Cyber Liability Insurance - Pitfalls in Coverage

Cyber criminals are always finding new and different ways to attack companies. Some of these methods involve directly hacking into systems to steal valuable data. Other times, though, cyber criminals attack from outside a company's system. How these attacks occur can prove vitally important to the issue of whether the company will have insurance coverage. As cyber liability insurance continues to evolve, it is more important than ever that a company understand all of the different risks it can face in the cyber arena and carefully consider the type of insurance coverage that it will obtain. Several recent cases illustrate the perils of not understanding the different methods of attack and the potential holes in coverage.

In InComm Holdings, Inc. v. Great Am. Ins. Co., a company was scammed out of $11 million dollars for which it was denied insurance coverage. InComm operates a debit card system. Essentially, consumers purchase debit card credits from retailers. The consumer then calls in a code on the phone to InComm's credit redemption system, which transfers the credits to the debit card. Cyber criminals figured out that they could cheat the system by calling InComm's credit redemption system on multiple phones at the same time thereby receiving multiple credits for the same code. In other words, the criminals paid for one code worth $10, but by calling to redeem the code on multiple phones at the same time they would actually receive $20 or $30 or $40 on their debit card. The scam was made possible due to a coding error in InComm's computer system. InComm sought coverage under its "computer fraud" insurance policy. The insurance company denied coverage on the grounds that while the defect was made possible because of a computer coding error, the scam itself was perpetrated through the phone system and not the computer system. Earlier this year, a federal court in Georgia ruled in favor of the insurance company and found that the "computer fraud" policy did not cover the loss, adopting the insurance company's argument that the scam was perpetrated through the phone and not the computer.

In another case recently filed in federal court in Washington state, Hartford Fire Insurance v. 3MD Inc., the insurance company again denied insurance coverage to a company that had cyber liability insurance. In that case, the company, 3MD, provides programming services to a variety of medical companies – creating programs and performing coding for those other companies. According to the lawsuit, an employee of 3MD hacked into the company's system and stole data, including data belonging to the companies for which 3MD provides service. 3MD sought to invoke its cyber insurance to cover the costs associated with the breach. The insurance company denied coverage on the grounds that 3MD's policy only covered breaches that occurred in relation to the services provided by 3MD for other companies. The insurance company asserted that the policy did not provide coverage for an internal breach of 3MD's own system by its own employee, even though the breach involved data of other companies. The court has not yet ruled on whether coverage is available.

Another recent hotbed of dispute relates to so-called "spoofing" scams. These are situations in which a cyber criminal sends an e-mail that appears to come from a company executive – e.g., the president, CEO, or CFO – that directs an employee – usually in the accounting department – to transfer funds to an account controlled by the criminal. These scams vary in sophistication and execution, and two recent cases illustrate that subtle variances could be the difference between whether the loss is covered by insurance.

In Medidata Solutions, Inc. v. Federal Insurance Company, a New York federal court last month found that the scam, which resulted in a loss of almost $5 million, WAS covered by insurance. In that case, a hacker sent a spoof e-mail appearing to come from the company president to the company's finance department stating that an attorney would be calling to provide the finance department with details regarding a deal. The criminal did then call the finance department claiming to be the attorney and directing the finance department to wire transfer $4.7 million to an account number he provided. The finance department stated that it would require a further confirmation from the president. Shortly thereafter, the hacker sent another spoof e-mail appearing to be from the president authorizing the transfer, and the transfer was made. The company sought coverage under its computer fraud insurance policy. The insurance company originally denied coverage, stating that the insurance policy only covered losses caused by entry of data into the company's computer system and that the spoof e-mail scam did not involve such entry of data into the system. The court rejected that argument and found that there was entry of data into the company's computer system. Specifically, the court found that the criminal entered data into the company's e-mail system and used computer coding to create the spoof e-mail.

Coming to the opposite result, a Michigan federal court in American Tooling Center vs. Travelers Casualty and Surety Company held that there WAS NOT coverage for an incident involving a spoof e-mail from a company vendor. In that case, the company received a fraudulent e-mail appearing to be from one of its vendors requesting payment in the amount of $800,000. The court noted that the policy required that the company suffer "direct loss" that was "directly caused" by the "use" of any computer. The Court found that although fraudulent emails were used to impersonate a vendor and dupe the company into transferring funds, such emails did not constitute the use of a computer to fraudulent cause a transfer, and that there was no infiltration or "hacking" of the company's computer system.

The above cases are just a few examples of the sorts of disputes that are now playing out on a regular basis to determine whether insurance coverage is available for losses associated with a "cyber breach." As illustrated by these cases, whether or not there is insurance coverage for a "cyber-related" loss can depend on very subtle differences in how the loss occurs and the specific language of the insurance policy. Failure to appreciate these subtle distinctions could result in substantial uncovered losses for a business, as was the case for several of the businesses in these cases. With regard to spoofing scams, these cases also serve as a reminder that it is vitally important to establish strict protocols for any transfer of funds – or, at minimum, making a phone call to confirm any extraordinary payment instruction. Cyber criminals are very sophisticated and can create very convincing e-mails and scenarios to extract fraudulent payments.