The United States Court of Appeals for the Eleventh Circuit, applying Georgia law, has affirmed a district court’s ruling that a fraudulent scheme, which used telephones to exploit a coding vulnerability in the insured’s computer system and ultimately led to a loss, was not covered under a computer fraud provision in a commercial crime policy.  Interactive Commc’ns Int’l v. Great Am. Ins. Co., 2018 WL 2149769 (11th Cir. May 10, 2018).  Unlike the district court, however, the appellate court held that the scheme involved the “use of a[] computer.”  A summary of the district court opinion can be found here.

The insured managed a prepaid card program.  As part of the program, cardholders would load funds onto prepaid cards issued by banks.  To load funds, the cardholders called a designated telephone number and entered certain information.  As a result of the coding error in the insured’s computer system, cardholders were able to call into the system from multiple phones at the same time and make multiple loads, which enabled them to access more funds than they purchased.  Before the insured fixed the coding error, cardholders made approximately $10.3 million in unauthorized redemptions.  As required by contract, the insured paid that amount to the issuing bank.

The insured sought coverage under a computer fraud provision in its commercial crime policy, which afforded coverage for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: a. to a person (other than a messenger) outside those premises; or b. to a place outside those premises.”  The insurer denied coverage, and coverage litigation ensued.  The district court granted summary judgment in favor of the insurer, holding that the loss did not fall within the scope of the crime policy’s coverage.

On appeal, the court affirmed the decision in favor of the insurer on the grounds that the loss did not “result directly” from the use of a computer.  The court disagreed with the district court, however, and found that the scheme in fact involved the “use of a[] computer” in the first place.

With regard to the threshold issue, the appellate court noted that the insured’s redemption system consisted of eight computers that processed transactions from cardholders.  The court also described how certain cardholders manipulated the computer system through use of telephones.  Looking to dictionary definitions of “use,” the court reasoned that the cardholders “used” the computer system at issue because they “interfaced directly with the … computer system to effectuate their duplicate redemptions.”  The court thus ruled that the fraud was perpetrated through the “use of a[] computer” as required by the policy.

The court then analyzed whether the loss “result[ed] directly” from the cardholders’ use of the computer system.  On that issue, the court applied the plain language and found the “direct” language to be “unmistakable” – holding that “one thing results ‘directly’ from another if it follows straightaway, immediately, and without any intervention or interruption.”  Applying that test to the facts at hand, the court determined that, while the cardholders’ manipulation of the computer set into motion the chain of events that led to the insured’s loss, the use of computers did not do so “directly” – or immediately and without intervention or interruption – as there were several steps between the fraudulent manipulation and the insured’s ultimate loss.  The court also concluded that the “loss” occurred not when the insured transferred money to an account at the issuing bank, but instead when the issuing bank transferred those funds to the merchant to cover purchases made with fraudulently obtained funds.  For that reason, the court affirmed the district court ruling that no coverage was available under the policy.