Publications

(Article from Insurance Law Alert, July/August 2015)

For more information, please visit the Insurance Law Alert Resource Center.

The New York Court of Appeals ruled that coverage for the “fraudulent entry” of data is limited to losses caused by unauthorized access into the policyholder’s computer system and does not encompass losses caused by an authorized user’s entry of such information into the system.  Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 2015 WL 3885816 (N.Y. June 25, 2015).

National Union issued a policy to Universal, a health care company, that covered losses “resulting directly from a fraudulent . . . entry of Electronic Data or Computer Program into . . . the Insured’s proprietary Computer System.”  When Universal discovered $18 million in losses from the payment of fraudulent claims, it sought indemnification from National Union.  National Union denied coverage on the ground that the policy did not provide coverage for fraudulent claims entered into Universal’s computer system by authorized users. 

A New York trial court agreed, ruling that the provision unambiguously provided coverage only “for an unauthorized entry into the computer system by a hacker or through a computer virus.”  The appellate court modified and affirmed the ruling, holding that the policy covered losses from “wrongful acts in the manipulation of the computer system” but did not cover losses from fraudulent content entered by authorized users, as was the case here.  The New York Court of Appeals affirmed, reasoning that the term “fraudulent” modified the word “entry,” and that the policy therefore covered only losses from improper entry or access into the computer system (i.e., hacking), but not losses caused by the submission of fraudulent content by authorized users.  The decision illustrates the importance of policy language in this context, as the court expressly distinguished cases involving broader policy language, including explicit definitions of “computer fraud.”