Federal Court ‘Unauthorized Network Access Exclusion’ Rules Exclude Coverage of $1.3M Payment from Fraudulent Hacker Email | Carlton Fields
The U.S. District Court for the Eastern District of Pennsylvania ruled that an insurance policy issued by Federal Insurance Co. excluded coverage for the transmission of $1.3 million by the insured in response to an emailed request from a hacker claiming to be one of the insured’s business partners. .
The insured, Construction Financial Administration Services (CFAS), was a third-party construction fund administration company that disbursed funds to contractors whose clients required performance and payment bonds. CFAS has agreed to administer the project payments for another company, SWF Constructors. Their contract provided that CFAS would receive a detailed budget of project costs, including the name, subcontract price, and contact information for each subcontractor or vendor on the project. The SCFA should also receive copies of payment requests, a summary of the disbursement voucher for each payment, identification of the budget line funding the payment, and a signed and notarized waiver and release form for each subcontractor to be paid. from the disbursement account. The contract also contained two “indemnification” clauses: one indemnifying CFAS against all liabilities or losses “arising out of or relating to the activities of CFAS under this agreement” and a second stating that “CFAS shall not be liable for … any claim or remedy … arising out of any breach of this Agreement by CFAS, the disbursement or CFAS’s maintenance of the disbursement account. »
CFAS received an email request from a hacker claiming to be an employee of SWF. The email asked CFAS to make a payment of $600,000 from SWF’s disbursement account to a Hong Kong company named HK Canopy Technology Ltd. HK was not in the budget and CFAS had not received a copy of an agreement between HK and SWF, a disbursement supporting payment, any line identification associated with the payment, or a waiver or release signed by HK. Nevertheless, the CFAS authorized payment of $600,000 the same day the request was received. The next day, CFAS received another request for payment from HK, this time for $700,000. Again, the request did not include any of the documents required by CFAS’s agreement with SWF, and again, CFAS processed the payment the same day it received the request.
After authorizing the second payment, CFAS emailed SWF requesting additional documentation. SWF denied requesting or approving the transfers. Subsequently, CFAS contacted the bank and law enforcement, ultimately recovering approximately $127,000. Prior to contacting Federal, CFAS borrowed $1 million and placed it in the disbursement account to avoid default by SWF on payments due to actual subcontractors.
CFAS then made a claim under the policy issued by Federal for the $1.3 million. Federal dismissed the allegation, finding that because SWF alleged that CFAS “improperly transferred funds … based on a fraudulent email stream”, the case was therefore based on, arose out of, or was the consequence of “unauthorized access to or use of a computer program, software, computer and/or computer system. As such, Federal has indicated that coverage is excluded by the Access Exclusion Endorsement unauthorized to the police network CFAS filed a lawsuit alleging that Federal violated its contract by wrongfully denying coverage.
CFAS asserted that Federal’s denial was improper because the claim against it was not “based on, resulting from, or as a result of” any unauthorized access to or use of a computer system, as necessary to implicate the disclaimers of politics. CFAS argued that its failure to obtain the proper documentation was a proximate cause of the fraudulent transfer, in addition to the hacker’s unauthorized access to the computer system and emails addressed to CFAS. The CFAS argued that coverage is not excluded when “there are multiple causes of injury and only one of the causes is excluded”. The court disagreed that failure to obtain proper documentation was sufficient for the claim to be covered by the policy, finding that it was not an independent cause of the injury . “The existence of the loss was not dependent on the existence (or lack thereof) of the documentation, but rather the unauthorized emails.”
Additionally, the court noted the broad wording of the exclusion, which applied to injuries “based on, arising out of, or as a result of any unauthorized access” to any computer program or network. The court held that the plain and plain meaning of the phrase “as a result of” expanded the excluded perils to include “a result which arises from a prior event”. The court had “no doubt” that the transfers had been made through the fraudulent emails. Thus, “even under the narrowest interpretation,” the court concluded that the exclusion still applied to the insured’s claim.
Apart from the unauthorized access exclusion, the court also found no coverage for CFAS’s claim due to its failure to comply with its obligations to provide timely notice and refrain from entering into a settlement or make an admission without Federal’s consent. Federal argued that its ability to assert defenses to SWF’s claim under the indemnification clauses of CFAS’s contract with SWF was impaired by CFAS’s unilateral decision to pay SWF’s subcontractors. Rather than file a notice of potential claim with Federal, “CFAS filed a settled claim, giving [Federal] no chance to investigate or assess the options available given the situation, as agreed in the policy. The court ruled that Federal should not be liable for the obligation assumed by its insured for this additional reason.