California Appellate Court Rules That Email Impersonation Scheme Did Not Result In “Direct Financial Loss” Under Cyber Policy (Insurance Law Alert)

06.27.24

(Article from Insurance Law Alert, June 2024)

For more information, please visit the Insurance Law Alert Resource Center.

Holding

A California appellate court ruled that an insured did not allege a “direct financial loss” and was therefore not entitled to coverage under a provision in a cybersecurity policy that required such loss. Door Sys., Inc. v. CFC Underwriting Ltd., 2024 Cal. App. Unpub. LEXIS 3441 (Cal. Ct. App. June 3, 2024).

Background

A hacker, impersonating the president of Door Systems, sent an email to a client of the company providing new wire transfer instructions. The client followed those instructions and sent $395,000 for goods purchased to the hacker, believing it was sending the funds to Door Systems. After the fraud was discovered, Door Systems recovered approximately $160,000 and sought coverage for the balance from its insurer.

The insurer denied the claim under the policy’s “Corporate Identity Theft” coverage, which had a $250,000 limit, but accepted the claim under the “Push Payment Fraud” coverage, which had a $50,000 limit.

Door Systems filed suit, alleging that the insurer breached the contract and the covenant of good faith and fair dealing by refusing to provide coverage under the Corporate Identity Theft provision. That provision covered “loss . . . arising as a direct result of the fraudulent use or misuse of your electronic identity.” The policy defined “loss” as “any direct financial loss sustained by the company.” The insurer argued that there was no requisite loss because the client, rather than Door Systems, was the victim of the scam. After two amended complaints were filed, the trial court ultimately sustained the demurrer and the appellate court affirmed.

Decision

Door Systems argued that it suffered a direct financial loss as a result of the scam because it shipped $395,000 of goods to the client and therefore had “a direct pecuniary interest in this $395,000.00 that was categorized as an asset of [the insured] in the form of accounts receivable.” It further contended that it would be unable to recover the shortfall from the client in light of the “imposter rule,” as codified in Sections 3404 and 3406 of California’s Commercial Code. Under the imposter rule, a payor who is induced to forward money to an imposter who is impersonating the payee and exercises reasonable care in doing so may be relieved of its obligation to pay the rightful payee.

Rejecting these assertions, the appellate court ruled that the imposter rule did not apply to the case at bar. The court explained that Section 3404 applies only to “negotiable instruments,” and not to “money” or “payment orders.” Because the court deemed a wire transfer to constitute a payment order, it held that the imposter rule did not apply so as to prevent the insured from recovering the lost funds from the client.

Further, the court noted that because the imposter rule was inapplicable, the complaint failed to state a claim for breach of the insurance policy. As the court explained, the client was still contractually obligated to pay its remaining debt ($235,000) to the insured, notwithstanding its unwitting payment to a fraudulent account. As such, there was no direct financial loss to the insured as a result of the scam.

Finally, while the court agreed with the insurer that coverage was unavailable under the Corporate Identity Theft provision based on the absence of direct financial loss to the insured, it rejected the insurer’s contention that a finding of coverage under the Corporate Identity Theft provision would render the Push Payment Fraud provision superfluous. The court noted that an event may trigger coverage under more than one provision without rendering a provision superfluous.

Comments

A New Jersey court, faced with a similar scenario, also ruled that there was no coverage for losses arising out of a client’s payment to a hacker’s account. See Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017). And along similar lines, courts have denied claims for coverage where the factual record indicated that the policyholder never “held” or had ownership of the funds at issue, as required by the applicable policy. See RealPage Inc. v. Nat’l Union Fire Ins. Co., 2021 U.S. App. LEXIS 37962 (5th Cir. 2021).