The Continuing Evolution of Crime Policies and Backpedaling of Circuit Courts in 2018
Federal Circuit Court decisions issued in 2018 have disturbed what appeared to have been a trend toward the status quo in coverage cases involving crime policies. Cybersecurity & Data Privacy Insider Vol. 2 left off discussing the August 2017 decision in American Tooling I issued by the United States District Court for the Eastern District of Michigan, Southern Division. The American Tooling I Court followed the trend of rejecting an insured’s complex or expert-analyzed definition of computer fraud and, instead, held that it would not convert the crime policy into a general fraud policy. Less than one year later, the Sixth Circuit Court of Appeals issued its decision in American Tooling II reversing the District Court’s decision and remanding for further consideration. American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am. (American Tooling II), 895 F.3d 455 (6th Cir., 2018).
Computer Fraud Not Just “Hacking”
The Sixth Circuit distinguished the facts at issue in American Tooling from the facts of Pestmaster II, a decision issued by the Ninth Circuit. Most significantly, the American Tooling II Court noted that Pestmaster II involved a case where the insured hired another company to perform payroll services and, in that role, pay taxes on its behalf. Money was properly transferred to the company pursuant to the agreement, and the other company simply failed to pay the taxes. The American Tooling II Court noted that “[t]he fraud occurred when Priority 1 failed to pay the taxes and kept the money instead.” In contrast, American Tooling transferred money to a criminal impersonator who sent fraudulent emails using a computer and “these emails fraudulently caused [American Tooling] to transfer the money to the impersonator.” In three short sentences, the Court rejected the position of the District Court that finding coverage would convert the policy to a general fraud policy, stating:
Travelers’ attempt to limit the definition of “Computer Fraud” to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded. If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so. . . Because Travelers did not do so, the third party’s fraudulent scheme in this case constitutes “Computer Fraud” per the Policy’s definition.
Importance of Well-Crafted Exclusions
In contrast, the Ninth Circuit Court of Appeals issued a decision in 2018 affirming the decision of the United States District Court for the Western District of Washington granting summary judgment in favor of the insurer when the crime policy at issue contained an exclusion that “unambiguously provides that the policy ‘will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System…’” Aqua Star (USA) Corp. v. Travelers Cas. and Sur. Co. of Am. (Aqua Star II), 719 Fed.Appx. 701, 702 (9th Cir., 2018).
The lesson from the April 2018 Aqua Star II decision appears to be that, in the unsettled climate of cybersecurity and the advent of new policy language to address these emerging issues, a well-crafted exclusion can clarify the boundaries of coverage afforded by the policy and clearly signal the insurer’s interpretation of the purpose and scope of coverage to its insured and the Court. Note, however, that the same exclusion was deemed ambiguous and interpreted in favor of the insured in American Tooling II when the policy definitions of Electronic Data and Computer Systems were broader than the layman’s understanding of such terms. A footnote in American Tooling II noted that other policies had a narrower definition of computer fraud. As such, narrower definitions may be clearer and more favorable to insurers.