Computer crime and data breaches have become a reality for most businesses. Words like spearphishing or ransomware that were obscure five years ago are now in the headlines on a regular basis. The FBI calculated over $1.4 billion in reported losses from hacking and similar computer crime in 2017. A data breach can cause serious monetary consequences for businesses, besides the goodwill hit of having to notify customers and colleagues of the intrusion.
Accordingly, businesses have tried to mitigate the risks of a data breach or hack through insurance coverage. Since cybercrime coverage is in its infancy, it’s unsurprising that disputes have arisen between businesses and insurers regarding the extent of coverage under these policies.
Emerging caselaw shows that cybercrime coverage is not immune from the traditional conflict between the insured’s interest in being made whole after a loss and the insurer’s interest in paying as little as possible on claims. A good example is the recent decision by the U.S. Court of Appeals for the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America. American Tooling Center (“ATC”) lost over $800,000.00 in a phishing scam. Hackers first infiltrated ATC’s email servers and obtained the names of ATC’s contacts with ATC’s Chinese subcontractor. After ATC wired certain payments to its subcontractor, the hackers posed as the subcontractor’s agents and claimed to have never received the payments. ATC canceled its initial wire transfer and re-sent the funds to the hackers. ATC realized what had happened when the genuine subcontractor called to demand payment.
ATC tendered the claim to its insurance carrier, Travelers, under ATC’s coverage for “computer crime.” ATC’s policy provided Travelers “will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” ATC requested Travelers cover the over $800,000.00 it lost in the phishing scheme.
Travelers refused to pay. Relying on the words “direct loss,” Travelers claimed ATC hadn’t actually lost the over $800,000.00 it wired to the hackers. Instead, Travelers argued ATC only had a “direct loss” in the amounts it had to pay to its subcontractor over and above those amounts it paid to the hackers. Since the subcontractor (presumably sympathetic to ATC) had settled for a reduced payment, Travelers claimed it need only pay ATC the amount its subcontractor agreed to accept.
The court had little trouble rejecting Travelers’ argument, stating:
A simplified analogy demonstrates the weakness of Travelers’ logic. Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex’s fingers. Travelers’ theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense.
Separately, Travelers also argued the phishing attack was not covered under ATC’s computer fraud coverage. Travelers claimed coverage only existed where the perpetrator actually caused the transfer, not where the hackers deceived employees into transferring money unwittingly. The court observed that if Travelers wanted to restrict coverage thusly, it could easily have made that explicit in the policy – indeed, the court pointed out many policies do restrict coverage in this way using language absent from Travelers’ policy.
The ATC decision underscores the emerging issues in cybercrime coverage disputes and the bases insurers will use to deny coverage for phishing, hacking and other computer crime causing losses to businesses.