In the following guest post, David Bergenfeld, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, takes a look at key court decisions during the first quarter of 2016 analyzing cybercrime insurance. I would like to thank David for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
The courts in analyzing Cybercrime insurance in the beginning of 2016 began with a bang by ruling losses from the hacking of a vendor’s computer system are not covered. The courts also precluded coverage for insureds because of the applicability of non-assignability and termination clauses. Lastly, the courts strictly construed the payments under prior insurance clauses to negate coverage.
Cyber Insurance Does not Cover Hacking into Vendor’s Computer System
In Kraft Chemical Company, Inc. v. Federal Insurance Company, the court held that the Computer Fraud insurance provisions contained in the applicable general liability insurance policy did not provide coverage for hacking of a vendor’s computer system.
In Kraft, the insured received an order from a customer, Abbott, in March 2013 and the insured then placed a purchase order with Salicylates through Salicylates’ general email address (email@example.com). On May 1, 2013, the insured received an email purportedly from Salicylates stating that Salicylates had changed bank accounts and directed that all payments be made to the new bank account at Natwest Bank. However the email originated from firstname.lastname@example.org rather than email@example.com. On May 7, 2013, the insured received another email purportedly from Salicylates emanating from firstname.lastname@example.org attaching the bill of lading related to the insured’s purchase of product for the legitimate Abbott sale and shipment. The insured wire transferred the payment for the bill of lading to the Natwest Bank account. On May 21, 2013, the insured received an email from info.salicylates.net stating “that it had shipped the chemicals to Abbott, it had not received the wire transfer.” Further, Salicylates sent a separate email indicating that the “‘Above [Natwest] bank account detail are of hackers and we are no way concerned with the above account.’”
The insured submitted a claim under its Computer Fraud insurance clauses of its general liability insurance policy to its insurer with respect to the funds wired to Natwest Bank and the insurer denied coverage. The insured then brought suit against the insurer claiming breach of contract and a seeking a declaratory judgment with respect to its rights under the insurance policy.
On summary judgment, the insured argued that hackers worked their way into the insured’s computer system in order to “camouflage client email contacts” and caused the insured to wire $63,793.20 to the Natwest Bank account rather than to its client bank account. The insurer argued that the insured cannot show any hacking of its computer system and that only an email with incorrect information was sent to the insured and the insured wire transferred funds without verifying the bank account information.
The relevant Computer Fraud insuring provisions state:
The [insurer] shall pay the [insured] for direct loss of Money . . . sustained by an insured resulting from [the unlawful taking of Money resulting from the unauthorized entry into or deletion of Data from a Computer System or change of Data elements or program logic of a Computer System] committed by a Third Party.
In reviewing deposition testimony of the insured’s computer expert and the insured’s chief financial officer, the court noted that neither proffered evidence of unauthorized access into the insured’s computer system. In addition, Salicylates admitted that “its system had been ‘hacked.’” Ultimately, the court found “that the mere sending of an email is not an unauthorized entry or change therein to a computer system.” Therefore, the court found no coverage.
In the context of the connection between the fraudulent emails and the insured’s wire transfer of funds to the Natwest Bank account, the court noted that the funds transfer “occurred eight days after receiving the emails” and that the insured’s employees logged into its bank’s website to create, process, review, authorize and release the wire transfer. In applying the facts to the insuring clause, the court noted that the “direct loss” requirement of the insuring clause is a much narrower concept than the proximately caused loss standard. Therefore, the court held the Computer Fraud insuring clause did not provide coverage for the wire transfers because they did not occur immediately after the insured’s receipt of emails. The court’s findings thus show how courts are strictly construing the direct and contemporaneous loss requirements. Therefore, coverage under general liability insurance policies for data breaches must meet the strict definition of loss.
Non-Assignment Clauses are Enforceable
In Western Alliance Bank v. National Union Fire Insurance Company of Pittsburgh, PA, the court held the commercial crime insurance policy’s non-assignment clause barred the insured from assigning its rights under the policy prior to the incurrence of the a loss.
The insured in Western Alliance was Sorrento Netowrks I, Inc. and its related subsidiaries. In January 2014, Sorrento’s “CEO and president announced that the company was going out of business, but the executives asked all of their employees worldwide to leave company property where it was.” About a month later at Sorrento’s Stuttgart offices, the company’s president discovered that almost all of the property was missing.
Western Alliance claims to have a security interest in the commercial crime policy issued by National Union. Western Alliance’s claim emanates from its predecessor in interest, Bridge Bank, having issued a loan to Sorrento and Bridge Bank receiving from Sorrento “a continuing security interest in [Sorrento’s] inventory, test equipment, computer equipment, commercial tort claims and insurance proceeds.” Such security interest was perfected through a financing statement filed with the Delaware Department of State on February 11, 2011. The loan agreement also “authorized Bridge Bank to act on Sorrento’s behalf in collecting any money owed to Sorrento and prosecuting any claims that Sorrento might have.” Therefore, Western Alliance sought to prosecute the insurance claim that Sorrento had with respect to the missing equipment in the Stuttgart office.
The commercial crime policy issued by National Union that names Sorrento as an insured took effect on September 1, 2012 and provided for $1,000,000 of coverage per occurrence for several different forms of crime, including employee theft and theft of money and securities inside the premises. The policy’s non-assignability clause provided: “the insured’s ‘rights and duties under this policy may not be transferred without [National Union’s] written consent . . . . [The policy] provides no rights or benefits to any other person or organization. . . . . [A]ny claim for loss that is covered under this policy must be presented by’ the insured.”
In its action against National Union, Western Alliance claimed a right in the insurance policy. In analyzing Western Alliance’s claim in the context of National Union’s motion to dismiss, the court noted that an insurance policy is a personal contract between an insured and an insurer. Therefore a secured creditor has no interest in the policy absent the insured naming the secured creditor as an additional insured or loss-payee on the policy. The court went on to note that Bridge Bank, Western Alliance’s predecessor in interest, was not named as an additional insured or loss payee on the policy.
In analyzing whether the non-assignment clause was enforceable under Colorado or California law, the court noted that under Colorado law the non-assignment clause was enforceable whether the assignment took place before or after the incurrence of a loss. However, in California the non-assignment clause is not enforceable if the assignment took place after the loss happened. Considering that the assignment occurred in 2011 and the loss occurred in 2014, the court held that under either California or Colorado law the non-assignment clause was enforceable. Therefore, Western Alliance’s claim for coverage failed because the commercial crime policy prohibited the insured, Sorrento, from assigning its claim against National Union to Bridge Bank, predecessor in interest to Western Alliance. The court’s ruling thus reinforces the strict interpretation of the contract provisions in an insurance policy, and demonstrates that insureds’ actions taken in contravention of explicit policy terms entails significant risk.
Termination Clauses are Broadly Interpreted to Only Require Dishonest Acts
The court in National Credit Union Administration Board v. Cumis Insurance Society, Inc., held that the applicable fidelity bond ceased to provide coverage for the insured’s chief operating officer upon a board member learning of misrepresentations in the chief operating officer’s reports to the insured’s board of directors.
The insured in National Credit Union, was St. Paul Coation Credit Union. In 1989 Athony Raguz began working as a teller for St. Paul. In 1995 St. Paul’s manager, Joseph Plavac, retired from his manager position, but retained his position on St. Paul’s board. At that time Raguz became manager. In 2004 Raguz was elevated to chief operating officer. Beginning in 2000, Raguz began accepting bribes for issuing fraudulent loans. Between 2000 and 2010 Raguz received approximately $1 million in bribes for the fraudulent loans.
In order to conceal the fraudulent loans, Raguz put the fraudulent loans in the “share-secured loans” area because such loans did not have to be reported to the board for approval and were reviewed very lightly by the auditors and bank examiners. In a normal share-secured loan, the borrower would deposit an amount equal to the loan with St. Paul and such funds would be frozen and attached in the event of a default upon the loan.
Raguz further concealed problems with the fraudulent loans that would become delinquent by manipulating the delinquency rate. When the loans would be 90 days late, Raguz would roll over the principal and accrued interest into a new note to keep the loan off the delinquency list. Raguz would also create bogus loans to use the funds to pay off the prior fraudulent loans. Further, Raguz used the bogus loan money to pay off smaller fraudulent loans to take them off St. Paul’s books. During the time period of Raguz fraudulent scheme, 2001 to 2010, St. Paul’s loan portfolio grew from $42 million (assets of $52 million) to $240 million (assets of $250 million).
During the time period that Raguz was with St. Paul, St. Paul would experience delinquencies. However, between 2002 and 2010 Raguz was reporting no delinquencies to the board and the relevant authorities. Between 2005 and 2009 the board began asking questions and requesting more detailed information from Raguz regarding the loans. However, Raguz refused to provide the requested information. The board did not discipline Raguz. Further, a board member, Robert Calevich, who previously was St. Paul’s treasurer, seem concerned that the delinquency rate was zero because he recalled delinquencies when he was treasurer.
In early 2010, the National Credit Union Administration Board, became concerned regarding St. Paul and on April 23, 2010, placed St. Paul into conservatorship, naming itself, the National Credit Union Administration Board, as the conservator.
In October 2010, National Credit Union filed a claim and its proof of loss with the fidelity bond insurer, Cumis Insurance Society, Inc., which denied the claim. National Credit Union instituted an action seeking (i) a declaration of its rights under the fidelity bond; (ii) coverage for its claim relating to Raguz’s defalcation; and (iii) compensatory damages and attorneys fees.
In its defense, Cumis argued that the fidelity bond terminated as to coverage for Raguz’s acts before the inception of the fidelity bond in 2010 because Calevich knew Raguz had committed dishonest acts when Raguz reported a zero delinquency rate to the board. Such knowledge of Raguz’s dishonesty was based on the following: (i) Calevich knew that there had to be some delinquent loans based on his own experience as treasurer of St. Paul; (ii) St. Paul’s board had concerns regarding the zero delinquency rate; (iii) the St. Paul Board of Directors raised the delinquency issue with Raguz on numerous occasions; and (iv) Raguz never provided a “solid answer” in response to the Board.
The fidelity bond’s termination clause states:
the Bond’s coverage for an “employee” . . . terminates immediately when one of [the insured’s] “directors” . . . not in collusion with such person learns of:
- Any dishonest or fraudulent act commiteed by such “employee” . . . at any time, whether or not related to [the insured’s] activities or of the type covered under this Bond
* * *
- Termination of coverage for an “employee” . . . terminates [the insurer’s] liability for any loss resulting from any act or omission by that “employee” . . . occurring after the effective date of such termination.
In reaching its holding that the fidelity bond terminated when Calevich learned of Raguz’s dishonesty regarding the reported zero delinquency rate, the court analyzed the definition of “dishonesty” as contained in the termination clause. The court reasoned that the term “dishonest act,” for purposes of triggering the termination clause, “should be construed broadly and consistent with its plain and ordinary meaning to encompass conduct that shows a want of integrity or breach of trust.” Specifically, the court noted that “the submission of false financial information (either to an institution’s directors or officers and/or to state or federal examiners) may constitute a ‘dishonest’ or ‘fraudulent act’ for purposes of a fidelity bond.” In finding that Calevich’s knowledge of Raguz’s false delinquency rate report of zero to be sufficient to terminate the fidelity bond, the court reasoned that Calevich did not need to connect such false reporting to Raguz’s overall fraudulent loan scheme. Therefore, the court held that the fidelity bond terminated as to Raguz prior to its inception in 2010.
Payment Under Prior Insurance Clauses are Strictly Construed
In Emcor Group, Inc. v. Great American Insurance Company, the court held that the clause providing for payment for loss sustained under a prior policy is unambiguous.
Emcor, the insured, had commercial crime insurance policies issued by Factory Mutual Insurance Company from December 1, 1999 through December 1, 2002. From December 1, 2002 through December 1, 2005, Great American Insurance Company issued crime insurance policies to Emcor. Each of the Great American policies was effective for one year and terminated at the time of the commencement of the successive insurance policy.
In 2005, during the December 1, 2004 to the December 1, 2005 policy period for the 2004 Great American policy, Emcor notified Great American of a loss of more than $10 million resulting from fraudulent acts committed by Emcor employees between December 1, 1999 and December 1, 2003. Great American denied Emcor’s claim because the loss occurred outside the December 1, 2004 to December 1, 2005 policy period for the effective 2004 policy. Emcor then filed suit against Great American claiming breach of contract.
Both parties filed summary judgment motions. Great American argued that that loss under a prior policy provision contained in the 2004 policy only required that Great American pay for losses occurring after December 1, 2003. Emcor argued that Great American was required to provide coverage for the time period when Factory Mutual was Emcor’s insurer.
The loss under a prior policy clause provides:
If [the insured] . . . sustained loss during the period of any prior insurance that [the insured] . . . could have recovered under that insurance except that the time within which to discover loss had expired, [the insurer] will pay for it under this insurance provided:
(1) this insurance became effective at the time of cancellation or termination of the prior insurance; and
(2) this loss would have been covered by this insurance had it been in effect when the acts or events causing the loss were committed or occurred.
In limiting coverage under the “Loss Under Prior Insurance” clause, the court reasoned that Great American agreed to provide coverage “for losses based on acts occurring during ‘any prior insurance’ period, but only if ‘this insurance became effective at the time of cancellation or termination of the prior insurance.’” The court strictly construed subparagraph (1) to refer to only the December 1, 2003 to December 1, 2004 Great American policy period. Contrary to Emcor’s reasoning, subparagraph (1) does not include any and all crime insurance Emcor held prior to the 2004 policy. The court further reasoned that the term “this insurance” only includes the 2004 policy and not all insurance policies issued by Great American. Therefore, coverage under the 2004 policy does not extend to the time period prior to December 1, 2003 when the loss was incurred.
The courts interpreted insurance policies, whether strictly or broadly, in favor of insurers during the first quarter of 2016. Thus, it appears that courts are moving towards an insurer favored environment. However, such doctrine may be used by insureds in arguing for coverage in other parts of the insurance policy. Furthermore, insureds may negotiate for the broadening of the insuring clauses to counteract the courts’ interpretation of insurance policy provisions. Necessarily, we shall see the ever moving developments in insurance policy construction throughout the year.
 No. 13 M2 002568 (Ill. Cir. Ct. Cook County Jan. 5, 2016)
 Case No. 15-cv-03429-PSG, 2016 WL 641648 (N.D. Cal. Feb. 18, 2016)
 Case No. 1:11 CV 1739, 2016 WL 165379 (N.D. Ohio Jan. 14, 2016)
 No. 14-1682, 2016 WL 304106 (4th Cir. Jan. 26, 2016)
 Factory Mutual Insurance Company is not affiliated with Great American Insurance Company.