Sixth Circuit Cyber Coverage Opinion: Square Peg in Round Hole?
Advisen
Sixth Circuit Cyber Coverage Opinion: Square Peg in Round Hole?
Several years ago, I attended an Advisen Cyber Risks Insights Conference in New York. One of the speakers there was general counsel from a large, well-known insurance company. With some resignation in his voice, he told us he thought coverage litigation involving cyber insurance policies would probably be with him the rest of his career. And he was a pretty young man.
If recent litigation involving whether losses connected to spear phishing attacks are covered under computer fraud policy provisions is any indication, he may have been right: we are likely to see more and more litigation as courts and carriers grapple with what cyber policies mean. It’s a classic example of trying to apply insurance coverage concepts developed in an analogue world to new and different problems posed by technology.
Last year, a federal district court in New York ruled in Medidata Solutions v. Federal Insurance that losses due to phishing (where employees were duped into transferring money into fake accounts) were covered by that portion of a cyber policy that provided coverage for the direct or indirect loss of property due to the fraudulent transfer of property by a third party.
Previous cases in Fifth, Sixth and Ninth circuits had found similar language did not cover such losses. These courts have held that the fraud provisions do not apply where an employee of the company acts to transfer the funds to a criminal solicitation even if that employee was tricked in to using the computer to do the deed.
The Sixth Circuit Case
However, in American Tooling Center v. Travelers, decided on July 13 of this year, the Sixth Circuit changed direction and held such losses would be covered by the computer fraud provisions.
ATC paid a third party vendor in China for outsourced services. A malicious third party intercepted an email in which an ATC employee asked for all outstanding invoices from the vendor. The third party then duped the ATC employee into paying the invoices into a different account than that of the vendor. The lower court granted summary under the theory that the computer fraud provisions did not cover the loss.
Like many policies, the ATC policy promised the carrier would pay for direct loss due to computer fraud. Travelers argued that none of the three elements required by this clause were present: ATC’s loss was not direct; the actions were those of an employee not a compromised computer; and the loss was not caused by a computer fraud.
The Sixth Circuit first tackled the word “direct,” which was not defined in the policy. ATC’s loss, said the court, was both immediate and proximate. The transfer of the money was an immediate event.
The Court then tackled the meaning of computer fraud under the policy. The policy essentially defined the term as the use of a hijacked computer to fraudulently transfer money from inside the insured’s premises to a person outside the premises or to a place outside the premises. According to Travelers, the computer must cause the transfer as opposed to just being used in the transfer. Travelers said the provision was designed to cover losses where a system was hijacked and a third party began to manipulate the computer system itself.
The Court, however, rejected this argument saying if Travelers had intent to limit the definition of computer fraud to hacking or other situations where a criminal gains control of a computer and forces the computer to do something, it should have said so. Of course, Travelers thought that was exactly what it had done.
Finally, the Court made short shrift of Travelers causation argument: saying that the computer fraud was the immediate cause of the loss.
Why Is the Case Important?
What’s important about the case is that it turned the computer fraud provision on its head. Instead of the provision covering those situations where someone actually gains control of a computer through a hack, the mere use of a computer by a duped employee is enough. The former is a different type of risk entirely than the latter. The former depends to a large extent on strength of firewalls and the robustness of the back-up provisions of the system. The latter depends almost exclusively on the training of employees, something that the insured has more control over. The Court simply refused to recognize the fundamental difference between use of a computer by a duped employee and the hack of a computer by an outside entity. Again, technology poses new and different problems that knee jerk reliance on old concepts can’t solve.
The Court also failed to recognize an important causation dichotomy. The computer fraud section was designed to insure against a third party’s action with respect to a computer. That third party, by definition, is outside of the control of the insured. In ATC, the action was taken by an employee in the control of the insured—an employee who could have been better trained by the insured to prevent just kind of loss. Different risk, different mechanism of loss. Different causation. To lump them together ignores technical realities and the language of the policy.
In both ATC and the previously decided Medidata case, the Court fell back on standard principals of contract interpretation and the notion that if there is any ambiguity, the insured wins. While those are certainly sound principles, they have to be interpreted in light of how technology works and the risks that are being posed. Otherwise policy language becomes meaningless.
The Other Take-Away
Certainly other courts have and will disagree with the Sixth Circuit. But the ATC case makes it clear that coverage law with respect to cyber policies will need to be hammered out just like most coverage questions under more conventional policies—by laborious trial and error. The carriers try to write language they think is clear. The courts interpret it differently. The carriers try again until gradually the law gets developed.
That doesn’t mean different states may not interpret things differently. But as that becomes known, carriers can take that risk into account in writing polices.
Because cyber policies are so new, and because the language in many polices varies and in some cases can even be negotiated, we are going to go through a period of sausage making to hammer out what the policies mean and what carriers need to say in policies to reach the intended result.
That is why my general counsel friend believed with some resignation that cyber coverage litigation will be with us for a while.
Some Closing Advice
Advice to carriers: develop a legal team of well-versed cyber insurance coverage lawyers that know the law, keep up with developments and aren’t afraid to go to court. Trim your sails and be prepared to stay the course as you ride out the storm.
Advice to lawyers, particular those looking for a future specialty: Become an expert on cyber policies. Pursue the field with dogged determination. Write, speak and become known.
This litigation isn’t going anywhere and will indeed be with us for some time.
About the author: Stephen Embry is a frequent speaker, blogger and writer. He is publisher of TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law and the practice of law. He is also co-author of a book entitled Mass Tort Claims Resolution Facilities and the 2017 and 2016 editions of the American Bar Association’s TechReports.
Formerly a member of Frost Brown Todd LLC and the Firm's class action, privacy and mass tort groups, Stephen is a national litigator and advisor who is experienced in developing solutions to complex litigation and corporate problems. His mission is to find simple, successful and elegant solutions to civil litigation problems and dilemmas primarily in the mass tort, business and consumer class action, and privacy and data breach arenas.
Stephen recently successfully completed the certification program to earn the title of Technology Master Advocate by the Federation of Defense & Corporate Counsel. He now practices with his own firm, embryLaw LLC.
