“Show Me the Money – Seriously, Because We Can’t Find It”

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

So what?

So, I randomly pulled a form cyberinsurance policy from my collection.  Guess which definition of “computer fraud” it mirrored?  It was nearly identical to the language in Universal American. It also clarified that the unauthorized “entry” (whether that means system access or data input) could not be by an authorized user.  Many companies purchasing cyberinsurance are concerned about fraudulent emails causing employees to do things that they shouldn’t.  Companies should not, however, assume that a cyber policy will contain this coverage.  Based on my scientifically unreliable sample set of one, there’s a good chance that, at least as a default, it doesn’t.