Know What’s Covered: Cyber Insurance Coverage Turns On Specific Policy Language

In an unpublished opinion issued by the Eleventh Circuit in Interactive Communications International, Inc. v. Great American Ins. Co. (No. 17-11712, filed 5/10/18), the appellate court found that where an insurance policy covers a loss that “results directly” from a computer fraud, the loss will not be covered where there is a sequence of events between the fraud and the cognizable harm to the insured such that the loss is not immediate or concurrent.

Great American issued a “Computer Fraud” policy to International, Inc. and HI Technology Corp. (collectively “InComm”). InComm sells “chits” to consumers at retailers such as CVS or Walgreens which can then be redeemed by phone for specific monetary value and loaded onto debit cards. Between 2013 and 2014, fraudsters manipulated a glitch in InComm’s computerized telephone redemption system, enabling multiple redemptions of a single chit. This scheme resulted in the processing of 25,553 fraudulent redemptions over 1,988 individual chits, and caused InComm to suffer monetary losses in the amount of $11.4 million.

The insurance policy at issue in the case protected InComm from “Computer Fraud” and provided coverage for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises; (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.” InComm sought coverage from Great American for its losses under those terms of the insurance policy.

Great American moved for summary judgment which the district court granted on the basis the fraud against InComm was not accomplished through the use of a computer within the meaning of the insurance policy and that InComm’s loss did not result directly from the use of the computerized phone system. On appeal, the Court disagreed with the district court’s finding that InComm’s loss did not result directly from the use of its computerized phone system. Applying a plain meaning of the term “use,” the Court determined that the fraudsters interacted directly with the phone system to engage in the duplicative chit redemption – that is, the fraud against InComm was perpetrated through the use of a computer within the terms of the insurance policy.

But the Court also agreed with the district court finding that InComm’s loss did not result “directly” from that phone system use. Applying an ordinary meaning of the term “resulting directly from,” one act or occurrence must flow directly from another “[following] straightaway, immediately, and without any intervention or interruption.” Here, the scheme set into motion a chain of events that ultimately led to InComm’s loss, but did not immediately cause that loss. Rather several steps had to occur between the redemption of a chit and InComm’s eventual loss of funds as a result of said redemption. Because of that sequence of events, the Court found InComm’s loss was temporally remote enough from the original fraud such that it did not result “directly.”

While the opinion may be unpublished and issued by the Eleventh Circuit, the case is of note as a potential harbinger of future case law in the area of cyber insurance and courts’ interpretation of insurance policies relating to hacking and other cyber-crimes. In those cases, coverage will turn on specific policy language. Businesses need to both assess the potential cyber and fraud risks to their particular business as well as know exactly what their policies say.

This document is intended to provide you with information about insurance law related developments. The contents of this document are not intended to provide specific legal advice. This communication may be considered advertising in some jurisdictions.

May 16, 2018