06.13.2018 | Articles

Cybersecurity & Data Privacy Insider Vol. 1

Recent Connecticut Decisions Shaping Coverage and Exclusions in Crime Policies

Claims arising from cybersecurity, fraud and data breaches continue to rise and present unique challenges to insureds and insurers.  In this installment of Hassett & Donnelly’s Cybersecurity & Data Privacy Insider, we will address recent case law shaping this emerging area of litigation and analyze issues facing insurers offering specialty policies to fulfill the increasing need for cybersecurity coverage.

Cybersecurity and data and privacy security cases, as well as the insurance coverage issues raised by the advent of specialty cyber risk policies, represent what seems to be one of few areas of law without the limitation of historical precedent. These areas of law represent the “Wild West” of modern litigation and only a handful of cases help interpret the definitions of certain terms used in such policies. The 2010 Connecticut Superior Court decision in Owens, Schine & Nicola, P.C. v. Travelers Cas. and Sur. Co. of Am. serves as the perfect representation of such issues. Owens, Schine & Nicola, P.C. v. Travelers Cas. and Sur. Co. of Am. (Owens I), 50 Conn.L.Rptr. 665, 2010 WL 4226958 (Conn. Super. Ct. 20 Sept. 2010), vacated, 2012 WL 12246940 (Conn. Super. Ct. 18 Apr. 2012).

Owens I and Owens II Address “Computer Fraud” and Exclusions

The Owens I decision addressed whether a Connecticut law firm was entitled to first party coverage under the “Crime Policy” issued by the defendant; the Court denied the defendant’s Motion for Summary Judgment. The plaintiff sought coverage under the Crime Policy after it instructed its bank to wire funds to a purported client in South Korea for whom it had collected a debt. The debt was paid by the debtor to the plaintiff law firm via a Wachovia Bank “Official Check” and such amount was deposited into the plaintiff’s IOLTA trustee account. The Wachovia check was later determined to be fraudulent and was not honored by Wachovia; the plaintiff’s bank debited the amount from the IOLTA trustee account.

The series of events first began on September 5, 2008 when the plaintiff law firm was contacted through email by an individual claiming to be an attorney in North Carolina. The email requested the plaintiff’s assistance in a collections matter. On September 9, 2008, the plaintiff was contacted through email by the purported client pursuing the collections matter, which conveyed that the client was owed money from a Connecticut company. A scanned, executed retainer agreement was emailed by the purported client to the plaintiff on September 17, 2008. Thereafter, on September 22, 2008, the purported client notified the plaintiff that the debtor company sent funds to satisfy the debt directly to the plaintiff law firm and that said funds should arrive on September 23, 2008. The Wachovia Bank “Official Check” in the amount of $197,110.00 was received on September 23, 2008 and was deposited in the IOLTA trustee account at Chase Bank. On September 24, 2008, the plaintiff law firm instructed Chase Bank to wire the amount from the IOLTA trustee account to an account in South Korea in accordance with another email from the purported client. Approximately seventeen emails were exchanged between the plaintiff law firm and the purported client between September 9, 2008 and September 24, 2008 when the plaintiff completed and confirmed the wire transfer. Wachovia refused to honor the “Official Check” once it was deemed fraudulent and the plaintiff sought coverage under the Crime Policy issued by the defendant. The defendant disclaimed coverage on the following grounds: 1) the claim did not constitute Computer Fraud because in order for there to be a Computer Fraud the transfer must occur as a result of a computer “hacking” incident, such as the manipulation of numbers or events through the use of a computer; 2) even if a “hacking” incident had occurred, the plaintiff did not suffer a direct loss caused by that incident; and 3) coverage was excluded under Exclusions F and R.

The Crime Policy provided the following with regard to the coverage provided thereunder:

We will pay you for your direct loss of, or your direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.

The Crime Policy defined “Computer Fraud” to mean:

The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Banking Premises:

  1. to a person (other than a Messenger) outside the Premises or Banking Premises; or
  2. to a place outside the Premises or Banking Premises.

The Crime Policy also included two Exclusions relied upon by the defendant, which state in relevant part:

This crime policy does not cover…:

  1. Loss resulting directly or indirectly from your acceptance of money orders or Counterfeit Money, unless covered under Insuring Agreements A.1, A.2, A.3, or E.
  2. Loss resulting directly or indirectly from the giving or surrendering of Money, Securities or Other Property in exchange or purchase, whether or not fraudulent, with any party not in collusion with an Employee, except when covered under Insuring Agreement E.

Counterfeit money was defined in the Crime Policy as “an imitation of money that is intended to deceive and to be taken as genuine.” Money was defined as “a medium of exchange in current use and authorized or adopted by a domestic or foreign government, including currency, coins, bank notes, bullion, travelers checks, registered checks and money orders held for sale to the public.”

The defendant first argued that a Computer Fraud did not occur because a computer must have been used to cause the transfer of money and must be the direct cause of the loss, which requirements were not satisfied because the plaintiff contacted Chase Bank in person, by telephone and in writing to direct the wire transfer and, thus, the use of a computer did not cause the transfer of money. The Owens I Court rejected the defendant’s position and held that the phrase “use of any computer” in the insuring agreement of the Crime Policy was ambiguous as to the amount of computer usage necessary to constitute Computer Fraud and the ambiguity must be resolved in favor of the insured. The Court also stated that “A ‘computer hacking incident’ is not required, and the court in Brightpoint, Inc. v. Zurich American Insurance Company, did not impose such a requirement.” Brightpoint, Inc. v. Zurich American Insurance Company (Brightpoint), No. 1:04-CV-2085-SEB-JPG, 2006 WL 693377 (S.D.Ind. 10 March 2006).

Court Rejects Crime Policy’s Direct Causation Requirement

The Court similarly rejected the defendant’s argument that direct causation in a crime policy or fidelity requires more than “but for” or proximate causation and, instead, requires a “direct” causation. Relying on Brightpoint, the defendant argued that the alleged loss was caused by the plaintiff’s own initiative to wire funds after receipt of the check, and the receipt of the check constituted an intervening cause between the emails and the transfer of money. The defendant argued that to find that Computer Fraud caused the plaintiff’s loss because the plaintiff and the purported client communicated by email would distort the terms of the Crime Policy. The Court rejected the defendant’s argument and held that “[t]he direct causation requirement in a crime policy in Connecticut is synonymous with proximate cause.” The Court denied summary judgment because it found that the use of a computer to send emails proximately caused the plaintiff’s loss.

The Owens I Court also rejected the defendant’s argument that coverage was excluded under the Crime Policy and found that the check did not constitute a money order or “Counterfeit Money” as was argued by the defendant. Thus, coverage was not excluded under Exclusion F. Moreover, the Court found the Crime Policy ambiguous as to whether Money or Securities were given or exchanged in any exchange or purchase and, therefore, the Crime Policy was interpreted in favor of coverage. Based upon the foregoing analysis, the Court denied the defendant’s Motion for Summary Judgment on September 20, 2010.

The Owens case was scheduled to begin trial on February 10, 2011. The parties entered into an agreement to withdraw the second count of the complaint alleging bad faith, since determination of that count involved questions of fact to be determined by a jury, and, instead, submitted count one to be decided by the Court as a matter of law by way of additional motions. The parties filed Cross Motions for Summary Judgment, which were decided by the Court on June 24, 2011. Owens, Schine & Nicola, P.C. v. Travelers Cas. and Sur. Co. of Am. (Owens II), 52 Conn.L.Rptr. 236, 2011 WL 3200296 (Conn. Super. Ct. 24 June 2011), vacated, 2012 WL 12246940 (Conn. Super. Ct. 18 Apr. 2012). The Owens II Court relied on the doctrine of the “Law of the Case” to deny the defendant’s second Motion for Summary Judgment and grant the plaintiff’s Motion for Summary Judgment. The Court reasoned that “[t]he defendant, however, in its second motion for summary judgment, has not argued anything new on these issues, nor has the defendant shown how the prior decision was clearly erroneous or that adhering to that decision would work a manifest injustice.” The Court held “the present claims are not distinct from the previous ones, and the defendant has failed to bring to the court’s attention any new evidence, clarification of the law or overriding circumstance that would persuade the court that the earlier decision was wrongly decided.” Ultimately, the Court vacated the Owens I and Owens II decisions on April 18, 2012 by stipulation of the parties. The matter concluded shortly thereafter when a Withdrawal of Action was filed on the docket.

Decisions from across the country that were released after the decisions in Owens I and Owens II, which address similar issues, call into question the Court’s reasoning and the manner in which the Crime Policy was interpreted. One has to wonder whether the Court would have reached the same result in Owens I had decisions such as Pestmaster I, Apache, InComm, and American Tooling been available at the time.[1]

As demonstrated in the conflicting case law above, litigation arising from cybersecurity claims continues to challenge the courts and highlight potential areas of vulnerability for insureds and insurers offering coverage. In future installments of Cybersecurity & Data Privacy Insider, we will analyze the decisions in Pestmaster I, Apache, InComm, and American Tooling and continue to provide legal updates as decisions are released in the coming months.

 

[1] See Pestmaster Services, Inc. v. Travelers Cas. and Sur. Co. of Am. (Pestmaster II), No. 14-56294, 656 Fed.Appx. 332, 2016 WL 4056068 (9th Cir. 29 July 2016), aff’g Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039-JFW, 2014 WL 3844627 (C.D. Cal. 17 July 2014) (“Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a “General Fraud” Policy…we believe protection against all fraud is not what was intended by this provision, and not what Pestmaster could reasonably have expected this provision to cover.”); see also Apache Corp. v. Great American Ins. Co. (Apache), No. 15-20499, 662 Fed.Appx. 252 (5th Cir. 18 Oct. 2016) (“The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud.”); InComm Holdings, Inc. v. Great American Ins. Co. (InComm), No. 1:15-cv-2671-WSD, 2017 WL 1021749 (N.D. Ga. 16 Mar. 2017) (“That a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision, which limits coverage to ‘computer fraud.’”); American Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am. (American Tooling), No. 16-12108, 2017 WL 3263356 (E.D. Mich. 01 Aug. 2017) (“Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.’ There was no infiltration or ‘hacking’ of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails…‘Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”).

 

Share this article
Share this article