Policyholders whose businesses utilize technology platforms and products that may be susceptible to programmatic weaknesses or errors should carefully review their insurance coverage to understand whether certain forms of data fraud that result from these weaknesses or errors will be covered. Fidelity and crime insurance policies often limit coverage to unauthorized access or access stemming from some form of misrepresentation or fraud. As a result, policyholders may find themselves without coverage for losses caused by authorized access that takes advantage of weaknesses or errors in the technology platform or product in order to perpetrate data fraud. To avoid a potential coverage gap, a policyholder may need to seek out separate coverage particular to such a loss.

Technology platforms and products used in today’s businesses often carry the potential risk of inherent system weaknesses or errors that can be exploited as part of various data fraud schemes. Before relying on traditional fidelity and crime insurance policies to cover resulting losses, policyholders should carefully examine the language of these policies and understand that such policies may be read to cover only fraudulent access to an insured’s systems or programs, rather than authorized access that results in fraud and is facilitated by the exploitation of a weakness or glitch in that system or program. For example, InComm Holdings, Inc. (“InComm”), a technology company involved in the business of prepaid debit cards, is currently seeking coverage from its insurer, Great American Insurance Company (“Great American”), for a loss of over $11 million resulting from more than 25,000 individual duplicate redemptions of reload currencies, i.e., “chits,” that were intended to be redeemable only once. InComm Holdings, Inc., et al. v. Great Am. Ins. Co., No. 1:15-cv-02761-WSD (N.D. Ga. 2015).

In May 2014, InComm became aware of a scheme whereby individuals exploited an automated phone system—the Interactive Voice Response (“IVR”) system—used to redeem chits worth pre-purchased amounts onto reloadable debit cards. An individual who purchases a chit receives a unique PIN for that chit, and then calls into the IVR system to activate the value on the debit card, at which time the chit becomes inactive. The scheme identified by InComm was made up of individuals submitting multiple, simultaneous chit redemption requests to the IVR system, amounting to multiple redemptions of the chit value. The scheme (“duplicate redemption scheme”) was allegedly made possible due to a “code error” in the redemption system.

InComm had purchased insurance coverage for the policy period June 1, 2013 to June 1, 2014 from Great American under a Crime Protection Policy (the “Policy”) that provided that Great American “will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises ... to a person … outside those premises; or…to a place outside those premises.” Relying on this insuring agreement, in July 2014, InComm tendered a claim for its loss to Great American. In response, on May 12, 2015, Great American denied coverage, citing its disagreement as to the proper interpretation of the Policy’s Insuring Agreement and its computer fraud requirement.

On July 28, 2015, InComm filed suit against Great American, pursuing claims for breach of contract and bad faith, and also seeking a declaratory judgment regarding the availability of coverage under the Crime Protection Policy issued by Great American. Litigation ensued, discovery was completed, and recently, on July 15, 2016, both InComm and Great American moved for summary judgment on InComm’s contract claims, which Great American argues are not covered by its Policy.

Great American argues that the breach of contract claim (and thus the declaratory request) is not covered because: (1) there was no covered transfer of property; (2) the losses were not a direct result of the allegedly fraudulent conduct; (3) the duplicate redemptions did not constitute computer fraud; and (4) the loss from each duplicate redemption does not exceed the deductible—all of which are allegedly required by the relevant Insuring Agreement. Principally, Great American argues that the chits are not money but instead a “contractual obligation” on the part of InComm to fund the redemptions, such that there was no transfer of property, and that even if there were a transfer, it would have been indirect. Perhaps most interesting, however, is Great American’s further argument that the Insuring Agreement under which InComm seeks coverage is intended to cover only computer fraud that stems from misrepresentations or unauthorized access by third parties to InComm’s computer systems, none of which exist in the duplicate redemption scheme. According to Great American, the legitimate access by users, without any misrepresentation or concealment of information, did not cause the losses; rather, the losses were caused by a system error that allowed the possibility of duplicate redemptions.

In its summary judgment brief, InComm counters that the duplicate redemption scheme amounted to computer fraud because InComm’s IVR system is computer-based and the duplicate, simultaneous redemptions amounted to unauthorized use of the IVR system. Further, InComm notes that the coverage is not limited to “hacking” situations as Great American attempts to argue, and that if such a limitation were to be placed on the coverage, the Policy should have been drafted to include that specific exclusion. Rather, InComm takes the position that the Policy’s Insuring Agreement should be broadly interpreted to cover losses involving “misuse” and “manipulation.” InComm asserts that the duplicate redemption scheme was a utilization of the IVR system in an “unintended manner,” and that the duplicate redemptions therefore amounted to unauthorized use covered by Great American’s Policy. In addition, InComm argues that the losses it incurred all stemmed from a series of related events and, thus, are the result of a single occurrence for purposes of satisfying the Policy deductible. InComm further argues that its losses were proximately caused by the duplicate redemption scheme, such that the losses are, in fact, the direct result of the allegedly fraudulent conduct.

Although the suit is still pending and awaiting the Court’s decision on the summary judgment motions—both of which may be denied and the claims submitted to a jury—the case serves as a signal to policyholders to review their fidelity and crime insurance policies and understand these policies’ breadth and potential limitations. Doing so will inform policyholders of any need to negotiate for broader protections in their existing fidelity and crime policies or to seek separate specialized coverage in order to avoid a potential coverage gap for data fraud losses resulting from the exploitation of system weaknesses or errors.