In Metro Brokers, Inc. v. Transportation Insurance Company, No. 1:12-CV-3010-ODE (N.D. Ga. Nov. 21, 2013), The United States District Court for the Northern District of Georgia, Atlanta Division, applying Georgia state law, granted defendant Transportation Insurance Company’s (TIC) motion for summary judgment, giving effect to two cyber risk exclusions in an all-risk insurance policy resulting in the denial of Metro Brokers, Inc.’s (Metro) claim for losses from fraudulent electronic withdrawals from the company’s bank account.
Metro, a real estate brokerage company, maintained accounts with Fidelity Bank (Fidelity) and used Fidelity’s automated clearing house (ACH) system to make payroll and other payments. In December 2011, a thief (or thieves) logged onto Fidelity’s online banking system using a Metro employee’s login credentials and caused nearly $200,000.00 in ACH payments from Metro’s escrow account to be distributed to various bank accounts throughout the United States.
Metro then made a claim for losses from the fraudulent transfers under an all-risk insurance policy issued by TIC (the policy).
TIC denied Metro’s claim citing the Policy’s broadly worded “malicious code” and “system penetration” exclusions. Metro argued that the fraudulent transfers were covered under the Policy’s Forgery and Alteration endorsement (F&A Endorsement). Metro filed suit against TIC in district court and the parties cross-moved for summary judgment.
Applying Georgia contract law in denying Metro’s motion for summary judgment and granting TIC’s motion, the court first found that the language of F&A Endorsement limited its coverage to negotiable instruments and then determined that the fraudulent withdrawals did not constitute a forgery because there was no “negotiable instrument” involved in the subject transfers, noting that both federal and state statutory law clearly distinguish electronic fund transfers from negotiable instruments.
The court then went on to determine whether the broad language of the “malicious code” and “system penetration” exclusions supported a denial of Metro’s claim. The court noted that the parties agreed that the evidence suggested that whoever had caused the fraudulent transfers learned Metro’s login credentials through the Zeus virus that was found on several of Metro’s computers. Metro argued that the virus didn’t actually cause the fraudulent transfers, but rather that the loss was caused by the person(s) that used the hacked information. Finding that TIC properly denied Metro’s claim, the court held that the intent of the broadly worded exclusions was clearly to deny computer fraud claims, noting among other rationales that TIC had produced evidence that it offered other policy endorsements intended to cover loss of funds due to unauthorized electronic transfers. The court also gave effect to the policy’s anti-concurrent causation language, finding that the role of the computer virus in causing the loss was not so remote to fall outside of the Policy’s language excluding losses “caused directly or indirectly by … malicious code or system penetration.” (Emphasis added).
In the growing body of case law addressing cyber risk insurance issues, Metro Brokersreminds both insureds and insurers of the importance of the specific policy language at issue and is an example of one court’s willingness to give effect to a broadly worded computer fraud exclusion.