(Article from Insurance Law Alert, May 2019)
For more information, please visit the Insurance Law Alert Resource Center.
A New Jersey federal district court granted part of an insurer’s motion to dismiss claims arising out of a denial of coverage for cyber fraud losses under a crime protection policy. Children’s Place, Inc. v. Great American Ins. Co., 2019 WL 1857118 (D.N.J. Apr. 25, 2019).
The Children’s Place, Inc. (“TCP”) discovered two payments totaling nearly $1 million made to an unauthorized third-party hacker. According to the complaint, the hacker allegedly falsified email domain names to appear identical to those of individuals employed by a vendor of TCP. Additionally, the hacker allegedly intercepted emails between TCP and the vendor and altered payment instructions in order to direct payments to the hacker’s account. TCP sought coverage under three provisions of a crime protection policy: (1) Computer Fraud; (2) Forgery or Alteration; and (3) Fraudulently Induced Transfers. The insurer denied coverage and, in ensuing litigation, moved to dismiss TCP’s breach of contract and declaratory judgment claims.
The court refused to dismiss the claims for coverage under the Computer Fraud provision, finding that the complaint alleged facts sufficient to state a claim for relief. The policy defines Computer Fraud as “the use of any computer . . . to gain direct access to [TCP’s] computer system.” The court held that a viable claim for Computer Fraud coverage existed because the complaint alleged that the hacker accessed the vendor’s email system and intercepted emails between TCP and the vendor. The insurer argued that a valid claim was not alleged because the complaint alleged access to the vendor’s emails, not TCP’s computer system. Rejecting this argument, the court reasoned that by improperly accessing the vendor’s email system, the hackers effectively gained access to TCP’s computers as well, noting that “an email system that does not send the messages to the intended recipient is no longer under the control of the sender.” The court also rejected the insurer’s causation argument (i.e., that the loss of funds was caused by the actions of TCP employees in effectuating the transfer rather than the hacker’s computer fraud). The court explained that at the dismissal stage, it was obligated to accept as true TCP’s allegation that loss was a “direct result” of the hacker’s access to the computer system.
However, the court granted the insurer’s motion to dismiss claims seeking coverage under the Forgery or Alteration and the Fraudulently Induced Transfers provisions. The policy defines Forgery or Alteration as “loss resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money.” The court noted that the complaint failed to allege that any forged materials referenced “a sum certain in money.”
In dismissing the claims seeking coverage under the Fraudulently Induced Transfers provision, the court explained that TCP had failed to allege that it verified the authenticity and accuracy of the payment instructions, a condition precedent to coverage. The court granted leave to amend these claims within thirty days.
Approximately a dozen courts have addressed coverage for cyber-related losses presented under similar Computer Fraud provisions. Many of those cases arose out of a wire transfer initiated by a fraudulent email sent by third-party hackers impersonating a bank, vendor or other entity with whom the policyholder regularly communicates. Outcomes have turned largely on courts’ interpretation of the terms “use” (as in “use of a computer”) and “directly” (as in whether there is causation between the fraudulent activity and the policyholder’s loss) as applied to the facts at issue. In some cases, the determinative issue was whether there was “unauthorized entry” into the policyholder’s computer system, a requirement that has been deemed unfulfilled where the policyholder’s employees effectuated a transfer (even if at the instruction of a hacker/impersonator).