(Article from Insurance Law Alert, March 2021)
For more information, please visit the Insurance Law Alert Resource Center.
A Texas federal district court granted insurers’ summary judgment motion, ruling that losses incurred through a phishing scheme were not covered by commercial crime policies because the policyholder did not have ownership of the lost funds. RealPage Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2021 WL 718366 (N.D. Tex. Feb. 24, 2021).
RealPage provides online rent collection services for property managers and owners. RealPage contracted with Stripe, a software company, to facilitate its payment-processing services. Under the contract, Stripe processed payments from renters through its bank account before forwarding those payments to RealPage’s clients. Any fees owed to RealPage were transferred in a separate transaction.
In May 2018, criminals used a targeted phishing scheme to access the Stripe dashboard and alter fund disbursement instructions. Through the scheme, the criminals diverted more than $10 million that was owed to RealPage’s clients. Less than $4 million was recovered. RealPage ultimately reimbursed its clients for the unrecovered lost funds and then sought coverage under Computer Fraud and Funds Transfer Fraud provisions. The insurers denied coverage.
The policies expressly limited coverage to property “that you own or lease” or “that you hold for others whether or not you are legally liable for the loss of such property.” The court held that that there was no coverage because RealPage did not “hold” the lost funds. The court reasoned that “hold” requires “possession” and does not encompass the mere “ability to direct property.” Applying this definition, the court concluded that RealPage did not hold the client funds because those funds remained in Stripe’s bank account until they were diverted to the criminals’ accounts. While RealPage had authority to direct the transfer of funds, it had no rights to the funds and could not withdraw any funds. The court concluded that “[u]nder these circumstances, RealPage did not possess the funds in any manner; thus, RealPage did not hold the funds.”
The court also rejected RealPage’s assertion that Stripe served as its agent, noting that the facts did not support such a finding and that the contract expressly disclaimed an agency relationship. Finally, the court ruled that because RealPage did not “hold” the funds, it did not sustain a “direct loss” as required by the Computer Fraud and Funds Transfer Fraud provisions.