(Article from Insurance Law Alert, March 2017)
For more information, please visit the Insurance Law Alert Resource Center. A Georgia federal district court ruled that losses caused by fraudulent debit card transactions are not covered by a computer fraud provision. InComm Holdings, Inc. v. Great Am. Ins. Co., 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017).
InComm provides a service that allows customers to load funds onto prepaid debit cards issued by banks. Cardholders can purchase “chits” from retailers to add funds onto the cards. InComm processes such requests by using an Interactive Voice Response System (i.e., telephone) as well as Application Processing Servers (computer servers that process the requested transactions). A vulnerability in InComm’s processing center allowed cardholders to add credit to their debit cards in multiples of the amount actually purchased. Before InComm discovered this flaw, unauthorized redemptions caused InComm to transmit more than $11 million to various debit card issuers. InComm sought coverage from Great American for these losses, which the insurer denied. In ensuing coverage litigation, the court agreed with Great American that the policy’s computer fraud provision does not encompass the losses at issue.
The computer fraud provision covers losses “resulting directly from the use of any computer to fraudulently cause a transfer” of money, securities or other property. The court found that the underlying transfers were not caused by “use of a computer” because they were caused directly by the automated telephone system. Although a computer processing system was also involved in the transactions, the court deemed that involvement insufficient to constitute use of a computer. The court stated: “A person ‘uses’ a computer where he takes, holds or employs it to accomplish something. That a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision.” Additionally, the court held that even if a computer was used, the losses did not “result directly” from computer use because they “occurred only after InComm wired money to [a bank], after the cardholder used his card to pay for a transaction, and after [the bank] paid the seller for the cardholder’s transaction.” In so ruling, the court relied on
Apache Corp. v. Great American Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016), in which the court, considering an identical computer fraud provision, denied coverage for wire transfers made at the direction of fraudulent emails.