When Is Hacking Covered by Insurance?

When Is Hacking Covered by Insurance?

Hacking and other cybercrimes often cost millions of dollars. When financial losses can’t be recovered from the perpetrators, insurance coverage becomes critically important.

Unfortunately, insurance companies often deny claims, and the law regarding coverage in cybercrime suits is still evolving. Most recently, a New Jersey federal court refused to dismiss a suit seeking insurance coverage for nearly $1 million in losses caused by a social engineering scheme.

Computer Fraud Insurance Claim

In The Children’s Place, Inc. v. Great Am. Ins. Co., The Children’ Place, Inc. (TCP) is seeking to recover losses totaling $967,714.29 that the company mistakenly made to an unauthorized third party (the “Hacker”) instead of to TCP’s vendor, Thailand-based Universal Apparel Co., Ltd. As described by TCP in its complaint, the Hacker “intercepted an email conversation between TCP and Universal;” “inserted itself into the conversation;” “requested a change of bank information;” and fraudulently “direct[ed] TCP to pay Universal using [the] new bank account number.”

On July 14, 2017, TCP made a $498,753.58 payment to the altered bank account operated by the Hacker. Three days later, TCP made a second payment to the same account in the amount of $468,960.71. TCP was unable to recover any of the funds transferred, resulting in a loss of $967,714.29.

At the time of the transfers, TCP was insured by a Crime Protection Policy (Policy), including coverage for computer-related crime and social engineering schemes, issued by Great American Insurance Company (GAIC). TCP submitted the loss to GAIC for coverage under the Policy. After GAIC denied coverage, TCP filed suit.

District Court Refuses to Dismiss Suit

The District Court denied GAIC’s motion to dismiss, concluding that TCP had stated claims for declaratory relief and breach of contract under the Policy’s “Computer Fraud” coverage. The policy defined computer fraud as:

loss resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system, or to the computer system of your financial institution, and thereby fraudulently cause the transfer of money, securities or other property from your premises or banking premises to a person, entity, place or account outside your control.

In reaching its decision, the district court rejected these reasons proffered by GAIC for denying coverage:

• “First, although the complaint alleges that the [Hacker] accessed Universal’s email system, it does not allege facts to show that the [Hacker] ‘gain[ed] direct access’ to a computer system that belonged to TCP or its financial institution.” (Def. Br. at 12).
• “Second … TCP’s loss would not be covered because the [Hacker] did not ‘thereby fraudulently cause the transfer of money … from [TCP’s] premises or banking premises to a person, entity, place or account outside [TCP’s] control.’ ”

According to the court, “neither of these reasons persuades the Court that Plaintiff has not stated a claim on the basis that the Loss is not covered under the Policy’s coverage for ‘Computer Fraud.’”

With regard to GAIC’s first argument, the court highlighted that TCP alleged: “The Hacker, through the use of a computer, … accessed and infiltrated Universal’s web email service;” “intercepted emails sent between Universal and TCP;” and “inserted itself into [TCP’s email] conversation.” In addition, TCP also stated that when “the Hacker redirected [email] messages to go to him,” he “effectively gained access to TCP’s email system” because “an email system that does not send the messages to the intended recipient is no longer under the control of the sender.” While GAIC argued that these allegations “do[ ] not mean the [Hacker] actually accessed TCP’s email system,” the court noted that GAIC “failed to cite any legal authority in support of that proposition.” Rather, the court was persuaded by TCP’s legal authority to the contrary, including Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 478 (S.D.N.Y. 2017) and Medidata Sols Inc. v. Fed. Ins. Co., 729 F. App’x 117, 118 (2d Cir. 2018)). The court also added that any factual disputes could not be resolved against the plaintiff at the motion to dismiss stage.

The court also rejected GAIC’s argument that TCP had not plausibly alleged satisfaction of the causation requirement in the policy’s computer fraud coverage. In support, the court emphasized that TCP alleged that “TCP’s employees transferred [the Loss] to the Hacker as a direct result of the Hacker’s access to TCP and Universal’s emails, the forged letter, and altered Vendor Setup Form.” According to the court, these “allegations do not lack plausibility,” and further questions as to the “cause of the loss … should be left for a jury” or summary judgment.

Message for New Jersey Businesses

Email-based cyberattacks, including “social engineering” schemes, are on the rise. Should your company’s cybersecurity measures fail to thwart an attack, a body of favorable court decisions suggests that insurance coverage may well be available to cover your losses. Nonetheless, it is always wise to review your crime and other relevant insurance policies and to address any additional requirements your carrier may be placing on the coverage, so that you can minimize potential gaps in coverage, particularly with respect to growing cybersecurity threats.

If you have any questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Charles Yuen, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.