The risk of loss due to some form of cyberattack should prompt employers to consider insuring against those losses. But, not all cyberinsurance policies are created equal. That point is made abundantly clear in the recent 6th Circuit case, American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America.
The plaintiff, American Tooling Center, Inc. (ATC) is a Michigan-based manufacturer that subcontracts some of its manufacturing work to a Chinese vendor. During a time period that it had business insurance coverage through Travelers, ATC received a series of emails from an impostor pretending to be its Chinese vendor. These emails advised ATC that the vendor had changed its bank accounts and that ATC should wire transfer its payments to these new accounts. After ATC had transferred approximately $834,000 to these fraudulent accounts, it learned that it had been duped. ATC then made a claim on its Travelers business insurance policy. Travelers denied the claim and litigation followed.
The Travelers policy at issue stated as follows:
- Computer crime
- Computer fraud
The Company will pay the insured for the Insured’s direct loss of, or direct loss from damage to, money, securities and other property directly caused by computer fraud.
- Computer fraud
Each of the bold terms were defined terms under the policy. Travelers contended that the policy did not cover ATC’s losses because (1) ATC did not suffer a “direct loss;” (2) this was not a case of “Computer Fraud;” and (3) the loss was not “directly caused by Computer Fraud.”
The court rejected each of these contentions. First, the court considered competing definitions of the word “direct” under Michigan law and concluded that regardless of the definition, ATC’s loss was direct because it “immediately lost its money when it transferred the approximately $834,000 to the impersonator, there was no intervening event.” Second, the court rejected Travelers’s contention that the definition of “Computer Fraud” under the policy was limited to “hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer.” Instead, the policy definition of “computer fraud” was:
- Computer fraud means:
The use of any computer to fraudulently cause a transfer of money, securities or other property from inside the premises or financial institution premises:
- To a person (other than a messenger) outside the premises or financial institution premises
- To a place outside the premises or financial institution premises
As the court noted, the policy definition does not require, as Travelers argued, that the fraud “cause any computer to do anything.”
Finally, the court had little trouble, based on the chain of events, in finding that the “computer fraud” was the “direct cause” of ATC’s “direct loss.”
When shopping for insurance to cover potential losses due to cyber activity, businesses will need to make sure that they understand exactly what the policy terms mean and what events will trigger coverage under the policy and which will not. In addition, it is important to know what the policy will pay once a triggering event occurs. For instance, will it pay for regulatory fines, the cost of sending data breach notices, the cost of identity theft services for customers, or business interruption? You don’t want to have to go through years of litigation to find out. Using an insurance broker will help businesses sort through the best policies for their specific needs.