Cyber Insurance is a fairly new product with no standardization between insurance carriers, and much of the cyber policy language has yet to be subjected to a ‘real world’ review in the courts. Not all cyber policies are created equal, and great care needs to be taken to make sure that the coverages selected and the language in the policy meet the insured’s needs. A case in point is InComm Holdings, Inc. v. Great Am. Ins. Co., where a Cyber policy was issued by Great American Insurance Co (GAIC).
The GAIC policy provides for the following coverage:
[GAIC] will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a. to a person (other than a messenger) outside those premises; or
b. to a place outside those premises.
InComm Holdings is a tech company that processes debit cards that allow consumers to purchase credits called chits. Consumers purchase these chits from retailers in stores and can then redeem them for the actual dollar amount purchased on the loaded prepaid debit cards. Each chit is only supposed to be redeemed once. Consumers can convert chits to actual dollars by using a touchtone phone or voice commands. Unfortunately for InComm, its systems had a programming error that allowed chits to be redeemed many times. Between November 2014 and May 2014, 25,000 unauthorized redemptions were processed for over $11.4 million to various debit card issuers.
After the loss was discovered, InComm turned in a claim to GAIC under its computer fraud policy. GAIC denied coverage and InComm sued for breach of contract and bad faith.
The US District Court in the Northern District of Georgia granted a summary judgment to GAIC, finding that the loss did not ‘directly’ result from the ‘use’ of a computer and so was not covered by the GAIC Cyber Fraud Policy.