Have you honestly read your “computer fraud” or “cyber insurance” policy coverage? Chances are, if you did, you probably would not understand the wording and if you are really covered. Here is an example of wording:
F. Computer Crime
1. Computer Fraud
The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.
Well do not worry because these types of provisions are very ambiguous; and are likely created this way on purpose. Jurisdictions all over the country struggle with and interpret computer fraud provisions like this in various ways.
If you are covered for computer fraud, then you will almost always find, in the definitions section of your insurance policy, more vague definitions of what exactly is “computer fraud.” These definitions may look like:
E. Computer Fraud means:
The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:
1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or
2. to a place outside the Premises or Financial Institution Premises
One of the main cases on what constitutes “computer fraud” is, American Tooling Center v. Travelers Casualty & Surety Company of America.1 In this U.S. Sixth Circuit Court of Appeals case, the court dealt with this exact type of ambiguous computer fraud provision. The scenario presented was one in which an impersonator/hacker infiltrated the insured’s email server, sent the insured fraudulent emails using a computer, which in turn fraudulently caused the insured to transfer money to the impersonator.
When the insured sought to recover under the computer fraud provision of their insurance policy, the insurance company denied the claim, claiming that facts did not constitute computer fraud. Specifically, the insurance company did not contest that there was a transfer of money from plaintiff’s bank to a person, but rather, that the definition of computer fraud required a computer to “fraudulently cause the transfer . . . [meaning that] it is not sufficient to simply use a computer and have a transfer that it fraudulent.”2
As support for this argument, the insurer cited a Ninth Circuit case, Pestmaster Services v. Travelers Casualty & Surety Company,3 where the court stated that “Travelers could have drafted this language more narrowly,” but “[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”4 However, the court in Pestmaster was distinguishable from Am. Tooling, mostly due to the difference in factual circumstances.
Pestmaster is distinguishable for multiple reasons, but principally it is distinguishable on its facts. In that case, Pestmaster had hired Priority 1 Resource Group to handle its payroll tax services and granted Priority 1 electronic access to its bank account. Priority 1 was then authorized to transfer funds out of Pestmaster’s bank account into its own account, and from there it was to pay Pestmaster’s payroll taxes. The fraud occurred when Priority 1 failed to pay the taxes and kept the money instead. Thus, in Pestmaster, everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer.5
Upon distinguishing the facts of Pestmaster from the case before the court, the court determined that because the scenarios were so different (authorized party of principal party fraudulently transferring principal’s money to itself vs. authorized party of principal being defrauded by a third party hacker and fraudulently transferring money to third party), that this situation should essentially constitute prima facie computer fraud, which would then be covered under a computer fraud provision.
The court, in its rejection of the insurer’s argument, stated:
[H]ere the impersonator sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator. And the Policy definition does not require, as Travelers argues, that the fraud “cause any computer to do anything.” Travelers’ attempt to limit the definition of “Computer Fraud” to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded. If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so. Because Travelers did not do so, the third party’s fraudulent scheme in this case constitutes “Computer Fraud” per the Policy’s definition.6
The Am. Tooling court’s decision sheds light on how a court may interpret the computer fraud provision. Whereas the Pestmaster court was worried that its analysis may, in-turn, “over-broaden” the scope of computer fraud provisions, the Am. Tooling court put its foot down and determined that a scenario with a hacker infiltrating a company’s email database is in fact computer fraud.
*It must also be noted that in coming to its decision, the Am. Tooling court also took notice of one of the most popular rules of contract/insurance law: ambiguity is construed against the drafter. Thus, this traditional contract rule further diminished the defendant insurer’s argument, as the court held that this type of general computer fraud provision was clearly ambiguous to the point where both sides had completely different interpretations of the scope of the coverage; a black and white situation in which the provision should be construed against the drafter (insurer).
1 Am. Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am., 895 F.3d 455, 461 (6th Cir. 2018).
2 Am. Tooling Ctr., at 461.
3 Pestmaster Services, Inc. v. Travelers Cas. & Surety Co. of Am., No. 14-56294, 656 F. App’x 332 (9th Cir. July 29, 2016).
4 Am. Tooling Ctr., Inc. at 461.
5 Id. (Citations omitted).
6 Id. at 462 (Citations omitted).