The U.S. District Court for the Eastern District of Pennsylvania ruled that an insurance policy issued by Federal Insurance Co. excluded coverage for the transmission of $1.3 million by the insured in response to an email request from a hacker purporting to be one of the insured’s business partners.
The insured, Construction Financial Administration Services (CFAS), was a third-party construction funds administration company that disbursed funds for contractors whose clients required performance and payment bonds from sureties. CFAS contracted to administer project payments for another company, SWF Constructors. Their contract provided for CFAS to receive an itemized budget of project costs, including the name, subcontract price, and contact information for each subcontractor or supplier on the project. CFAS was also to be provided copies of payment applications, a disbursement voucher summary for each payment, an identification of what line item funded the payment, and a waiver and release form signed and notarized for each subcontractor to be paid from the disbursement account. The contract also contained two “indemnification” clauses: one indemnifying CFAS against any and all liabilities or losses “arising out of or relating to CFAS’s activities pursuant to this agreement” and a second providing that “CFAS shall not be liable for … any claims or remedies … arising out of any breach of this Agreement by CFAS, CFAS’s disbursement or handling of the Disbursement Account.”
CFAS received an email request from a hacker purporting to be an employee of SWF. The email requested that CFAS make a payment of $600,000 from SWF’s disbursement account to a company in Hong Kong named HK Canopy Technology Ltd. HK was not listed in the budget, nor had CFAS received a copy of an agreement between HK and SWF, a disbursement voucher for the payment, any identification of the line item associated with the payment, or a waiver or release signed by HK. Nevertheless, CFAS authorized the $600,000 payment on the same day the request was received. The next day, CFAS received another request for payment to HK, this time for $700,000. Again, the request did not include any of the documentation required by CFAS’ agreement with SWF and, again, CFAS processed the payment on the same day it received the request.
After authorizing the second payment, CFAS sent an email to SWF requesting additional documentation. SWF denied requesting or approving the transfers. Thereafter, CFAS contacted the bank and law enforcement, eventually recovering approximately $127,000. Before contacting Federal, CFAS borrowed $1 million and placed it into the disbursement account to avoid SWF’s default on payments owed to actual subcontractors.
CFAS then made a claim under the policy issued by Federal for the $1.3 million. Federal denied the claim, reasoning that because SWF alleged CFAS “improperly transferred funds … based on a fraudulent email stream,” the matter was therefore based upon, arose from, or was in consequence of “the unauthorized access to or use of a computer program, software, computer, and/or computer system.” As such, Federal advised that coverage was excluded by the policy’s unauthorized network access exclusion endorsement. CFAS filed suit asserting that Federal had breached its contract by wrongfully denying coverage.
CFAS claimed Federal’s denial was improper because the claim against it was not “based upon, arising from or in consequence of” any unauthorized access or use of a computer system, as necessary to implicate the policy exclusions. CFAS argued that its failure to obtain the proper paperwork was a proximate cause of the fraudulent transfer, in addition to the hacker’s unauthorized access to the computer system and emails to CFAS. CFAS argued that coverage is not excluded where “there is more than one cause of an injury and only one of the causes is excluded.” The court disagreed that the failure to obtain the proper paperwork was sufficient to bring the claim within the policy’s coverage, holding that it was not an independently occurring cause of the injury. “The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails.”
In addition, the court noted the broad language of the exclusion, which applied to injuries “based upon, arising from or in consequence of any unauthorized” access to any computer program or network. The court held that the plain and ordinary meaning of the phrase “in consequence of” expanded the excluded perils to include “a result that follows as an effect of something that came before.” The court had “no doubt” that the transfers were completed as a result of the fraudulent emails. Thus, “even under the narrowest construction,” the court found the exclusion still applied to the insured’s claim.
Separate from the unauthorized access exclusion, the court also found no coverage for CFAS’ claim due to its failure to comply with its obligations to provide timely notice and to refrain from entering any settlement or making any admission without Federal’s consent. Federal argued that its ability to assert defenses to SWF’s claim pursuant to the indemnification clauses in CFAS’ contract with SWF was prejudiced by CFAS’ unilateral decision to pay SWF’s subcontractors. Rather than presenting Federal with notice of a potential claim, “CFAS presented a settled claim, giving [Federal] no chance to investigate or evaluate any available options given the situation, as agreed upon in the Policy.” The court held that Federal should not be held liable for the obligation assumed by its insured for this additional reason.