Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe


Vol. 5, Iss. 8
July 27, 2016

Cyber Claim: Insured Coughs Up Hacking Coverage

 

Aqua Star (USA) Corp. v. Travelers Casualty and Surety Co., No. C14-1368 (W.D. Wash. July 8, 2016) does not involve a cyber policy. But it involves a cyber claim -- hacking. And it demonstrates how unique such claims can be – in terms of both facts and especially policy language. These are not pollution exclusion claims folks. Coincidentally, as this issue was being finalized, I learned of another decision involving coverage for a hacking incident.

At issue in Aqua Star is coverage for a hacking incident that led to a serious financial loss. A hacker, disguising itself as a vendor of Aqua Star, by using a spoofed e-mail domain similar to the vendor’s real one, instructed Aqua Star to change bank account information for future wire transfers to the vendor. Aqua Star did so and was ultimately defrauded out of over $700,000.

Aqua Star was insured under a Crime policy issued by Travelers. It provided coverage for Computer Fraud: “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.”

The court, assuming that the loss was caused by Computer Fraud, turned to the potential applicability of an exclusion: The Policy “will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”

The court concluded that the exclusion applied. But how it got there was interesting.

The Treasury Manager for Aqua Star “saved the email with new wiring instructions, and entered the new bank account information in the Excel spreadsheet that she used to keep track of payments to Longwei [the vendor].” This was her convenient way to store payment details for each vendor, saving her from having to look them up every time she made a payment. She also included the spreadsheet in a packet given to Aqua Star management to approve payments to vendors. Aqua Star did not contend that she was an unauthorized user or that she did not input Electronic Data into Aqua Star’s Computer System.

Based on this procedure, the court saw it this way: “In this case, the entry of data into the Excel spreadsheet on Aqua Star’s Computer system was an indirect cause of Aqua Star’s loss. The fraudulent bank account information was entered in Aqua Star’s Computer System and used to prepare a packet of materials for approval of the payment by Aqua Star’s management. Entering this data into a spreadsheet was a necessary step prior to initiating any transfer. [The Treasury Manager] printed out a copy of the spreadsheet and included it in a package of documents that was presented to a member of Aqua Star’s management for approval of the payment. Even if management did not rely upon or even review the account number in the packet, however, [the Treasury Manager] also used the information she input into the spreadsheet to prepare and initiate the wire transfers. Therefore, the entry of Electronic Data into Aqua Star’s Computer System was an intermediate step in the chain of events that led Aqua Star to transfer funds to the hacker’s bank accounts. Because an indirect cause of the loss was the entry of Electronic Data into Aqua Star’s Computer System by someone with authority to enter the system, Exclusion G applies.” (emphasis added).

Aqua Star, as I’m sure most policyholders would, saw it much differently, making several arguments, all of which were rejected by the court for several reasons: (1) “Although entering data into a third party’s computer system may have been the final step that led to Aqua Star’s loss, necessary intermediate steps prior to the transfer involved entering Electronic Data into Aqua Star’s own Computer System;” (2) “Saving the bank information in the spreadsheet ‘was not materially different than writing the information on a sticky note or index card;’” and (3) The exclusion was intended to apply to computer fraud that was an inside job: “where a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or customer.”

As this issue of Coverage Opinions was being finalized, I learned of another decision involving coverage for a hacking incident: ABL Title Insurance Agency v. Maxum Indemnity Co., No. 15-7534 (D.N.J. June 30, 2016). Time is short. I’ll keep this brief.

ABL was the closing agent for a residential real estate sale. A hacker, using an email address similar to the seller’s attorney’s email address, sent an email to the buyer’s attorney, indicating that the sellers desired payment by wire transfer. As a result, ABL wired nearly $600,000 to the hacker. This caused ABL to have insufficient funds to cover disbursements for several real estate closings. As a result, lots of claims were made against ABL.

ABL sought coverage under a professional liability policy for a wrongful act in rendering professional services. At issue was the applicability of the exclusion for damages arising out of conversion. The court addressed the competing arguments of the parties but concluded that it was too early in the proceedings to make a “legal determination that the tort of conversion occurred.”


Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved