No More Chits to Call In: Computer Crime Policy Does Not Cover Fraudulent Transaction

In Interactive Communications International, Inc. v. Great American Insurance Company, a lawsuit closely monitored by those in the cyberinsurance space, the Eleventh Circuit affirmed a Georgia federal court’s decision, finding an insurance policy’s “Computer Fraud” coverage did not extend to certain losses caused by fraudsters. The decision comports with other recent decisions finding that social engineering fraud schemes do not satisfy the policy’s requirement of losses resulting directly from the use of a computer.

Here, the devil was in the details. InComm operated a business that sold “chits” to consumers containing a money value which could then be loaded onto a debit card. To redeem the value of the chits, consumers called InComm’s 1-800 number and were connected with an interactive voice response (IVR) computer system. The IVR system, which used eight computers, would then credit the value of the chit on the debit card after receiving the proper information. The consumer then had immediate access to the funds. Notably, InComm was contractually required to transfer the value of the funds to the card-issuing bank within 15 days.

A problem arose when fraudsters began to exploit a vulnerability in the IVR system by attempting multiple redemptions of the same card concurrently. As a result, InComm lost $11.4 million, including $10.7 million in connection with debit cards issued by Bancorp. InComm turned to its commercial crime policy, and specifically, its Computer Fraud coverage. That coverage applied to losses “resulting directly from the use of any computer to fraudulently cause a transfer . . . .” Great American disputed coverage for the loss, and a coverage action ensued.

The district court initially granted summary judgment in favor of Great American since: (1) the fraud was not accomplished through the “use of a computer,” and (2) the loss did not “result directly” from the computer fraud. In affirming the district court, the Eleventh Circuit agreed with the latter determination but not the former.

In reviewing the “use of a computer” requirement, the Eleventh Circuit concluded the manipulation of the IVR system fit comfortably within the plain meaning and dictionary definition of “use.” As a result, the Eleventh Circuit rejected the district court’s narrow reading of the “use of a computer” provision. Nevertheless, the Eleventh Circuit agreed that Incomm’s losses did not result directly from the fraudsters’ use of the IVR system. In so holding, the court concluded the phrase “resulting directly” meant to follow straightaway or immediately — a showing of proximate causation is insufficient. Because several intervening acts occurred between the fraud and the resultant loss of funds, Incomm’s losses did not result directly from the fraud. The court found compelling four steps in the transmission of the fraud which revealed that InComm had the ability to halt the fraudulent disbursements.

In sum, this decision is notable for its analysis of the Computer Fraud coverage part and the court’s in-depth reading of the relevant policy provisions. Most important, this decision shows how in the context of social engineering fraud, direct still means direct. As three other social engineering fraud coverage decisions remain pending before federal circuit courts, including one before the Eleventh Circuit, we will continue to monitor and report on this all-too-important line of cases.

Read the full decision here.