Not long ago, there was a kerfuffle over the use of the term “OK, Boomer,” which I guess is a pejorative term aimed at my generation for being out-of-touch with the modern world. (See the Vox article here.) Truth be told, maybe we are out of touch, at least about some things. As someone who grew up without a laptop or an iPhone, and whose family had a rotary phone on the wall, with the handset connected by a curly cord, I’m not sure I’ll ever be fully comfortable with technology. Part of that, of course, could be the result of being a trial lawyer. I’m not against technology in the courtroom by any means, but I always have poster boards handy as backup. I’ve cringed a few times while watching another lawyer’s high-tech presentation come crashing down. A few years ago, it actually happened to me, while I was giving a talk to a group of business executives. Unbeknownst to me, my IT consultant, in an effort to save me a few bucks, had installed some kind of knockoff version of Windows on my laptop, with predictable results. But, once again, I was saved by the miracle of poster board (or, as we Boomers used to call it, “oaktag”).
There’s a famous quote attributed to Joseph Heller (the author of Catch-22) that goes: “Just because you’re paranoid doesn’t mean they aren’t after you.” Being suspicious of technology can be a healthy trait. For one thing, we’ve handled our share of cyber-insurance claims at our firm, and there seems to be no doubt that the insurance industry is going to continue to fight coverage. There hasn’t been a lot of litigation yet over the terms of stand-alone cyber-liability policies, but there continue to be disputes over whether standard business-owners’ policies provide any protection against cyber-claims.
Federal courts generally aren’t famous for being policyholder-friendly, so I’m always pleasantly surprised when I see a federal court decision favoring coverage. SS&C Technology Holdings v. AIG Specialty Insurance was such an event, and it involved a cyber-claim. (The case was handled by Robin Cohen and her folks at McKool Smith, a top-notch policyholder-side coverage practice.) You can read the SS&C decision here.
The factual scenario was pretty familiar, cyber-wise. SS&C sells software and software-related services, and one of its clients was a company called Tillage. Crooks using stolen credentials emailed money transfer requests to SS&C, falsely claiming to be acting on behalf of Tillage. As a result, SS&C transferred $5.9 million from Tillage’s accounts to certain bank accounts in Hong Kong.
Tillage wasn’t happy about that, and sued SS&C, arguing that SS&C had been negligent in handling Tillage’s funds.
SS&C notified its errors & omissions carrier, AIG, of the incident. AIG agreed that the lawsuit fell within coverage, and agreed to cover SS&C’s defense costs. Confusingly, though, AIG disclaimed any liability for indemnity coverage, arguing that the lawsuit fell within an exclusion that removed coverage for claims “alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law.”
Now, a normal human being looking at this exclusion might justifiably think: “This means that if the policyholder does something fraudulent, there’s no coverage.” But insurance company claim departments don’t always act in a normal way. Here, AIG contended that the exclusion applied if anyone committed fraud – even if that “anyone” was outside of the policyholder’s control.
Think about the precarious situation into which this put SS&C. AIG is paying for the defense, but won’t engage in settlement discussions. So…do we settle and try to cut our losses? Or do we roll the dice on a trial, since AIG is paying the lawyers’ fees? Taking this one step further, what if a smaller company faced this issue? SS&C has over 20,000 employees and might be able to fund a settlement, but what if the carrier took this position with a mom-and-pop operation? This isn’t the way that insurance is supposed to work.
The court fortunately disagreed with AIG, writing: “The very rationale of such exclusionary provisions is that a tortfeasor may not protect himself from liability by seeking indemnity from his insurer for damages, punitive in nature, that were imposed upon him for his own intentional or reckless wrongdoing.” In other words, removing coverage for wrongful acts committed by others, not in the policyholder’s control, is somewhat ridiculous.
Meanwhile, the Eleventh Circuit (the appeals court that sits above federal district courts in Florida, Georgia and Alabama) also recently grappled with cyber-liability coverage, this time under a commercial crime policy. The case is Principle Solutions Group v. Ironshore Indemnity, Inc., which you can read here. (The Principle Solutions case was handled by my friend Scott Godes, one of the leading experts in the country on insurance coverage for cyber-fraud, and an excellent attorney with whom I’ve worked in the past. Scott was way out ahead of this issue when it first started to develop.)
Once again, a familiar fact pattern: The controller of Principle Solutions Group (an IT services firm) supposedly got an email from Nazarian, a managing director at the company. The email told the controller that Principle had been working on a “key acquisition,” and asked her to wire money “in line with the terms agreed… as soon as possible.” She would receive instructions from an attorney named Mark Leach, and the email told her to “treat the matter with the upmost [sic] discretion and deal solely with” Leach. “Leach” (what a great name in this context) sent remittance details for a bank in China. Wells Fargo asked the controller for verification that the wire transfer was legitimate. The controller confirmed, and $1.7 million disappeared into the scam-o-sphere.
The “Computer and Funds Transfer Fraud” section of Principle’s policy covered “loss directly resulting from a fraudulent instruction directing a financial institution” to transfer or pay funds. The insurance company argued that there had been no “fraudulent instruction,” because the initial fraudulent email only asked the controller to work with a third party to wire funds later in the day, not to wire a specific amount of money to a specific recipient. Of course, the policy language doesn’t require that there be an instruction to wire a specific amount of money to a specific recipient, but I guess you can’t fault the carrier for trying. The Court held that the initial fraudulent email, combined with the later email from the supposed attorney, provided enough detail to constitute a “fraudulent instruction.”
The insurance company also argued that the loss did not result “directly” from a fraudulent instruction. Basically, the insurance company tried to get off the hook by blaming the controller for authorizing the transfer of funds when she should have known better. But the Court held that “directly” only requires “proximate causation,” a concept that has bedeviled law students forever. The Court essentially ruled that a “fraudulent instruction” necessarily contemplates that an unwitting employee will negligently transfer money, and that, under the policy language, that was good enough.
Although, after much time, expense and aggravation, the policyholders in these two cases eventually succeeded in obtaining recovery, the basic lessons here are clear. First, the key is to prevent these losses from happening in the first place. Do your employees know how to recognize a potentially fraudulent transaction? And second, although you may succeed in establishing coverage for cyber-losses under your basic business-owners’ policy, you’d be wise to explore stand-alone cyber-liability coverage with your broker or insurance advisor. The average cost of that coverage is $1,501 per year per $1 million in limits, with a $10,000 deductible. Given the potential downside if you don’t have the coverage, it’s worth a look.