The United States Court of Appeals for the Eleventh Circuit, applying Georgia law, has held that no coverage exists under a business owner’s policy for the online theft of funds from an insured’s bank account.  Metro Brokers, Inc. v. Transportation Ins. Co., 2015 WL 925301 (11th Cir. Mar. 5, 2015).  In so holding, the Eleventh Circuit concluded that coverage was precluded for the online theft both because the electronic transfers did not fall within the policy’s forgery provision, and the policy contained an exclusion for losses caused by malicious code.

The insurer issued a business owner’s policy to the insured, a real estate brokerage firm.  The policy contained a forgery provision, providing specified coverage for loss “resulting directly from ‘forgery’ or alteration of, on, or in any check, draft, promissory note, bill of exchange, or similar written promise, order or direction to pay a sum certain,” and defined “forgery” as “the signing of the name of another person or organization with intent to deceive.”  The policy also contained a malicious code exclusion, precluding coverage for loss “caused directly or indirectly” from “malicious code,” which was defined in the policy to include, among other things, “computer viruses.”  The insured real estate brokerage firm maintained bank accounts with a third-party bank and used that bank’s online system to make payments from its accounts.  Thieves logged into the bank’s online system with login credentials they obtained from an employee of the insured using a key-logger computer virus.  The thieves authorized over $188,000 in payments from a client escrow account to several other bank accounts.  The insured filed a claim under the policy, seeking coverage for the unrecovered amounts stolen from its bank accounts.   The insurer denied coverage, citing the policy’s forgery provision and malicious code exclusion.  In this subsequent coverage action, the district court granted summary judgment in favor of the insurer, and the insured appealed.

On appeal, the Eleventh Circuit held that the policy’s forgery provision did not provide coverage for the stolen funds.  The court held that the electronic fund transfers by the thieves did not involve a “check, draft, promissory note, [or] bill of exchange,” nor did the transfers constitute a “written promise, order or direction to pay” that was “similar” to the enumerated instruments.  Specifically, the court observed that both federal and Georgia law distinguish electronic fund transfers from traditional banking transfers made by check, draft, or bill of exchange, citing the federal Electronic Transfer Fund Act and the Georgia Uniform Commercial Code.  In addition, the court found that the theft did not involve the “signing of [a] name,” even though the policy provided that electronic signatures would be considered the same as handwritten signatures, because there was no evidence that the login credentials constituted a “signature.”  In so holding, the court declined to apply Allstate Insurance Co. v. Renshaw, 258 S.E.2d 744 (Ga. Ct. App. 1979), which held that the theft of an insured’s bank card and PIN constituted a “forgery” under the homeowner’s policy at issue because that policy did not define “forgery.”

The appellate court also concluded that coverage was precluded by the policy’s malicious code exclusion.  In so holding, the court rejected the insured’s argument that the computer virus did not in fact “cause” its loss because of the intervening conduct of the thieves.  The court concluded that the broad, unambiguous language of the exclusion precluded coverage “regardless of any other cause or event that contributes concurrently or in any sequence to the loss.”