(Article from Insurance Law Alert, May 2018)
For more information, please visit the Insurance Law Alert Resource Center.
The Eleventh Circuit ruled that a computer fraud policy does not cover losses caused by fraudulent debit card transactions because the losses did not “result directly” from computer fraud. Interactive Communications International, Inc. v. Great Am. Ins. Co., 2018 WL 2149769 (11th Cir. May 10, 2018).
Interactive Communications International (“InComm”) provides a service that allows the loading of funds onto prepaid debit cards issued by banks. Cardholders can purchase “chits” from retailers to add prepaid funds onto the cards. InComm processes telephonic requests by using an interactive voice response system. A vulnerability in InComm’s computer processing center allowed fraudsters to add credit to their debit cards in multiples of the amount actually purchased. Before InComm discovered this flaw, InComm transmitted more than $11 million to various debit card issuers. InComm sought coverage for these losses under a computer fraud policy issued by Great American, which the insurer denied.
A Georgia district court ruled that the computer fraud policy, which covers losses “resulting directly from the use of any computer to fraudulently cause a transfer” of money, securities or other property, did not encompass the losses at issue. See March 2017 Alert. The district court reasoned that that the underlying transfers were not caused by “use of a computer” because they resulted from manipulation of the automated telephone system. Although a computer processing system was also involved in the transactions, the court deemed that involvement insufficient to constitute use of a computer. Additionally, the court held that even if a computer was used, the losses did not “result directly” from computer use because there were intervening steps between the computer fraud and the losses.
The Eleventh Circuit disagreed with the district court as to the “use of a computer” ruling, finding that the perpetrators’ actions – which involved manipulation of both the telephone and computer systems – constituted use of a computer. However, the Eleventh Circuit affirmed the district court’s ruling that the fraud did not “result directly” from use of a computer. Rejecting InComm’s assertion that “resulting directly” requires only proximate causation, the court held that under Georgia law, “directly” requires a consequence that follows “straightaway, immediately, and without intervention or interruption.” The court concluded that this standard was not met based on the time lapse and intervening steps between the computer fraud and the loss, including the transfer of funds onto the debit cardholders’ accounts and the purchase of goods by a debit cardholder. InComm argued that the loss was immediate because it occurred at the moment the funds were transferred to the debit cardholders’ accounts. The court disagreed, noting that InComm retained some control over the funds at that point and could have prevented the loss by stopping distribution of the money from the account to the merchants. Instead, the court explained, the loss occurred when funds were actually disbursed to the merchants for purchases made by cardholders because at that point, InComm could not recover the funds.