A Georgia federal district court has held that a fraudulent scheme using telephones to exploit a computer coding vulnerability in the insured’s system that ultimately led to a loss was not covered under a computer fraud provision in a commercial crime policy.  Incomm Holdings, Inc. v. Great Am. Ins. Co., 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017).

The insured managed a prepaid card program.  As part of the program, cardholders would load funds onto prepaid cards issued by banks.  To load funds, the cardholders called a designated telephone number and inputted certain information.  As a result of the coding error in the insured’s computer system, cardholders were able to call into the system from multiple phones at the same time and make multiple loads, which enabled them to access more funds than they purchased.  Before the insured fixed the coding error, cardholders made approximately $10.3 million in unauthorized redemptions.  As required by contract, the insured paid that amount to the issuing bank.

The insured sought coverage under a computer fraud provision in its commercial crime policy, which afforded coverage for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: a. to a person (other than a messenger) outside those premises; or b. to a place outside those premises.”  The insurer denied coverage, and coverage litigation ensued.

The district court granted summary judgment in favor of the insurer, holding that the loss did not fall within the scope of the crime policy’s coverage.

First, the court ruled that the loss was not caused by the “use[] of a computer.”  The court noted that each cardholder used a phone – which is not a “computer” – to make fraudulent redemptions.  The court also rejected the notion that the cardholders “used” the insured’s computer system, observing that “[l]awyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain – between the perpetrators’ conduct and the loss – unreasonably strain the ordinary understanding of ‘computer fraud’ and ‘use of a[] computer.’”

As an alternate basis for its ruling, the court determined that the incident did not involve the “loss of … money … resulting directly from” computer fraud.  The court reasoned that the “loss” at issue was not the insured’s payment to the issuing bank, but instead occurred when the payments were made to merchants from the cardholder funds.  As such, the court ruled that the “loss” was not caused “directly” by the fraudulent customer loads, but instead the loss was caused “directly” by the insured’s decision to transfer funds to the bank, as required by its contract.