In the world of insurance, computers are the new “environmental.”
Let me explain. Back in the 1980s, the insurance industry, recognizing the magnitude of exposure it faced for environmental liabilities, embarked on a public relations campaign to convince courts and policyholders that no coverage existed for environmental problems under comprehensive general liability insurance policies. (The industry later changed the name of “comprehensive general liability policies” to “commercial general liability policies,” apparently concerned about the way judges and juries might view the word “comprehensive.”) Part of the public relations campaign involved the marketing and sale of a product called “environmental impairment liability insurance,” which provided coverage on a claims-made basis for certain environmental issues. The pitch was, “Look, although our CGL policies don’t cover pollution liability, we’ve now developed a new product specifically for that purpose, which you can buy for a reasonable premium! Aren’t we awesome?”
Of course, it came to light that CGL policies were designed to cover long-term pollution-related liabilities all along, as was confirmed by insurance industry representatives both in internal memoranda and in representations made to state regulators. You can read a lot of this history in Morton Int’l v. General Accident Ins. Co., 134 N.J. 1 (1993), available here.
Similarly, many business owners’ policies contain coverage for “computer fraud.” As commonly understood (and as can be seen in this summary of “computer fraud” from the Legal Information Institute at Cornell Law School), computer fraud can take many forms, including, for example, “emails requesting money in return for small deposits, also known as an advance-fee scam, such as the infamous Nigerian prince scam.” The federal Computer Fraud and Abuse Act, 18 U.S.C. §1830 (“CFAA”), also defines certain types of computer fraud, including “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.” The CFAA defines “protected computer” broadly, to include any computer “which is used in or affecting interstate or foreign commerce or communication.”
But, according to the insurance industry, the term “computer fraud,” as used in standard business policies, actually means something other than “computer fraud.” So, if you really want “computer fraud” coverage that’s worth anything, you need to buy one of the newer cyber-insurance policies designed for that purpose. (Kind of like the environmental impairment liability insurance marketing tactic.)
As one example of this unfortunate (for policyholders) phenomenon, in InComm Holdings v. Great American, holders of prepaid debit cards exploited a coding error in the policyholder’s computer system and fraudulently increased the balances on the cards, which caused InComm to incur a loss of $11.4 million. (You can read the District Court opinion here.) That sure sounds like “computer fraud”…right? The Court, now affirmed by the U.S. Court of Appeals for the Eleventh Circuit (which handles cases from Alabama, Florida, and Georgia), said “no.”
The intellectual gymnastics used by the panel to get around coverage are quite impressive. Basically, the Court held that, because a telephone was used to break into the computer system, the computer itself wasn’t actually “used” to commit the fraud. Also, according to the Court, the loss did not “result directly” from the initial computer fraud. The Court wrote: “Far from being immediate, the result was temporally remote: days or weeks – even months or years – could pass between the fraudulent chit retention and the ultimate disbursement of fraud-tainted funds from InComm’s [bank] account.” Of course, there is no requirement in the policy that the loss of funds be “immediate,” and if the insurance company had wanted such a qualification, it could have included one. It reminds me of Paul Newman’s comment to the difficult judge in The Verdict (1982): “Your Honor, with all due respect, if you’re going to try my case for me, I wish you wouldn’t lose it.”
But insurance companies don’t always win computer-related cases under standard (non-cyber) policies. In another recent decision, WoodSpring Hotels LLC v. National Union (which you can read here), for example, employees of a hotel chain, Extended Stay America (ESA), went to work for a competitor, WoodSpring. ESA contended that the employees stole its electronic information, including a customer database, and ESA sued both the employees and WoodSpring. National Union, which had sold Directors’ and Officers’ liability insurance to WoodSpring, denied coverage. The underlying case eventually settled, with WoodSpring paying ESA $1,160,000, and one of the employees (Ruby) paying ESA $40,000 from her own assets.
One of the claims in the underlying case alleged a violation of the CFAA, contending that the former employees had unlawfully accessed the ESA computer system. But National Union disclaimed coverage for the entire case, including the CFAA claim, based upon an exclusion for the misappropriation of trade secrets.
Wrong, said the Court, applying the proper standard relating to the duty to defend (namely, whether there is any ultimate possibility of coverage). The Court noted that the CFAA count “depends on unlawful access to ESA’s computers and obtaining anything of value – i.e., [ESA’s former employee] may have violated the CFAA by using a computer to take anything of value – not just trade secrets.” Therefore, National Union should have provided a defense.
The bottom line here is that enforcing coverage for alleged computer-related offenses is far from a sure thing. Especially if the amounts involved are large, you can bet that your insurance company will comb its policy for reasons to avoid paying. With computer fraud on the rise every day (because, to analogize to what Willie Sutton supposedly said about robbing banks, “that’s where the money is”), preventing computer-related insurance claims from ever happening is Job One. And, yes, you should buy stand-alone cyber-insurance coverage. It’ll increase your chances of insurance recovery if, despite your best efforts, a problem happens.