On May 10, the U.S. Court of Appeals for the Eleventh Circuit affirmed the decision of the U.S. District Court for the Northern District of Georgia in InComm Holdings, Inc. v. Great American Insurance Company. The Eleventh Circuit agreed that Great American's computer fraud coverage did not apply to holders of prepaid debit cards who exploited a coding error in the insured's computer system and fraudulently increased the balances on the cards which caused InComm to incur a loss of $11.4 million.
InComm operates a network that allows consumers to put money onto general-purpose reloadable debit cards issued by banks. In particular, InComm sells "chits" to consumers, which they can then use to transfer funds to their cards. After purchasing a chit at a retailer, a consumer can simply call InComm to redeem the chit and have its value moved over to his card. When a consumer dials InComm's 1-800 number to redeem a chit, he is connected to InComm's interactive voice response (IVR) computer system. The IVR system uses eight computers that process voice requests or telephone touch-tone codes. To redeem a chit through InComm's IVR, a consumer enters his debit card number and the PIN located on the back of the chit. The IVR then credits the value of the chit to the card, and the funds become immediately available to the cardholder. After making the funds available for use, InComm is contractually obligated to transfer money, equivalent to the value of the redeemed chit(s), to the bank that issued the debit card.
Fraudsters exploited a vulnerability in InComm's IVR system that enabled multiple redemptions of a single chit. Specifically, the fraudsters figured out that they could redeem a single chit multiple times by making two or more concurrent calls to the IVR system and simultaneously requesting the redemption of a particular chit. One call would transfer the funds from the chit to the debit card account, while the other would return the chit to an "unredeemed" state, allowing it to be redeemed again. Over seven months, InComm's system processed 25,553 fraudulent redemptions associated with 1,988 individual chits, totaling $11.4 million in fraudulent redemption.\
The Computer Fraud Coverage
InComm submitted a claim under the computer fraud coverage of an insurance policy issued to it by the defendant, Great American Insurance Company. The policy language at issue provides coverage for:
"loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises."
The district court focused on whether a "computer" was "used" in connection with the fraud. First, the court analyzed whether a telephone counts as a "computer." Despite the successful hacking of NORAD by Mathew Broderick's character in the movie War Games from a pay phone, the district court held that a telephone was "a completely different device." It stated that a "telephone" is not a "computer" regardless of whether the phone may have been connected to a computer system. Next, the court analyzed whether a computer was "used" in connection with the fraud. It reasoned that "[a] person thus 'uses' a computer where he takes, holds or employs it to accomplish something. That a computer was somehow involved in a loss does not establish that the wrongdoer 'used' a computer to cause the loss."
Citing Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. Appx. 332 (9th Cir. July 29, 2016), and Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. Oct. 18, 2016), the court also held that the fraud did not result "directly" from the "use of any computer" since it was largely committed using telephones.
The district court stated:
In the end, InComm's loss resulted directly—that is, immediately—from InComm's decision to wire the funds to Bancorp, not from the cardholders' redemptions. Apache, and the cases it discusses, warn that to find coverage based on the use of a computer, without a specific and immediate connection to a transfer, would effectively convert a computer fraud provision into a general fraud provision. See Apache Corp. v. Great Am. Ins. Co., 662 F. App'x 252, 258 (5th Cir. 2016).
InComm Holdings, Inc. v. Great American Insurance Company, Case 1:15-cv-02671-WSD, May 10, 2018, p.35
The Eleventh Circuit affirmed, although it disagreed with the district court on whether the scheme involved the "use" of a "computer." The Eleventh Circuit Court stated that "the fraudsters interfaced directly with the IVR computer system to effectuate their duplicate redemptions. Thus, we conclude that the fraud against InComm was perpetrated through the 'use of a computer' within the terms of its insurance policy." Id. at 8.
It nevertheless affirmed, however, agreeing with the district court that the loss did not "directly" result from the use of a computer. Id. at 8-14.
The Beginning of a Trend?
While the InComm case does not involve a "social engineering" or "business email compromise" fraud, as many of the recent insurance coverage cases grabbing the headlines in this space have, it is nevertheless instructive on some of the key issues that are common in these coverage disputes. Both insurers and insureds alike must recognize the need to laser focus on the precise terms employed in these policies to determine the scope of coverage, particularly given the ever-changing schemes employed by fraudsters using phones, as in this case, or using unsuspecting employees, as in the case of social engineering losses, regardless of whether those targets are connected in some fashion to a company's computer system. Like the Fifth and Ninth Circuits before it, the Eleventh Circuit has now added to the chorus of appellate cases addressing what constitutes the "use" of a "computer," and what will be considered a loss flowing "directly" from such use. More particularly, the decision also provides some insight as to how the Eleventh Circuit may rule in a similar case now pending before it that does involve coverage for loss arising from a social engineering scheme under a similar computer fraud provision, captioned Principle Solutions Group, LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS (N.D. Ga. Aug. 30, 2016). Stay tuned.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.