What does your insurance company think "cyber" insurance really covers?
Posted on 09/06/2016 at 01:19 PM by John Lande
This blog has been following a number of lawsuits between insurance companies and their insureds over who is responsible for covering cyber-attack losses. Yet another example comes from Apache Corp. v. Great Am. Insurance Company.
The Apache Corporation purchased a “Crime Protection Policy” that included coverage for “computer fraud” defined as follows in the policy:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
- a) to a person (other than a messenger) outside those premises; or
- b) to a place outside those premises.
The events that led to the lawsuit started when an Apache accounts payable employee received a phone call from a vendor who did work for Apache. The person on the phone asked Apache to change the bank account where Apache sent that vendor’s payments. The Apache employee told the person on the phone that such a request had to come on the vendor’s letterhead addressed to Apache.
Approximately one week later the same Apache employee received an email with a letter attached that included the vendor’s letterhead. The letter was routed to a second Apache employee who called the phone number on the letterhead to verify the request. The new account information was verified, so the Apache employees changed the wire information for the vendor. All Apache payments to the vendor were wired to the new bank account.
Apache sent over $2.4 million to the “new” vendor account before anyone realized that Apache had been the target of fraud.
Apache was eventually forced to file a lawsuit against its insurance provider, Great American Insurance Company. Great American denied coverage under the computer fraud provision of the policy because, according to Great American, the fraudulent email did not cause Apache to send payments to a fraudulent bank account. Apache responded that while the fraudulent email alone would not have caused the $2.4 million loss, the fraudulent email was a substantial factor in the loss.
The court rejected Great American’s argument and concluded that the fraudulent email was a substantial factor in Apache’s loss. The court reasoned that even though there were intervening steps necessary for the loss to occur, none of the Apache employees’ voluntary acts would have occurred without the fraudulent email. Therefore, Great American had to provide coverage.
This case represents a victory for the insured but may not have far reaching effects. Great American appealed the district court’s decision to the United States Court of Appeals for the Fifth Circuit, and the case was set for argument the week of August 29, 2016.
This blog has covered other cases between insureds and insurance companies that have not ended well for the insureds. Even though Apache won the first round of litigation it may not prevail in the end. This case, and others covered by this blog, highlight the importance of understanding what your insurance does and does not cover.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.