Eleventh Circuit Rules In Favor Of Insurer Over Computer Fraud Claim

Last week, the Eleventh Circuit in InComm Holdings, Inc. v. Great American Insurance Company affirmed a district court decision holding that an insurer is not obligated to reimburse a prepaid debit card processor for a $10.7 million loss.

The insured operated a network that sells “chits,” each of which has a specific monetary value, to consumers who redeem those chits by loading their value onto a debit card. After purchasing a chit at a retailer like CVS or Walgreens, the consumer dials InComm’s 1-800 number to redeem the chit and have its value moved to a debit card. InComm used an interactive voice response computer system that processed consumers’ voice requests or telephone touch codes as part of the redemption transaction.

The Eleventh Circuit identified four steps in the process: (1) a call is made to the InComm 1-800 number to redeem a chit; (2) InComm transfers funds equivalent to the value of the redeemed chit to the bank that issued the debit card; (3) debit card users make purchases from a merchant, incurring a debt to be paid from the InComm-earmarked bank account; and (4) the bank transfers money from the account to the merchant to cover the purchase made by the card holder.

Between November 2013 and May 2014, fraudsters exploited a vulnerability in InComm’s computer system that allowed multiple redemptions for a single chit. The criminals would make two or more simultaneous calls to the IVR system, with one call requesting the transfer of funds from the chit to the debit card account, and another call requesting the chit be “unredeemed” so that it could be redeemed again on a future date. Over seven months, InComm’s system processed over 25,000 fraudulent redemptions associated with almost 2,000 chits. The fraudulent redemptions cost InComm $11.4 million, with a $10.7 million loss associated with one particular bank.

InComm sought coverage for the $10.7 million loss under a computer fraud policy that provided coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer of…property from inside the premises or banking premises….” The district court granted the insurer’s motion for summary judgment on grounds that the fraud was not accomplished through “the use of a[] computer” and that the loss did not “result[] directly” from the use of a computer.

The Eleventh Circuit disagreed with part of the district court’s reasoning but ultimately affirmed its decision. It disagreed with the district court’s holding that the phone calls did not constitute “use” of a computer. The court determined there was nothing in the policy language requiring that the use of the computers be knowing. Although phones and computers are different devices, the Eleventh Circuit determined that the fraudsters “us[ed] the phones to manipulate – and thereby use – the IVR computers.”

The Eleventh Circuit affirmed the district court opinion because the loss did not “result directly” from the use of the computer system. It determined “one thing results ‘directly’ from another if it follows straightaway, immediately, and without any intervention or interruption.” The court determined the temporal lag between when the fraud was committed and when the loss occurred resulted in a finding of no coverage. While InComm argued that it sustained loss in step 2, when it transferred the funds to the bank, the Eleventh Circuit relied on evidence indicating InComm had the ability to intervene and halt the disbursement of funds up until step 4, when the bank transferred the funds to the merchants. Because “days or weeks – even months or years – could pass between the fraudulent chit redemption [step 1] and the ultimate disbursement of the fraud tainted funds [step 4],” the loss was too remote in time to “result directly” from fraud.

The InComm decision demonstrates how each word in a policy can impact the scope of coverage available to an insured. As fraudsters continue to identify new schemes to take advantage of new technologies, it is important to understand the technical aspects of these fraudulent schemes and how they interact with the specific policy language.