Keeping pace with technology and the courts

Thriving businesses embrace technology and all the potential it offers. Few businesses survive today without e-mail or social media. While the challenge for businesses is to keep pace with technology, the challenge for the insurance industry is to provide appropriate solutions to address computer crime loss exposures.

Commercial and government crime policies are designed to protect businesses and governmental entities against a variety of crime-related perils including employee theft, forgery, burglary, robbery, and computer fraud. In particular, the computer fraud coverage insures against loss of property resulting from a hacker intrusion into a computer system. These types of attacks and fraudulent schemes perpetrated with the use of computers are clearly on the increase.

As the modes of the attacks change, courts are weighing in with varying interpretations of the computer fraud coverage found in commercial and government crime policies. Among them are Brightpoint, Inc. v. Zurich Am. Ins., Co.,2006 WL 69337 (U.S.D.C. Ind. 2006); Owens, Schine & Nicola, P. C. v. Travelers Cas. And Sur. Co.,2010 WL 4226958 (Sup. Ct. Conn. 2010); and Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012).

In the Brightpoint case, the U.S. District Court for the Southern District of Indiana ruled in favor of the defendant, Zurich American Insurance. Brightpoint had been ordering pre-paid phone cards from a distributor for dealers who had previously presented Brightpoint with faxed purchase orders, along with faxed guarantees and post-dated checks, and then delivered the cards upon receipt of the originals. Brightpoint suffered a loss after surrendering phone cards valued at approximately $1.5 million to an impostor posing as a dealer who paid Brightpoint with a fraudulent check. The insurer prevailed by successfully arguing that the initial fax received by Brightpoint did not directly trigger the loss to Brightpoint, holding that the direct trigger was the fraudulent check handed to a Brightpoint employee, which was not a covered cause of loss under the policy’s Computer Fraud Insuring Agreement.

In Owens, Schine the court held that the law firm was entitled to coverage when fraudulent e-mails it received prompting its actions were determined to be the proximate cause of loss. The insured law firm agreed to collect a debt in response to an e-mail it received from a foreign entity. Owens received a check from the purported debtor in the amount of $198,610 and deposited it into its trust account. The next day the law firm wired the money to the purported client and suffered a loss when its bank advised the firm that the debtor’s check had not cleared. The insurer denied the claim on the grounds that the fraudulent e-mails received by Owens from the purported client were not the direct cause of loss. The Connecticut Superior Court disagreed and held that the e-mails did directly cause the loss and that there was coverage under the computer fraud coverage of the law firm’s commercial crime policy.

Finally, in Retail Ventures, the court held that expenses such as the cost of providing information to consumers, media, and government investigators incurred by Retail Ventures’ Designer Shoe Warehouse subsidiary (popularly known as “DSW Shoes”) as a result of a data breach were covered Under its commercial crime policy. The court upheld the district court’s conclusions; among the reasons was that the customer information stolen from DSW Shoes was not proprietary or confidential information as those terms were used within the policy’s Confidential Information exclusion.

ISO introduced updates to its commercial and government crime policies to address these and other court decisions— and to modernize the computer fraud coverage—by:

• Covering loss resulting directly from fraudulent entry or fraudulent change of electronic data or computer programs within the insured’s computer system, which also includes mobile devices. However, incidental use of the computer to perpetrate fraudulent schemes, as occurred in the Brightpoint and Owens, Schine cases, is not intended to fall within the scope of this coverage.

• Introducing a data security breach exclusion in response to the Retail Ventures case. Coverage for data security breaches is more appropriately provided through specifically designed cyber-liability policies, such as the ISO E-Commerce program.

ISO also introduced a data security breach exclusion to its Financial Institution Crime policies in response to the Retail Ventures decision.

The ink has yet to dry on the new policy language—and even now, newer computer-related exposures are looming. For example, losses arising through the use of cryptocurrency (the most commonly known is Bitcoins), an intangible and virtually unregulated currency, may become the new exposures that will continue to challenge the industry to develop appropriate coverage solutions. ISO monitors such emerging issues and will seek to keep its insurance programs responsive and cutting-edge.

The authors

Robert Olausen is manager and Kevin Donohue is insurance lines consultant, Specialty Commercial Lines at ISO, a member of Verisk Insurance Solutions Group at Verisk Analytics (Nasdaq:VRSK).