Remember the “good” ol’ days when the run-of-the-mill theft involved someone physically taking something tangible? That is so 20th century. Now, thieves and fraudsters are able to use computers
Interactive Communications International, Inc. v. Great American Insurance Co. involved a complex financial business model to begin with. The policyholder, InComm, operates a network that allows consumers to put money onto debit cards issued by banks. InComm—through retailers—sells “chits” that consumers redeem by calling InComm’s 1-800 number and entering their debit card number and chit PIN through InComm’s interactive voice response (IVR) system (which uses eight computers), at which point the chit value is added to the debit card. On the other side, under contracts with the banks that issue the debit cards, InComm transfers the redeemed chit amount to the bank, and the bank eventually pays the redeemed chit value to the end-seller of the goods/services the debit card holder purchases. Over a six-month span, fraudsters discovered and took advantage of a vulnerability in InComm’s IVR system—if multiple simultaneous calls were made to the IVR system, a single chit, which is supposed to be redeemable only once, could be redeemed multiple times. As a result of the scheme, InComm’s system processed more than 25,000 fraudulent chit redemptions to the tune of more than $11 million in losses.
InComm sought coverage under its crime policy’s computer fraud coverage. The policy provided that the insurer would pay for loss of money “resulting directly from the use of any computer to fraudulently cause a transfer of” the money. The insurer denied coverage. InComm filed suit, and the trial court ruled there is no coverage because (1) there was no “use” of a “computer” (the fraudsters used telephones), and (2) InComm’s losses did not result “directly” from the alleged computer use because the losses did not occur until after InComm wired the funds to the bank and the bank later transferred the funds to the end-seller.
On appeal, the Eleventh Circuit disagreed with the trial court that there was no “use” of a “computer” because, under broad dictionary definitions of the term “use,” the fraudsters “used” the IVR system computers when they called and manipulated the IVR system. The court reasoned that “the fraudsters interfaced directly with the IVR computer system to effectuate their duplicate redemptions.”
While that analysis could be helpful to policyholders in other claims, the Court still affirmed the no-coverage ruling on the basis of the “resulting directly” policy language. The court held that language requires that the loss follow the fraud “straightaway, immediately, and without any intervention or interruption.” The court then reasoned that this loss did not result “directly” because there were intervening steps between the fraud and the loss, including (1) InComm’s subsequent transfer of funds to the debit card-issuing bank, which did not happen immediately upon chit redemption; (2) each debit card holder’s purchase resulting in the transfer of funds from the bank to the end-merchant (and InComm’s continued control of the funds while held at that bank); and (3) the bank’s transfer of the funds to the merchant (which, the court determined, was when the loss actually occurred). The court noted that days, weeks, months, or even years could pass between the fraudulent chit redemption and the disbursement of funds to the end-merchant.
This is an unfortunate ruling for policyholders, and one which should have gone the other way. While the court appropriately construed the “use of any computer” language broadly in favor of coverage, it was too strict in interpreting the phrase “resulting directly.” This fraudulent scheme set in motion and directly caused InComm’s losses, just as it was designed to do. Once the fraudulent redemptions were made, the following “steps” through which the loss was incurred were a foregone conclusion; none of those steps materially broke or altered the chain of causation. For all intents and purposes, the loss took place at the time the chit was redeemed, when its value was added to the debit card.
This case is a reminder to corporate policyholders of the subtle but critical dangers that lurk in their policy language, particularly those relating to cyber risks. Not all policies are created equal. In this case, one word in the policy—“directly”—may have been the difference between coverage and not. Policies vary with respect to this type of causation language—some contain stricter language than others—that often appears both in the coverage grant and the exclusions. Companies should pay close attention to causation language in their policies and consider negotiating appropriate revisions at policy purchase or renewal.
We’ll continue to see more cases in which courts analyze coverage under crime policies for today’s complex, technology-facilitated fraudulent schemes. In fact, currently there are cases pending before both the Second Circuit (Medidata Solutions) and Sixth Circuit (American Tooling Center) involving claims under computer crime/fraud components of crime policies for losses resulting from email spoofing scams. This is a developing area that corporate risk professionals should keep a close eye on, as companies continue to face the risk of new types of theft.