Win for Insurance Industry in Computer Fraud Coverage Ruling

Computers are involved at some point in almost every business transaction—that is the reality of life in the digital age. The implications of that fact are still being worked out with respect to the interpretation of insurance contract computer fraud provisions. This month, a judge in the Northern District of Georgia issued a narrow reading, handing the insurance company an important victory.

InComm is a debit card processing company that allows consumers to purchase credits, referred to as “chits,” which can be loaded onto a debit card. From November 2013 through May 2014, a system vulnerability allowed consumers to redeem a single chit multiple times, thereby receiving more than the value they had purchased. In total, InComm processed more than 25,000 unauthorized redemptions, mistakenly transmitting more than $11 million to various debit card issuers.

Once InComm discovered the losses, it sought coverage from its insurer, Great American Insurance Company (“GAIC”). Citing to the policy’s computer fraud provision, GAIC denied and InComm responded by filing suit for breach of contract and bad faith and seeking a declaration of coverage.

The relevant computer fraud provision stated: “[GAIC] will pay for loss of, and loss from damage to, money, securities, and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”

In the case of InComm, the company’s redemption program allowed cardholders to conduct debit card activity by dialing in by phone and using either voice or touchtone commands to claim chits. Therefore, the unauthorized transactions at issue (conducted by sophisticated identity theft perpetrators) were accomplished using a phone, not a computer.

In granting summary judgment to GAIC, the court found that the computer fraud provision did not apply because the actual fraud was committed using a phone. The court explained that simply because “a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss.” Finding to the contrary would “unreasonably expand the scope” of the computer fraud provision, which was intended to limit coverage to computer fraud. Finally, the judge concluded, to accept “lawyerly arguments” that coverage should be expanded to include losses “involving a computer engaged at any point in the causal chain” would “strain the ordinary understanding of computer fraud.”

The case is InComm Holdings Inc. v. Great American Insurance Co., No. 1:15-cv-2671 (N.D. Ga. Mar. 16, 2017).

About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Tagged with: , ,
Posted in Legislation, Litigation
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs