The Eleventh Circuit Court of Appeals has upheld a finding that a computer fraud policy issued by Great American Insurance Co. did not cover an $11.4 million loss sustained when the policyholder’s reloadable debit-card product was exploited by fraudsters, as the loss was not a sufficiently “direct” result of computer fraud to fall within the policy’s terms.

The insured, Interactive Communications International, Inc. (InComm), sold “chits,” units with assigned monetary value that consumers could purchase to add funds to reloadable debit cards. In order to redeem the chits, purchasers would call an InComm 1-800 telephone number, which connected them to a computerized interactive voice response (IVR) system that processed voice and touch-tone requests. When the consumer entered his or her debit card information into the IVR system, along with a PIN number for the chit, the system credited the chit value to the card and the funds became available for the consumer’s use.

A vulnerability existed in the IVR system, however: if two or more calls were made seeking to redeem a chit at the same time, the system would credit the chit value to the corresponding debit card but would fail to record the chit as having been redeemed, thus allowing multiple redemptions to be made. Fraudsters took advantage of this glitch and initiated over 25,000 fraudulent chit redemptions. InComm, which was contractually obligated to transfer funds to cover the fraudulently-redeemed chits, lost over $11 million.

InComm sought coverage under its computer fraud policy, which insured against loss of money or property “resulting directly from the use of any computer to fraudulently cause a transfer” of the property. A District Court in Georgia granted summary judgment for Great American, finding that the policy did not cover the loss, and the Eleventh Circuit affirmed. The appellate court found that the fraudsters’ telephone calls constituted “use” of a computer, as the plain meaning of that term—to employ something as a means of accomplishing a result—described what the fraudsters had done when they interfaced with the computerized IVR system. But the court found that InComm’s loss did not “result directly” from that computer use, as was required for coverage.

The ordinary meaning of “direct,” the court found, was something that followed immediately and without any intervention or interruption. In the court’s view, InComm’s loss did not occur immediately upon chit-redemption, but rather several steps later, after InComm had transferred money to the fraudster’s bank, the fraudster had made a debit card purchase, and the funds had been transferred from the bank to cover the purchase. It was only then, the court concluded, that InComm had truly lost control over the funds. Given the intermediate chain of events between the telephone calls and that “point of no return,” the court held that the loss did not result “directly” from the fraud and that there was no coverage.

With this decision, the Eleventh Circuit joins a number of courts that have declined to find computer-fraud coverage for schemes in which other events intervened in some fashion between the fraudulent use of the insured’s computer system and the resulting loss. See, e.g., Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016); American Tooling Center v. Travelers Cas. & Surety Co. of America, 2017 WL 3263356 (E.D. Mich. 2017). Such holdings suggest that efforts to seek coverage for losses involving multi-step schemes, as opposed to those resulting directly from hacking or system intrusion, may face an uphill battle, at least under the type of policy language at issue here.

Related People

John G. O'Neill

Partner

617.227.3030 Email John

Jessica H. Park

Partner

617.227.3030 Email Jessica