CYBER CRIME COVERAGE

November 7-9, 2012

ABA Tort Trial & Insurance Practice Section 2012 Fidelity and Surety Law Committee

Judith R. Bufler
Senior Surety Claims Specialist III
Liberty SuretyFirst
9450 Seward Road
Fairfield, Ohio 45014
(513) 867-3819

Andy J. Chambers
Attorney
Jennings, Strouss & Salmon, PLC
One East Washington Street, Suite 1900
Phoenix, Arizona 85004
(602) 262-5846

* This paper is based in part on a previous work titled Computer Fraud Coverage, co-authored by Carl Grant and Andy Chambers. Computer Fraud Coverage was prepared for and submitted to the ABA Tort Trial & Insurance Practice Section, 2010, Fidelity and Surety Committee, Profiles in Greed: A Study of Common Fidelity Loss Scenarios. The authors wish to acknowledge and note their appreciation for Mr. Grant’s prior contributions. Mr. Grant is the Complex Claims Director, Fidelity, for Chartis, 175 Water Street, 7th Floor, New York, NY 10038, (212) 458-1029. Copyright 2012 American Bar Association

I. INTRODUCTION

The developments involving information technologies (“IT”) have fundamentally revolutionized virtually every aspect of modern life. Computer systems have become ubiquitous features of our personal and professional lives. Businesses increasingly rely on the use of electronic information and conduct commerce by way of electronic transactions. Our personal, social, financial, and medical information is stored on servers, or in clouds, with an increasing number of institutions and vendors. The dramatic growth and expansion of electronic data storage and electronic commerce has created new perils for financial institutions and businesses alike. Banks, credit unions and businesses of all types have become exposed to an ever increasing risk of financial loss and third-party liability resulting from cyber crime. Such losses can take many forms, but three general types of loss predominate: (1) electronic manipulation causing a fraudulent transfer of funds, (2) damage to or destruction of electronic data or software programs by way of malware, virus or the malicious acts of a hacker, and (3) costs incurred due to, or third-party liability for, misappropriation or disclosure of customers’ personally identifiable information (“PII”). Not surprisingly, the insurance industry has seen an increased demand for new types of products, sometimes referred to as cyber insurance, to cover the emerging perils of cyber crime. The development of such products was initially slowed by the lack of good actuarial data on which to base insurance rates.1 However, various forms of cyber insurance are now widely available, and an increasing number of financial institutions and companies are opting for some form of cyber insurance. According to one recent report, gross premium revenues for U.S. cyber insurance policies have grown from $100 Million in 2002 to an estimated $1 Billion for 2012.2

Although various cyber coverage forms are now readily available in the market, the legal precedent interpreting such coverage forms remains limited. The cases that do exist demonstrate that this is an area that is very much in its infancy, subject to growing pains and continued development. Insureds are working to understand and mitigate the risks represented by cyber crime. Insurers are striving to develop products appropriately tailored to those risks. And the courts are struggling in their application of cyber coverage forms in a world where almost all losses have some connection to a computer. Against that backdrop, this paper provides some statistical data regarding the prevalence, costs, and evolving nature of cyber crime in the United States (Section II), identifies the most common computer fraud and cyber crime coverage forms (Section III), discusses the developing, albeit still sparse, case law (Section IV), and concludes with a discussion of important considerations when evaluating and handling a cyber crime claim (Section V).

1 See, COMPUTER SECURITY INSTITUTE, 2006 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 10 (2006), available at http://pdf.textfiles.com/security/fbi2006.pdf.

II. STATISTICAL BACKGROUND

The statistics are staggering. The 2005 FBI Computer Crime Survey reported that nearly 9 out of 10 organizations surveyed experienced at least one computer security incident annually, and 2 out of 10 organizations experienced 20 or more such incidents annually.3 Of those surveyed, 64% incurred a financial loss as the result of computer security incidents.4 Extrapolating from these findings, the FBI estimated that in 2005 the total cost to the U.S. market for computer security incidents was $67.2 billion per year, or $7.6 million per hour.5

The most prevalent types of cyber fraud, and the resulting losses, are evolving. In 2005, the most common and expensive form of cyber crime perpetrated on businesses involved viruses and spyware.6 However, by 2007, financial fraud overtook virus attacks as the source of the greatest financial losses.7 Additionally, loss of customer and proprietary data, when combined, accounted for the second-worst cause of financial loss from computer fraud in 2007.8 According to the Computer Security Institute (“CSI”), which has been studying cyber crime for the past 15 years, 2009 witnessed another shift. Although reported incidents of financial fraud increased, the most expensive cyber crimes were experienced in the area of exploitation of wireless networks, with average losses of $770,000 per incident.9 The second most costly form of cyber crime involved the theft or loss of PII through all causes other than mobile device theft, with average losses of $710,000 per incident.10 Financial fraud losses came in third, with average losses of $450,000 per incident.11 Interestingly, starting in 2009, fewer and fewer respondents to CSI’s annual survey have been willing to disclose information about dollar losses they incurred due to cyber fraud incidents.12 As a result, the most recent report from CSI for the 2010/2011 period does not address the issue of costs resulting from cyber fraud incidents.

2 See, BETTERLEY RISK CONSULTANTS, INC., THE BETTERLEY REPORT CYBER/PRIVACY INSURANCE MARKET SURVEY – 2012 (2012), available at http://betterley.com/samples/cpims12_nt.pdf.
3 See, FEDERAL BUREAU OF INVESTIGATION, 2005 FBI COMPUTER CRIME SURVEY 6-7, available at http://www.digitalriver.com/v2.0-img/operations/naievigi/site/media/pdf/FBIccs2005.pdf.
4 Id. at 10.
5 Id.
6 Id. at 6.
7 See, COMPUTER SECURITY INSTITUTE, 2007 CSI COMPUTER CRIME AND SECURITY SURVEY 2 (2007), available at http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf.
8 Id.
9 See, COMPUTER SECURITY INSTITUTE, 2009 CSI COMPUTER CRIME AND SECURITY SURVEY 15 (2009), available on-line at http://gocsi.com/sites/default/files/pdf_survey/CSI%20Survey%202009%20Comprehensive%20Edition.pdf.
10 Id.
11 Id.
12 Id.

However, there is some recent information on the prevalence and costs associated with data breaches, as reported in the 2010 Annual Study: U.S. Cost of a Data Breach prepared by Ponemon Institute, LLC. According to the Ponemon Institute, there were nearly 600 reported data breaches that put more than 12 million records in jeopardy in 2010.13 The average organizational cost of a data breach increased to $7.2 million in 2010, up 7 percent from $6.8 million in 2009.14 The most expensive data breach included in the Ponemon Institute’s 2010 study cost a company $35.3 million to resolve.15 The least expensive data breach was $780,000.16 With respect to data breaches, there is an obvious correlation between the number of compromised records and the resulting costs to the company. On average, the cost to companies was $214 per compromised record.17 Surprisingly, breaches due to internal negligence are more prevalent than those caused by malicious or criminal attacks: 41 percent compared to 31 percent.18 However, the costs resulting from malicious attacks significantly exceeded those resulting from internal negligence: $318 per record compared to $215 per record.19

The Verizon Risk Team, working in conjunction with the U.S. Secret Service, also published a recent report titled the 2010 Data Breach Investigations Report. This comprehensive report provides many relevant metrics regarding the prevalence of data breaches at U.S. companies and the methodologies employed to effect them. Of particular interest to the fidelity field, the Verizon Risk Team found that 94 percent of all compromised records in 2009 were attributable to the financial services market.20

Based on these statistics, there is no question that cyber crime is a booming industry that exacts a substantial monetary toll on U.S. financial institutions and companies. The risks and costs are almost certain to increase over time. One of the most significant developments in the last 5 years has been the emerging threat of disclosure of PII. With a rising number of financial institutions and companies storing sensitive personal and financial information in electronic format, that information is increasingly coming under attack from malicious hackers. Moreover, such information is vulnerable to disclosure due to internal negligence. Regardless of whether disclosure of PII is the result of malicious attacks or negligence, companies are forced to incur substantial costs due to such data breaches. With these developments, more and more companies are seeking appropriate cyber coverage to mitigate this new exposure, and the insurance industry is certain to experience more cyber claims.

13 See, PONEMON INSTITUTE, LLC, 2010 ANNUAL STUDY: U.S. COST OF A DATA BREACH 9, available at http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach.
14 Id. at 5.
15 Id.
16 Id. at 6.
17 Id. at 13.
18 Id. at 25.
19 Id. at 26.

III. CYBER CRIME COVERAGE FORMS

Fidelity policies are not “all risk” policies. Rather, such policies insure against loss sustained by reason of specific perils, with coverage being further narrowed by conditions and exclusions. Based on this, the starting point for any analysis involving a cyber crime claim requires a detailed review and firm understanding of the applicable coverage agreement(s) under the respective policy or bond. In this regard, it is important to recognize two points. One, there are numerous coverage agreements that may be implicated by a cyber crime claim, ranging from standard computer systems agreements to electronic extortion agreements. Two, in some instances, there are important differences between the computer fraud related provisions under the available bonds, policies, and endorsements. Set forth below is a discussion of the development of cyber fraud coverage forms, followed by a comparison of the primary cyber fraud related provisions under the various bonds and policies.

20 VERIZON, 2010 DATA BREACH INVESTIGATION REPORT (2010) 8, available at http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf.

A. The Development of Cyber Crime Coverage

Prior to the 1990s, cyber fraud coverage was not made part of the standard insuring agreements of fidelity bonds and policies such as the Surety & Fidelity Association of America (“SFAA”)21 Financial Institution Bond, Standard Form No. 24 and the Insurance Services Office (“ISO”) Commercial Crime Policy. Instead, coverage for cyber crime was provided by endorsement or rider alone. However, as demand for computer fraud coverage increased, there was a push within the insurance industry to incorporate standardized computer fraud coverage provisions directly into the form bonds and policies, which, as discussed below, has occurred to a significant extent. As an alternative to incorporating cyber fraud provisions into their general fidelity policies, many insurers have developed stand-alone electronic and computer crime policies, commonly referred to as Cyber Crime Policies, which cover a wide array of computer related risks and can be added as a companion policy to the insured’s primary fidelity insurance. Finally, some insurers continue to provide cyber crime coverage solely by endorsement or rider.

B. Comparison of the Primary Cyber Crime Provisions

1. Financial Institution Bond, Standard Form No. 24

The Financial Institution Bond, Standard Form No. 24 (“Form 24”) has yet to incorporate any type of electronic or computer fraud coverage provision as a primary insuring agreement. In 2002, the SFAA undertook to revise the Form 24 in part based on the recognition that the emergence of electronic commerce would affect some banks in the way they transact business with their customers.22 Notwithstanding that recognition and partial motivation to revise the Form 24, the SFAA ultimately “concluded that the standard form should be directed largely to paper transactions since many banks [would] continue to transact business traditionally and non-electronically.”23 Ten years later, one could seriously question whether the SFAA’s assumption that banks would continue to conduct business non-electronically by way of paper transactions has held true. In any case, financial institutions that are insured by way of a Form 24 and desire coverage for electronic transactions may obtain such additional coverage only by rider.24

21 Previously known as the Surety Association of America (“SAA”).

2. Financial Institution Crime Policy For Banks And Savings Institutions

In 2005, ISO developed and introduced the Financial Institution Crime Policy For Banks And Savings Institutions (“FICP”) as an alternative to the Form 24 and other forms available for financial institutions.25 Unlike the Form 24, the FICP specifically includes as an insuring agreement a provision for computer fraud. Insuring Agreement 7 under the FICP provides as follows:

7. Computer Fraud

a. We will pay for loss resulting directly from a fraudulent:
(1) Entry of “electronic data” or “computer program” into; or
(2) Change of “electronic data” or “computer program” within;
Any “computer system” owned, leased or operated by you or your contracted electronic data processing firm, provided the fraudulent entry or fraudulent change causes with regard to Paragraphs 7.a.(1) and 7.a.(2):
(a) “Property” to be transferred, paid or delivered;
(b) An account of yours, or of a “customer” to be added, deleted, debited or credited; or
(c) An unauthorized account or a fictitious account to be debited or credited.

b. As used throughout this Insuring Agreement, fraudulent entry or fraudulent change of “electronic data” or “computer program” shall include such entry or change made by an “employee” acting, in good faith, upon a fraudulent instruction:
(1) From a computer software contractor who has a written agreement with you to design, implement or service “computer programs” for a “computer system” covered under this Insuring Agreement; or
(2) Transmitted by “tested” telex or similar means of “tested” communication (except a “telefacsimile device”) purportedly sent by a “customer”, financial institution or automated clearinghouse.26

Coverage under this agreement extends to the fraudulent entry of data or programs into the computer systems of the insured bank or its contracted data processing firm, which results in property being transferred or the account of a customer being added, deleted, debited, or credited.27 Coverage for fraudulent fax transmissions received via computer is excluded; such computer fax transmissions are instead dealt with under the Telefacsimile Transfer Fraud Insuring Agreement in accordance with the same protocols that apply to standard facsimiles.28 Also, the FICP contains numerous computer crime specific exclusions that may be implicated by a computer fraud claim under Insuring Agreement 7. Exclusions 10 and 30 – 40 specifically apply to computer fraud related claims and should be examined in detail when evaluating a computer fraud claim under the FICP.29

22 See, ROBERT J. DUKE, A Brief History of the Financial Institution Bond in FINANCIAL INSTITUTION BONDS 21 (Duncan L. Clore ed., 3d ed. 2008).
23 Id.
24 Id.
25 Id. at 29.
26 See, Financial Institution Crime Policy For Banks And Savings Institutions (Aggregate Form), Standard Form No. FI 00 11 05 08 (ISO 2007), reprinted in FINANCIAL INSTITUTION BONDS, supra note 22 at Master Appendix, Exhibit 1.
27 See, FINANCIAL INSTITUTION BONDS, supra note 22 at page 33.
28 Id.

3. Commercial Crime Policy

The Commercial Crime Policy (“CCP”) traces its origin back to the Comprehensive Dishonesty, Disappearance and Destruction Policy [known as the 3-D policy] developed and introduced by the SAA and the National Bureau of Casualty and Surety Underwriters in 1940.30 As the result of various developments, ISO and SAA introduced the CCP in 1986.31 At the time it was introduced, the CCP offered an endorsement titled Coverage Form F for computer fraud.32 Thereafter, ISO incorporated coverage for computer fraud as a primary agreement in the CCP, providing as follows:

6. Computer Fraud

We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.33

In order to establish coverage under this agreement, the insured must demonstrate: (1) a loss of money, securities or other property; (2) resulting from the use of a computer to fraudulently cause a transfer of property; (3) from inside the premises to a person or place outside the premises.34 The CCP contains four express exclusions to coverage under Insuring Agreement 6. Exclusion 4 under the CCP excludes coverage for (1) loss resulting from giving or surrendering property in exchange for a purchase, (2) loss resulting from a fraudulent instruction directing a financial institution to transfer funds from the insured’s transfer account, (3) loss, or that part of any loss, the proof of which is dependent on an inventory or profit and loss computation, and (4) loss resulting from the insured being induced by any dishonest act to voluntarily part with title or possession of any property.35

29 See, Financial Institution Crime Policy For Banks And Savings Institutions (Aggregate Form), Standard Form No. FI 00 11 05 08 (ISO 2007), supra note 26.
30 See e.g., CAROL A. PISANO and ROBERT DUKE, Interpretation and Construction of the Commercial Crime Policy in COMMERCIAL CRIME POLICY 6-7 (Randall I. Marmor and John Tomaine eds., 2d ed. 2005).
31 Id. at 7.
32 Id. at 8.
33 See, Commercial Crime Policy (Discovery Form), Standard Form No. CR 00 22 07 02 (revised to 07-02), reprinted in COMMERCIAL CRIME POLICY, supra note 30 at Master Appendix, Exhibit B.

4. Commercial Protection Policy

For certain reasons, the SAA undertook to establish an alternative to the CCP and developed the Commercial Protection Policy (“CPP”), which was introduced in 2000.36 Like the CCP, the CPP includes a near verbatim coverage agreement for computer fraud:

5. Computer Fraud

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a. To a person (other than a messenger) outside those premises; or
b. To a place outside those premises.37

As with Agreement 6 in the CCP, in order to establish coverage under Agreement 5 of the CPP, the insured must demonstrate: (1) a loss of money, securities or other property; (2) resulting from the use of a computer to fraudulently cause a transfer of property; (3) from inside the premises to a person or place outside the premises. The CPP contains only one exclusion that specifically applies to Insuring Agreement 5. Exclusion 2 excludes coverage under Insuring Agreement 5 for loss, or that part of any loss, the proof of which is dependent on an inventory or profit and loss computation.38

34 See, MICHAEL R. DAVISSON, The Other Insuring Agreements of Commercial Crime Policies in COMMERCIAL CRIME POLICY, supra note 30 at 310.
35 See, Commercial Crime Policy (Discovery Form), Standard Form No. CR 00 22 07 02 (revised to 07-02), supra note 33.
36 See, COMMERCIAL CRIME POLICY, supra note 30 at 8.
37 See, Crime Protection Policy, Standard Form No. SP 0001 (Revised to 03-00), reprinted in COMMERCIAL CRIME POLICY, supra note 30 at Master Appendix, Exhibit A.

5. Stand-Alone Cyber Crime Policies

In addition to utilizing the standardized insurance agreements referenced above, many insurers have developed stand-alone electronic and computer crime policies, commonly referred to as Cyber Crime Policies, which can be added as a companion policy to the insured’s primary fidelity insurance. Cyber Crime Policies cover a wide array of electronic and computer related risks. Common coverage agreements include the following:

Computer Systems: These agreements generally mirror the “Computer Fraud” provisions in the FICP, the CCP, and the CPP discussed above and provide coverage for loss resulting directly from the fraudulent entry or change of electronic data or computer program that causes money or property to be transferred or an account to be added, deleted, debited or credited.

Electronic Data, Media, and Instruction: Covers loss resulting directly from:
i. the fraudulent entry or modification of electronic data or software programs within the insured’s computer systems;
ii. robbery, burglary, larceny or theft of electronic data or software programs;
iii. the acts of a hacker causing damage or destruction to electronic data or software programs; and
iv. damage or destruction of electronic data or software programs due to computer virus.

Electronic Communication: Provides coverage for loss resulting directly from the transfer of funds as the result of unauthorized and fraudulent electronic communications from a purported customer, automated clearing house, custodian, or financial institution.

Electronic Transmission: Covers loss resulting directly from the insured’s customer, automated clearing house, custodian, or financial institution having transferred money or property or caused an account to be added, deleted, debited or credited on the faith of an unauthorized electronic instruction that fraudulently purports to have originated from the insured.39

Customer Voice Initiated Transfer: Provides coverage for loss resulting directly from the transfer of money or property on the faith of an unauthorized and fraudulent voice initiated funds transfer instruction by a purported customer.40

Telefacsimile Transfer Fraud: Covers loss resulting directly from the insured having transferred money or property on the faith of a fraudulent transfer instruction that purports to have originated from a customer, financial institution, or other office of the insured, but in fact was not originated by a customer or the entity whose identification it bears.41

Service Bureau Operations: Provides coverage for loss resulting directly from a customer of the insured having transferred money or property or added, deleted, debited or credited an account as the direct result of the fraudulent entry or modification of electronic data or software programs within the insured’s computer systems while the insured is acting as a service bureau for the customer.

Voice Computer System Fraud: Covers loss resulting directly from charges for long-distance telephone calls incurred due to the fraudulent and unauthorized manipulation or use of the insured’s code or password required to access a voice computer system owned or leased by the insured.42

Extortion: Provides coverage for loss resulting directly from a third party having gained unauthorized access into the insured’s computer systems and threatened to cause the transfer of money or property, disclosure of confidential security codes, or damage to electronic data or software programs.

PII: Provides first party and third party coverage for costs and liabilities associated with the disclosure of electronically stored personally identifiable information, including notification and credit monitoring expenses and civil and regulatory defense costs.

38 Id.
39 Insuring Agreement 7 of the CCP provides similar coverage for funds transfer fraud.
40 Insuring Agreement 8 of the FICP provides similar coverage for voice initiated transfer fraud.
41 Insuring Agreement 9 of the FICP provides similar coverage for facsimile transfer fraud.

a. Common Exclusions and Limitations

In addition to the standard types of exclusions found in most fidelity policies, Cyber Crime Policies contain additional cyber specific exclusions. Most Cyber Crime Policies expressly exclude coverage for the following:
i. Loss of any confidential information, material or data;
ii. Loss of electronic data, media or instruction while in the mail;
iii. Loss resulting from (1) written instructions, or (2) telegraphic or cable instructions;
iv. Loss resulting from forged, altered or fraudulent negotiable instruments, securities, documents or written instruments used as source documentation in the preparation of electronic data;
v. Loss of negotiable instruments, securities, documents or written instruments except as converted to electronic data and then only in that converted form;
vi. Loss resulting from mechanical failure, faulty construction, or error in design of electronic media, programs or systems; and
vii. Loss resulting from the input of electronic data into the insured’s computer system by a customer or other person with authorized access to the customer’s authentication mechanism.

In addition, with respect to destruction of data or computer systems by hacker or virus, most Cyber Crime Policies expressly limit coverage to the cost of duplicating such electronic data or computer programs or, when duplication of a program is not possible, the cost reasonably necessary to restore the program to substantially the same level of operational capability.

42 This coverage may have been developed in response to the decision in Royal American Group, Inc. v. ITT Hartford, No. 16246, 1994 WL 14888 (Ohio Ct. App. Jan. 12, 1994) (unpublished opinion), discussed in Section IV.D infra, wherein the court held that unauthorized long distance charges incurred by a hacker who stole the insured’s security code did not constitute covered property under the insured’s computer fraud coverage agreement.

6. Endorsements

For those financial institutions and businesses that are either insured under a Form 24 or desire to expand the cyber related coverages provided under forms such as the CCP and the CPP, many, if not all, of the above described cyber related coverage forms are available by endorsement or rider.

IV. CYBER CRIME CASE LAW

Cyber crime coverage cases have only recently started to work their way through the court system. Prior to 2010, there were only six reported decisions addressing cyber crime coverage. Since 2010, the number of reported decisions has more than doubled. Nonetheless, guiding case precedent remains limited in the area of cyber crime coverage. That is not to say that there is nothing of value that can be gleaned from the existing case law. To the contrary, the case law is instructive on several points. One, the prevalence of cyber crime coverage cases is increasing. Two, insureds are invoking cyber crime coverage agreements for losses that would not typically be considered to be within the intended scope of such agreements. Three, the courts are struggling to understand and apply cyber crime coverage forms in a world where virtually everything has some connection to a computer, however direct or remote that connection may be. Four, traditional understandings of concepts such as loss and covered property are difficult to apply when dealing with cyber claims. With these issues in mind, set forth below is a discussion of the issues being litigated in the context of cyber crime coverage and how the courts are dealing with those issues.

A. What Constitutes Computer Fraud?

Financial fraud can take many forms and be accomplished through various means. With respect to cyber crime coverage, one pertinent question is how much computer usage is necessary to constitute computer fraud and thereby implicate coverage. Several courts have addressed this issue and reached different results.

1. Fraudulent E-mails Inducing Insured To Transfer Funds Might Be Enough

Owens, Schine & Nicola v. Travelers Casualty & Surety Co. of America43 offers a cautionary tale for all adjusters and lawyers handling a cyber crime claim. The court determined that the subject computer fraud insuring agreement was ambiguous as to the amount of computer usage necessary. Based on the perceived ambiguity, the court ruled in favor of coverage where the computer involvement in the underlying fraud was limited to a series of e-mail communications by the perpetrator inducing the insured to wire funds on a counterfeit check that may have been created with the use of a computer.

The insured law firm sought coverage for a loss it sustained after it directed its bank to wire nearly $200,000 to an overseas bank in reliance upon a fraudulent check received from a purported client. The law firm had been contacted by the purported client by e-mail and asked to assist in the collection of a debt. Following the client’s execution of a retainer agreement, the law firm received an “Official Check” from the purported debtor, which the firm deposited into its IOLTA account. The client requested that the law firm wire the funds, less the firm’s agreed retainer amount, to an overseas bank. The law firm wired the funds. It was later determined that the “Official Check” was a fraud and the firm’s bank debited the firm’s account for the amount wired overseas. All of the firm’s communications with the purported client had been conducted by e-mail. In total, the firm and the purported client had exchanged seventeen e-mails. The insured firm sought coverage under a Computer Fraud insuring agreement based on the theory that its communications with the fraudster were via e-mail and the fraudulent check was likely created with the use of a computer. The subject insuring agreement contained language similar to that found in the ISO Computer Fraud agreement, requiring “[t]he use of any computer to fraudulently cause a transfer. . . .” The carrier declined coverage and litigation ensued.

The carrier filed a motion for summary judgment. Among other grounds cited in support of summary judgment, the insurer contended that the claim did not involve computer fraud as defined by the policy. The carrier argued that, to constitute computer fraud, the transfer must occur by way of a computer hacking incident, such as the manipulation of numbers or events through the use of a computer. In this case, no such hacking event occurred. In fact, a computer was not used in any way to complete the transfer. Rather, the transfer was directed by the insured itself in person, by phone and in writing. The court disagreed with the insurer and, instead, found that the policy was “ambiguous as to the amount of computer usage necessary to constitute computer fraud”, effectively ruling that there was sufficient computer usage to establish coverage under the Computer Fraud insuring agreement. Accordingly, based on an e-mail exchange inducing the insured to part with funds, the court denied the carrier’s motion for summary judgment and held that coverage existed under the Computer Fraud insuring agreement. This decision was subsequently upheld by the trial court, which entered judgment in favor of the insured44 and awarded the insured prejudgment interest commencing the date of the prior ruling denying the carrier’s motion for summary judgment.45

43 No. CV095024601, 2010 WL 4226958 (Conn. Super. Ct. Sept. 20, 2010) (unpublished opinion).

2. Cases Requiring More Substantial Computer Usage

[44] Owens, Schine & Nicola v. Travelers Casualty & Surety Co. of America, No. CV095024601S, 2011 WL 3200296 (Conn. Super. Ct. June 24, 2011) (unpublished opinion).

[45] Owens, Schine & Nicola v. Travelers Casualty & Surety Co. of America, No. CV095024601S, 2011 WL 6934692 (Conn. Super. Ct. Dec. 7, 2011) (unpublished opinion).

The Owens case certainly represents one side of the spectrum on the computer usage issue, setting a low threshold to establish computer fraud. In contrast to the Owens decision, other courts addressing this issue have required a higher degree of computer usage to establish coverage for computer fraud. In Northside Bank v. American Casualty Co. of Reading,[46] the insured bank sought coverage under an Electronic Funds Transfer insuring agreement for a loss incurred on a merchant account by a vendor that accepted payments for merchandise that it never delivered to its customers. For purposes of summary judgment, the court accepted that the insured in good faith and in the usual course of business paid the merchant vendor monies upon receipt of electronic instructions transmitted through an electronic fund transfer system and sustained losses. However, the subject insuring agreement required that such electronic instructions be “modified or altered with intent to deceive after being sent … by a customer of the insured”. In reliance on this language, the insurer moved for summary judgment. The insured attempted to defeat summary judgment by arguing that the subject language was ambiguous and should be construed against the insurer or, in the alternative, that the merchant vendor’s submission of electronic instructions and subsequent failure to ship the purchased merchandise should be viewed as a modification or alteration with intent to deceive. The court rejected the insured’s arguments, ruling that the terms “modified” and “altered” were not ambiguous and that the insured was trying “to place a square peg in a round hole.” The court went on to note that:

A review of the insurance policy in toto, and the electronic fund transfer and computer crimes coverage in particular, establishes that the purpose of the coverage was to protect the Bank from someone breaking into the electronic fund transfer system and pretending to be an authorized representative or altering the electronic instruction to divert monies from the rightful recipient.[47]

Finding that the merchant vendor was a customer of the insured bank and that the electronic instructions were never modified or altered, the court granted the insurer summary judgment.

[46] No. GD 97-19482, 2001 WL 34090139 (Pa. Ct. Com. Pl. Jan. 10, 2001).

[47] Id. at 101-102.

Brightpoint, Inc. v. Zurich American Ins. Co.[48] is another case where the court rejected the insured’s argument that only minimal computer usage was necessary to establish computer fraud coverage. Similar to the Owens case, the computer fraud insuring agreement at issue mirrored the ISO form. The insured sought to recover for a loss resulting from its sale of prepaid phone cards to a fraudster based on unauthorized checks and bank guaranties. Copies of the fraudulent checks and guaranties had initially been faxed to the insured along with purchase orders for the phone cards. According to the insured, this fact was sufficient to implicate coverage under the computer fraud insuring agreement because it set into motion a series of events that ultimately caused the insured to be defrauded. In support of this position, the insured argued that all that was required under the terms of the computer fraud agreement was the “use of a computer followed by a theft that is in some way connected the use of the computer.” The court outright rejected the insured’s theory of coverage as a “distortion of the policy terms.” For the court, the correct view of coverage required the “manipulation of numbers or events through the use of a computer, facsimile machine or similar device.” Finding that the fraud occurred through the use of unauthorized checks and guaranties and not through the electronic manipulation of numbers or events, the court granted summary judgment in favor of the insurer.

[48] No. 1:04-CV-2085, 2006 WL 693377 (S.D. Ind. Mar. 10, 2006).

Lastly, the case of Great American Insurance Co. v. AFS/IBEX Financial Services, Inc.[49] provides support for the proposition that the use of a computer must specifically cause a transfer of funds to establish computer fraud coverage. AFS/IBEX is primarily a forgery case. However, it does provide some guidance with respect to computer fraud insuring agreements.

AFS/IBEX Financial Services (“AFS”) made a claim for losses stemming from checks issued by AFS under false pretenses to an insurance agency. The son of the owner of the agency took possession of the fraudulently induced checks, endorsed them in the name of the agency, and then deposited them into a like-named account over which he had control. As a result, AFS suffered a loss and made a claim under its Commercial Crime Policy seeking coverage for over $500,000 in losses related to the checks issued to the dishonest son. After denying the claim, Great American filed a declaratory relief action, followed by a motion for summary judgment contending that AFS’ claimed loss was not covered under any of the insuring agreements, including the computer fraud agreement. With respect to the computer fraud agreement, Great American argued that the loss sustained by AFS did not bear a direct enough connection to the use of a computer to fall within the scope of the computer fraud agreement. More specifically, Great American contended that no computer actually caused the transfer of any funds from AFS’ account, and instead the loss was caused by checks the dishonest son tricked AFS into issuing that were then endorsed and deposited. In other words, Great American took the position that there was no direct loss resulting from the use of a computer as required under the computer fraud agreement. The case decision is silent as to what role, if any, a computer may have played in the scheme perpetrated by the dishonest son. Furthermore, AFS did not present any arguments or evidence in opposition to Great American’s assertion that the computer fraud agreement did not provide coverage for AFS’ losses. Not surprisingly, the court granted Great American’s motion with respect to the lack of coverage under the computer fraud agreement.[50]

[49] No. 3:07-CV-924-O, 2008 WL 2795205 (N.D. Tex. July 21, 2008) (unpublished opinion).

[50] Id. at *14.

Nonetheless, the AFS/IBEX case provides support for the position that computer fraud insuring agreements do not provide coverage for any and all losses that may have some remote connection or relation to the use of a computer. Rather, as noted by the court, “[t]he language of these provisions indicate that they are designed to cover losses directly stemming from fraud perpetrated by use of computer.”[51]

B. Causation

As with most fidelity claims, causation is a significant issue in cyber crime claims. It is also an issue that has been met with mixed results, as some courts have applied the broad tort-based proximate cause standard, while other courts have applied the narrower contract-based direct cause standard.

1. Cases Applying a Proximate Cause Standard

Causation was one of the defenses to coverage raised by the carrier in the Owens case discussed above. Assuming for the sake of argument that the subject scheme constituted “Computer Fraud”, the insurer contended that the claimed loss was not the direct result of such fraud. To this end, the carrier argued that the loss was not directly caused by a computer, but rather was caused by the insured’s own initiative to wire funds, and that the insured’s physical receipt of the fraudulent check was an intervening cause between the e-mails and the transfer. Not surprisingly, given the court’s apparent result-driven analysis, the court disagreed with the insurer. Under Connecticut law, the court held that the direct causation requirement under a crime policy is synonymous with proximate cause and that “the use of the computer, in this case, for emails ‘proximately caused’ the plaintiff’s loss.”[52]

[51] Id.

[52] No. CV095024601, 2010 WL 4226958 (Conn. Super. Ct. Sept. 20, 2010) (unpublished opinion).

Similarly, in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co.,[53] the court applied a broad proximate cause standard to find in favor of coverage. The insured sought coverage under the Computer Fraud grant in its commercial crime policy for various damages related to a hacking incident whereby the hacker accessed the insured’s computer system and obtained credit card and checking account information for 1.5 million customers. The damages consisted of costs incurred by the insured to resolve various third-party class actions, Attorneys General proceedings, and an FTC inquiry, as well as fines issued by certain credit card companies. The carrier denied coverage, contending that the hacking incident did not cause a “direct loss” as required under the policy. The court rejected the numerous decisions cited by the carrier in favor of a “direct means direct” approach to causation and instead applied a proximate cause standard. Under this standard, the court held that there was a sufficient link between the computer hacking incident and the insured’s claimed losses so as to require coverage. On appeal to the Sixth Circuit, the trial court’s application of a proximate cause standard and ruling in favor of the insured was upheld.[54]

[53] Case No. 2:06-cv-443, ECF No. 228 (E.D. Oh. Sept. 28, 2010).

[54] Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., Case Nos. 10-4576, 10-4608, 2012 WL 36088432 (6th Cir. Aug. 23, 2012).

2. Cases Applying a Direct Cause Standard

Unlike the courts in Owens and Retail Ventures, a number of other courts have adopted a more rigorous direct cause standard in evaluating cyber crime coverage. The first case worth mentioning is the Brightpoint decision discussed above. Closely related to the insurer’s argument that the subject scheme did not constitute computer fraud was the insurer’s argument that the claimed loss was not the direct result of such fraud. As noted above, the insured had argued that, in terms of causation, the policy only required that a theft follow the use of a computer. The court rejected such a broad interpretation of causation, noting that the term “directly” required an immediate relation to the use of a computer.[55] Finding that the claimed loss did not immediately follow the use of a computer (or facsimile, as it were), the court ruled in favor of the carrier.

[55] No. 1:04-CV-2085, 2006 WL 693377, *7 (S.D. Ind. Mar. 10, 2006).

Causation was squarely at issue in Methodist Health System Found., Inc. v. Hartford Fire Ins. Co.[56] This case arose out of the Bernie Madoff Ponzi scheme. The insured foundation invested over $6.7 million in shares of the Meridian Diversified Fund, which in turn invested a portion of its holdings in the Tremont Hedge Fund, which then invested a portion of its holdings in Bernard L. Madoff Investment Securities. Tremont suffered substantial losses once the Madoff Ponzi scheme was discovered, which caused the insured to suffer losses via its investment in Meridian. The insured sought coverage for those investment losses under the Computer Fraud coverage grant in its commercial crime policy on a theory that Madoff used a computer to generate false documents that defrauded investors. The carrier moved for summary judgment based on certain policy exclusions and on the grounds that the insured had not satisfied the direct loss requirement of the policy. On the causation issue, the court agreed with the carrier that the policy only covered direct losses to the insured. In this case, the court found that although the Madoff Ponzi scheme was a contributing factor in the insured’s losses, it was not the direct cause. Rather, the insured was too many steps removed from the fraud to claim a direct loss. Finding that certain exclusions barred coverage and that the insured had failed to meet its burden to establish a direct loss, the court granted the insurer summary judgment.

[56] No. 10-3292, 2011 WL 2607107 (E.D. La. July 1, 2011).

Causation was also a pivotal issue in Pinnacle Processing Group, Inc. v. Hartford Cas. Ins. Co.,[57] which involved fraudulent credit card chargebacks. The insured processed credit card transactions for merchants through a merchant account held with Merrick Bank. In certain instances, where charges had to be refunded, the insured was responsible for any losses resulting from an inability to collect refunds from the subject merchant. In 2008, the insured processed over $200,000 in transactions for one of its customers, a retail jeweler. The insured took certain steps to verify the authenticity of the transactions, including calling the merchant, the customers and the issuing banks. Nonetheless, one month later, the jeweler merchant and the purported customers submitted requests for refunds on each of the transactions, and the insured was forced to process the refunds or chargebacks. The insured unsuccessfully attempted to recover the refunds from the jeweler merchant, and Merrick Bank deducted the refunded amounts from the insured’s account. The insured sought recovery for the chargeback by Merrick Bank under a Computer Fraud coverage agreement substantially similar to the ISO form, based on what it characterized as fraudulent credit card transactions. The primary basis for the carrier’s declination of coverage and subsequent motion for summary judgment was that the loss was not the direct result of the use of a computer. The court held that direct “means without any intervening agency or step: without any intruding or diverting factor.”[58] Under this standard, the court held that the insured’s loss was not direct because it did not suffer a loss until (1) Merrick Bank was unable to recover the chargeback funds from the merchant bank, (2) Merrick Bank deducted funds from the insured’s reserve account, and (3) the insured fulfilled its contractual obligation to Merrick Bank to replace those deducted funds. The court noted that to interpret the term “directly” as applying to such an attenuated chain of events would be to create ambiguity where none exists and would defy the plain meaning of the word. The court went on to hold that the insured’s loss resulted directly from its contractual obligations to cover any chargeback losses incurred by Merrick Bank, not from computer fraud. Accordingly, the court granted the insurer summary judgment.

[57] No. C10-1126, 2011 WL 5299557 (W.D. Wash. Nov. 4, 2011).

[58] Id. at *5.

C. The Imposter vs. The Customer

Certain cyber crime coverage agreements are drafted in a manner to make clear that they are intended to cover only the acts of an imposter or hacker, as opposed to those of an authorized customer. This distinction between the imposter/hacker and the customer was fleshed out in the case of Morgan Stanley Dean Witter & Co. v. Chubb Group of Insurance Companies, et al.[59] Morgan Stanley filed suit against seven co-insurers seeking to recover over $21 million in claimed losses under three separate insuring agreements contained in the Electronic Computer Crime Policy issued by the co-insurers.

As noted by the court, the facts giving rise to the lawsuit were somewhat complex. Morgan Stanley entered into a written custodial service agreement with an investment advising company named London and Bishopgate International (“London/Bishopgate”) in which Morgan Stanley agreed to safeguard money and property that was owned or held by London/Bishopgate. As custodian, Morgan Stanley was to be responsive to instructions from authorized representatives of London/Bishopgate. For purposes of facilitating receipt of any instructions, Morgan Stanley provided London/Bishopgate with computer software allowing access to Morgan Stanley’s computer programs. After London/Bishopgate and Morgan Stanley entered into the custodial services agreement, London/Bishopgate entered into an investment management contract with an investment trust named First Tokyo, which held about $100 million in securities. Under the contract, London/Bishopgate was to manage First Tokyo’s investments. To effectuate this arrangement, London/Bishopgate opened an account with Morgan Stanley in accordance with the custodial services agreement between the two. The purpose of the account with Morgan Stanley was to manage the investments of First Tokyo.

Two years later, First Tokyo instructed London/Bishopgate to cease trading on its behalf. However, no one informed Morgan Stanley that London/Bishopgate’s authority to trade on behalf of First Tokyo had been revoked. Despite the revocation, London/Bishopgate subsequently instructed Morgan Stanley to liquidate the bulk of First Tokyo’s portfolio in five separate transactions and distribute the proceeds to certain accounts held by London/Bishopgate. The instructions were sent by computer, fax and voice to Morgan Stanley by persons specifically authorized to do business on behalf of London/Bishopgate under its custodial service agreement with Morgan Stanley. Upon discovering the loss, First Tokyo sued Morgan Stanley alleging various claims and seeking approximately $100 million in damages related to its liquidated portfolio. Thereafter, Morgan Stanley submitted a claim to the co-insurers under its Electronic Computer Crime Policy seeking to recover over $21 million it had paid to defend and settle the lawsuit by First Tokyo. Morgan Stanley contended that the claimed losses were covered under insuring agreement one, covering “computer systems”; insuring agreement five, covering “customer voice initiated transfers”; and insuring agreement six, covering “facsimile transfer instructions.” The co-insurers denied Morgan Stanley’s claim and litigation followed.

At the trial court level, the motion judge determined that none of the above-referenced insuring agreements covered the type of fraud involved in Morgan Stanley’s claim and granted summary judgment in favor of the co-insurers. Morgan Stanley appealed, and the appeal was met with mixed results. The appellate court affirmed summary judgment as to those claims relating to the computer and facsimile coverage agreements, but reversed summary judgment as to the claims relating to the voice initiated transfer agreement, finding that coverage existed for those claims. Accordingly, the appellate court remanded the case for further proceedings under the voice initiated transfer agreement.

The appellate court examined each of the three coverage agreements at issue, starting with the facsimile agreement, which covered “fraudulent FAX transfer instructions … [that] fraudulently purport to have been made by a customer or other authorized representative but which FAX transfer instructions were not made by the customer or other authorized person.” Based on this language, the court concluded that the facsimile agreement unambiguously limited coverage to situations “where an unauthorized person poses as a customer or other authorized person to issue the fraudulent transfer instructions-the so-called ‘imposter’ coverage.”[60] The court went on to reiterate this determination more succinctly by stating that “the FAX agreement covered only imposters…”[61] It was undisputed that the instructions at issue were all made by persons authorized to act for London/Bishopgate. Accordingly, the court concluded that those persons were not “imposters” and, therefore, the facsimile instructions were not covered under the facsimile agreement.

With respect to the claim under the computer system agreement, the court noted that that agreement was subject to a policy exclusion, which excluded coverage for “loss by reason of the input of Electrical Data at an authorized electronic terminal … or a Customer Communication System by a customer or other person who had authorized access to the customer’s authentication mechanism.” Based on this exclusionary language, which the court found to be clear and unambiguous, the court determined that “the computer system’s [sic] agreement excluded fraudulent transactions by customers …”[62] In an attempt to side-step the customer exclusion, Morgan Stanley argued that London/Bishopgate was not its customer. Rather, Morgan Stanley contended that First Tokyo, as the owner of the funds or property that was transferred, was the customer. For a variety of reasons the court disagreed and held that the only customer for purposes of the computer systems insuring agreement was London/Bishopgate. Accordingly, the court held that losses resulting from instructions electronically conveyed by Morgan Stanley’s customer, London/Bishopgate, were excluded from coverage under the computer systems agreement and affirmed summary judgment as to that portion of Morgan Stanley’s claim.

In evaluating coverage under the voice initiated transfer insuring agreement, the court focused on the absence of the word “purportedly” in the second portion of the agreement and found that that portion of the agreement was not limited to imposters or hackers. The agreement covered losses caused by the insured transferring “funds” because of voice transfer instructions that: “[1] fraudulently purport to have been made by a person authorized and appointed by a Customer to request by telephone the transfer of such funds but which instructions were not made by said Customer or by any officer, director, partner or employee of said Customer or [2] were fraudulently made by an officer, director, partner or employee of said Customer whose duty, responsibility or authority did not permit him to make, initiate, authorize, validate or authenticate customer voice initiated funds transfer instructions.” The co-insurers made two arguments against coverage. First, the co-insurers argued that the agreement was limited to the transfer of funds and did not cover securities. The court rejected this argument, holding that the term “funds” was broader than, and therefore included, the term securities.[63] Second, the co-insurers contended that, like the first portion of the agreement, the second portion of the agreement only applied to imposters and hackers. In support of this position, the co-insurers argued that the second portion of the agreement required the importation of the word “purport” from the first portion of the provision. However, the court refused to do so and held that the second portion of the agreement was not limited to imposters or hackers. Rather, the court held that the plain language of the second portion of the agreement covered voice initiated transfers fraudulently made by officers and employees of the insured’s customer who lacked the requisite authority to make the transfer instruction.[64] Based on First Tokyo’s revocation of London/Bishopgate’s authority to trade on its behalf, the court found that the London/Bishopgate representatives who initiated the transfers did not have authority to make such transfers. The court held that such conduct appeared to fall within the plain language of the second portion of the voice initiated transfer agreement, and reversed summary judgment in favor of the co-insurers under that agreement.

[59] No. L-2928-01, 2005 WL 3242234 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (unpublished opinion).

[60] Id. at *3.

[61] Id. at *4.

[62] Id. at *4.

[63] Id. at *4.

[64] Id. at *5.

D. Loss Of Covered Property

Courts have also evaluated the issue of whether the claimed cyber fraud resulted in a loss of covered property. This was the central coverage issue in Royal American Group, Inc. v. ITT Hartford.[65] Royal American was engaged in the business of providing customers with access to its long distance telephone network for a fee. Its long distance network was based on contracts with certain large long distance service carriers, which allowed Royal American to access their networks for use by Royal American’s customers. Royal American’s customers connected to these networks by using a “1-800” telephone number and a security code. The security code was stored in a computer located at Royal American’s facilities. An unknown individual using another computer accessed Royal American’s computer and stole the security code. The hacker then used the security code to access Royal American’s network, resulting in over $37,000 in unauthorized long distance charges to Royal American’s computerized accounts with its long distance carriers. Royal American sought coverage for the unauthorized charges under its general liability policy, which included a general crime provision and specific coverage for computer fraud. The carrier denied the claim and Royal American filed suit.

The trial court granted summary judgment in favor of Royal American, finding that the carrier was required to cover the losses from the unauthorized long distance charges. The insurer appealed, asserting multiple assignments of error. Among other things, the insurer objected to the trial court’s finding that Royal American’s contracts with the long distance carriers constituted “securities” as defined in the policy and that the unauthorized long distance charges resulted in the loss of or damage to “covered property”. The trial court had found that Royal American’s contracts with the long distance carriers were “contracts representing … other property” as defined under “securities” in the policy and that “[t]he damage resulting from these contracts which represent [Royal American’s] right to utilize the property of the carriers is clearly Covered Property” under the policy.[66]

The appellate court reached a different conclusion, noting that the definition of “securities” in the policy did not “alter or expand the plain, ordinary, and reasonable meaning of the term to include Royal American’s contracts with the long distance carriers.”[67] The court went on to hold that it would not stretch the plain and ordinary meaning of the policy definition to include Royal American’s contractual right to access another company’s long distance network. Finally, the court held that, even assuming arguendo that Royal American’s contracts with the long distance carriers constituted securities under the policy, there was no evidence that Royal American’s interests in those contracts were lost or damaged.[68] As such, the court held that Royal American’s contractual liability for the unauthorized long distance charges was not covered property under the policy. Finding that the policy did not provide coverage for the unauthorized long distance charges, the court reversed the trial court’s grant of summary judgment in favor of Royal American and remanded the case.[69]

[65] No. 16246, 1994 WL 14888 (Ohio Ct. App. Jan. 12, 1994) (unpublished opinion).

[66] Id. at *2.

[67] Id.

[68] Id.

[69] Id.

Covered property was also at issue in the recently reported decision of Vonage Holdings Corp. v. Hartford Fire Ins. Co.[70] Vonage is a telecommunications company that provides voice and messaging services over broadband internet networks. In 2009, Vonage discovered that hackers had gained access to Vonage’s servers for purposes of routing calls to Cuba through one of Vonage’s telecommunications carrier partners, Primus Telecommunications. During the hacking incident, Vonage claimed that it lost the ability to use the full capacity of its servers and that the lost capacity resulted in a loss of over one million dollars. Vonage made a claim under its Computer Fraud coverage agreement, similar to the ISO form agreement. The carrier denied the claim and Vonage filed suit.

[70] No. 11-6187, 2012 WL 1067694 (D.N.J. Mar. 29, 2012).

The insurer filed a motion to dismiss, alleging that the claim did not involve a loss of tangible property or a transfer of tangible property outside of Vonage’s premises. The court disagreed, finding that the hackers’ use of Vonage’s servers was within the plausible definition of a transfer of the insured’s property outside of the insured’s premises and that Vonage’s lost ability to use the full capacity of the servers was within a plausible interpretation of what constitutes a loss of property.[71] Based on the foregoing, the court denied the insurer’s motion to dismiss.

[71] Id. at *3.

E. Exclusions

1. Employee Dishonesty Exclusion

Apps Communication, Inc. v. Hartford Casualty Ins. Co.[72] is an interesting recent case where the court upheld the employee dishonesty exclusion under a computer and media endorsement. An unidentified employee of the insured introduced a computer virus to the insured’s computer system that deleted and damaged numerous computer files and disrupted the insured’s business operations. The insured filed suit seeking coverage under the computer and media endorsement of its property policy. In the alternative, the insured sought coverage under the employee dishonesty endorsement. However, the computer and media endorsement excluded loss caused by employee dishonesty, and the employee dishonesty endorsement extended coverage only to loss of money, securities and other tangible property, not data or software. Accordingly, the insurer filed a motion to dismiss the complaint. The court granted the insurer’s motion, effectively enforcing both the employee dishonesty exclusion in the computer and media endorsement and the covered property limitation in the employee dishonesty endorsement.

[72] No. 11 C 3994, 2011 WL 4905628 (N.D. Ill. Oct. 14, 2011).

2. Other Exclusions

As noted above, the Morgan Stanley case upheld a customer/authorized user exclusion to the applicable computer systems insuring agreement. Finding that the fraudulent instructions were electronically transmitted by a customer of the insured with authorized access to the funds transfer request program, the court held that the resulting losses were excluded from the computer systems agreement.[73]

The court in the Methodist Health case also found that certain exclusions applied to the claimed computer fraud. In that case, the court held that both the trading loss exclusion and the entrustment exclusion prevented coverage under the computer fraud provision. The trading loss provision excluded coverage for “[l]oss resulting directly or indirectly from trading, whether in your name or in a genuine or fictitious account.” The insured argued that the trading loss exclusion did not apply because its investments were not the cause of the loss; rather, the loss was caused by Madoff’s fraudulent misrepresentations perpetrated, in part, by the use of a computer. The court rejected this strained reasoning, finding that the exclusion extended to losses that resulted directly or indirectly from trading, which included the Madoff-related losses.[74] The entrustment provision excluded “[l]oss resulting from your, or anyone acting on your express or implied authority, being induced by any dishonest act to voluntarily part with title to or possession of any property.” The insured contended that the entrustment exclusion did not apply because the dishonest acts of Madoff were twice removed from its entrustment of investments with Meridian Diversified Funds, which invested with Tremont Hedge Fund, which in turn invested with Madoff. The court was not persuaded by this argument, finding that both Meridian and Tremont were acting on the insured’s implied authority and, therefore, the entrustment exclusion applied.[75]

[73] No. L-2928-01, 2005 WL 3242234, *3-4 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (unpublished opinion).

[74] No. 10-3292, 2011 WL 2607107, *4 (E.D. La. July 1, 2011).

[75] Id. at *5.

In Retail Ventures, the trial court and the Sixth Circuit addressed an exclusion barring coverage for “any loss of proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind.” The insurer contended that the exposure of the credit card and checking account information of the insured’s customers by a hacker fell within the plain and ordinary meaning of either “proprietary information” or “other confidential information of any kind.” The trial court rejected the insurer’s interpretation of the exclusion. The court held that the customer account information was not proprietary information because the plain meaning of proprietary connotes exclusive or sole right, and the insured did not have the sole right to the information.[76] The court further held that the customer account information did not constitute “other confidential information of any kind” because that phrase was subject to the ejusdem generis principle of construction, whereby the general term must take its meaning from the specific terms with which it appears. Applying this rule of construction, the court found that “other confidential information of any kind” was limited by the preceding terms “proprietary information, Trade Secrets, Confidential Processing Methods.” The court interpreted these specific terms to mean secret information concerning the manner in which the insured operated its business. From there, the court reasoned that the customer account information did not relate to the manner in which the insured operated its business, and was therefore outside the scope of “other confidential information of any kind.”[77] The Sixth Circuit affirmed the trial court’s interpretation of the exclusion, finding that customer account information was not proprietary and somehow did not constitute “other confidential information of any kind.”[78]

[76] Case No. 2:06-cv-443, ECF No. 228, 5 (E.D. Oh. Sept. 28, 2010).

[77] Id. at 5-6.

PERTINENT COVERAGE ISSUES & PRACTICAL CONSIDERATIONS

Set forth below is a discussion of the pertinent coverage issues and practical considerations to be aware of when handling a cyber crime claim. A.

Know Your Policy It goes without saying that the first priority in handling any cyber crime claim is to have a

firm understanding of the implicated insuring agreement(s) and the exclusions thereto. There are numerous cyber crime related coverage agreements offered by insurers. In some instances, there are important differences between the various cyber crime provisions and applicable exclusions. Although a cyber loss may be covered under one agreement, it may not be covered under another similar, but different, provision. For example, certain stand-alone Cyber Crime Policies contain agreements that specifically cover loss resulting from the acts of a hacker that damage or destroy electronic data or software programs. On the other hand, coverage under the computer systems agreements in the FICP, the CCP, and the CPP is strictly limited to loss resulting from the use of computer to cause a transfer of money or property or cause an account to be added, deleted, credited, or debited. Such coverage does not extend to loss resulting from damage to electronic data or computer programs. In addition, the available bonds and policies contain varying exclusions that may apply to a claimed computer fraud loss. For example, the FICP and most Cyber Crime Policies contain numerous computer fraud specific exclusions that exclude a variety of losses ranging from loss

78 Case Nos. 10-4576, 10-4608, 2012 WL 36088432, *9-11 (6th Cir. Aug. 23, 2012).

resulting from disclosure or use of confidential information to loss from electronic instructions by the insured's customer. Unlike the FICP and most Cyber Crime Policies, the CPP contains only one exclusion that specifically applies to the computer systems fraud agreement, namely the inventory policy exclusion. Additionally, what may be generically referred to as a cyber crime claim may actually implicate more than one coverage agreement. This is demonstrated by the Morgan Stanley case discussed above, in which the insured made a claim for losses sustained as the result of fraudulent instructions sent to the insured by its customer via computer, fax and telephone, and sought coverage under the computer systems agreement, the facsimile agreement, and the voice initiated transfer agreement. Accordingly, at the outset of any claim investigation it is important to identify each computer crime agreement that may be implicated by the facts of the claim and the nature of the loss.

B. Loss of Covered Property

The computer fraud provisions in the FICP (Agreement 7), the CCP (Agreement 6), the CPP (Agreement 5), and most Cyber Crime Policies cover loss resulting from the use of a computer to cause a transfer of money, securities or property held by the insured to a third party. In order to establish coverage under these agreements, the insured must demonstrate that, among other things, a covered act directly caused the loss of money, securities or other property held by the insured. Additionally, many cyber crime agreements expressly exclude from coverage nonmonetary loss resulting from a number of computer related acts, ranging from the malicious destruction of electronic data or programs to the unauthorized use or disclosure of confidential information held by the insured.

C. Causation

Based on the fact that an increasing number of business transactions have some connection to a computer system, one of the most important issues to evaluate when handling a cyber crime claim is causation. Cyber crime coverage agreements do not, or at least are not intended to, cover any and all loss that may have some remote connection to the use of a computer. Rather, such agreements are intended to cover only financial loss that bears a direct and immediate connection to the use of a computer. In other words, to establish coverage, the insured should be required to demonstrate that the use of a computer specifically caused the transfer of funds from the account of the insured. However, caution is warranted, as some courts have adopted a less rigorous proximate cause standard and found in favor of cyber coverage notwithstanding a more remote connection between the fraud and the use of a computer.

D. Was the Loss Caused by an "Imposter", as Opposed to a "Customer" or Other Authorized Representative?

Coverage for claims under the voice initiated transfer fraud and the telefacsimile transfer fraud agreements in the FICP (Agreements 8 and 9, respectively) and most Cyber Crime Policies is limited to loss resulting directly from the fraudulent instruction of an imposter or hacker, as opposed to a customer or other authorized representative.79 Similarly, coverage is excluded under the computer systems fraud agreements in the FICP (Agreement 7) and most Cyber Crime Policies for loss resulting from the input of electronic data into the insured's computer system by a customer or someone who had authorized access to a customer's authentication system.80 Accordingly, when evaluating coverage under the computer systems fraud, voice initiated transfer fraud, and telefacsimile transfer fraud agreements, it is critical to determine whether the fraudulent instruction originated from an imposter, and therefore may give rise to coverage, or from a customer or other authorized person, in which case the loss will likely be excluded.

The application of the imposter requirement for coverage under the voice initiated transfer fraud and telefacsimile transfer fraud agreements should in most cases be fairly straightforward. As an issue of fact, a person either is or is not the person they represent themselves to be. However, the application of the customer exclusion to coverage under a computer systems fraud agreement may in some instances be more difficult. This cautionary point is demonstrated by the facts of the Morgan Stanley case.81 The reader will recall that London/Bishopgate had accounts with Morgan Stanley, the insured, which London/Bishopgate used to manage the investments of its clients, such as First Tokyo. The loss arose from London/Bishopgate's fraudulent depletion of funds held on behalf of First Tokyo in one of those accounts. Morgan Stanley attempted to circumvent the customer exclusion to coverage under the subject computer systems fraud agreement by arguing that First Tokyo, not London/Bishopgate, was its customer for purposes of the claimed loss, and that therefore the unauthorized instructions by London/Bishopgate were not those of a customer. However, the court disagreed with Morgan Stanley and affirmed the trial court's determination that no reasonable juror could conclude that London/Bishopgate was not a customer for purposes of the exclusion. In reaching this conclusion, the appellate court focused on four factors: (1) the agreements between Morgan Stanley and London/Bishopgate described London/Bishopgate as Morgan Stanley's customer; (2) London/Bishopgate was the only entity with authorized access to Morgan Stanley's customer communication system and customer authentication mechanism; (3) Morgan Stanley had no direct business relationship with First Tokyo; and (4) none of London/Bishopgate's clients, including First Tokyo, had access to or ever attempted to access London/Bishopgate's accounts with Morgan Stanley.82 In determining whether an entity is a customer for purposes of the customer exclusion to computer systems fraud coverage, other courts will likely follow the lead of the appellate court in the Morgan Stanley case and examine the agreements between the parties, the parties' course of conduct, and whether the entity at issue had authorized access to the insured's computer system and customer authentication mechanism.

79 See Agreements 8 and 9 of the Financial Institution Crime Policy For Banks And Savings Institutions (Aggregate Form), Standard Form No. FI 00 11 05 08 (ISO 2007), supra note 26, which expressly limit coverage for fraudulent transfer instructions to those instances where the individual giving the instruction is not the authorized person he or she purports to be. See also Morgan Stanley Dean Witter & Co. v. Chubb Group of Insurance Companies, et al., Docket No. L-2928-01, 2005 WL 3242234, *3 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (unpublished opinion) (holding that the subject telefacsimile agreement limited coverage "unambiguously to situations where an unauthorized person poses as a customer or other authorized person to issue the fraudulent transfer instruction…"). Although the court in Morgan Stanley held that coverage under the voice initiated transfer fraud agreement was not limited to instructions by imposters, that determination was based on policy specific language that differs from the language in Agreement 9 of the FICP and like agreements in most Cyber Crime Policies, which expressly limit coverage for voice initiated transfers to instructions originating from individuals who are not the authorized person they represent themselves to be.

80 See Exclusion 39 of the Financial Institution Crime Policy For Banks And Savings Institutions (Aggregate Form), Standard Form No. FI 00 11 05 08 (ISO 2007), supra note 26; see also Morgan Stanley Dean Witter & Co. v. Chubb Group of Insurance Companies, et al., Docket No. L-2928-01, 2005 WL 3242234, *3 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (unpublished opinion) (holding that exclusion q of the subject Computer Crime Policy clearly and unambiguously excluded coverage for fraud by customers or other authorized persons).

81 Docket No. L-2928-01, 2005 WL 3242234, *3 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (unpublished opinion).

E. Use of Consultants to Investigate the Claim

The use of technical consultants can be especially beneficial when investigating and evaluating a cyber crime claim. Computer systems and programs involve highly technical mechanisms and nuances beyond the general comprehension of most non-IT professionals. As such, the use of a technical consultant may be advisable, if not necessary, in order to determine the precise cause of the loss, the nature of the loss, and who caused the loss. Based on this, in many cases it may be prudent to consider the use of a technical consultant early on when investigating and evaluating a cyber crime claim.

82 Id. at *3-4.

VI. CONCLUSION

There are a number of converging developments that make cyber crime coverage an especially salient issue for fidelity claims adjusters and attorneys. Financial institutions and businesses increasingly store and rely on sensitive electronic data and conduct business by means of electronically transmitted instructions and communications. With this shift in the way business is conducted, there has been a dramatic growth in cyber crime, resulting in significant financial losses to banks, credit unions and businesses alike. As more of these companies seek to insure against the perils of cyber crime, the fidelity industry will undoubtedly experience an increase in the volume of cyber claims. At the same time, policy forms covering computer fraud are relatively new and have not been subject to significant interpretation by the courts. In the absence of more significant guidance from the courts, a proper investigation and evaluation of cyber claims should be guided by a firm understanding of the implicated agreements and exclusions, with a detailed focus on issues such as the nature of the loss, the cause of the loss, and the identity of who caused the loss.
