bank’s account to two different foreign banks. A subsequent investigation revealed that the compromised computer had been infected with a virus that, at the opportune time, permitted unauthorized access to the infected computer for the hacker to effectuate the unauthorized wire transfers. The Eighth Circuit rejected the insurer’s argument that the overriding cause of the loss was an employee’s failure to adhere to security protocols or take reasonable steps to protect the computer. Rather, the Eighth Circuit found that the unlawful computer hacking by a third party was the “efficient proximate cause” of the policyholder’s loss. The Eighth Circuit noted that, even if the employee’s negligent actions “played an essential role” in the loss and created a risk of intrusion into the bank’s computer system, “the intrusion and the ensuing loss of bank funds was not ‘certain’ or inevitable. The ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”
However, in Taylor & Lieberman v. Federal Insurance Company, -- Fed. Appx. --- (9th Cir. Mar. 9, 2017), the policyholder struck out when the Ninth Circuit Court of Appeals affirmed the lower court’s decision to deny coverage, albeit on different grounds, for losses suffered as a result of a social engineering scheme. In Taylor & Lieberman, the policyholder, an accounting firm, was victimized when a client’s email account was hacked, enabling the hacker to send emails from the client’s account to the policyholder’s employee purportedly directing two large transfers out of the client’s account. The fraudulent emails were signed with the client’s name, and the policyholder’s employee, believing the instructions to be legitimate, effectuated the transfers.
In affirming the lower court, the Ninth Circuit held that the fraudulent emails were not forgeries or alterations of financial instruments under the policy’s forgery coverage, noting that the emails themselves did not qualify as “financial instruments” and were not drawn upon the policyholder’s account, but rather on an account belonging to the policyholder’s client. The Ninth Circuit also found there was no coverage under the policy’s computer fraud coverage because the fraudulent emails were not an “unauthorized (1) ‘entry into’ its computer system, [or] (2) ‘introduction of instructions’ that ‘propagate[d] themselves’ through its computer system.” Finally, there was no coverage under the policy’s funds transfer fraud coverage because the policyholder knew of and authorized the transfers, albeit as a result of fraudulent instructions.
The facts presented in these two cases show an apparent distinction in the availability of coverage for cyber crime losses depending upon how the crime was actually committed. In State Bank of Bellingham, there was an actual intrusion by a hacker into the policyholder’s computer system. In Taylor & Lieberman, the court seemed to conclude that the policyholder’s employee was “hacked,” not its computer system: the hacker gained access to the policyholder’s computer by and through its employee’s voluntary actions. These cases show that courts continue to have difficulty applying the complex fact patterns often present in social engineering fraud claims to the language of crime policies, even though the end result – the unlawful gaining of access to the policyholder’s computer system – is the same.