As published in The Chicago Daily Law Bulletin
Computers begot computer crime which begot risk and loss which begot insurance which begot claims which begot denials which begot litigation which begot a practice specialty no one imagined ten years ago.
Lisa Campisi works in that practice area.
I was impressed when I heard her speak at an insurance coverage conference in Phoenix. She represents policyholders in cyber insurance cases.
“I've worked with all manner of insurance policies: cyber crime, as we've been talking about, ‘cyber coverage’/data breach coverage (which is distinct from cyber crime), environmental, D&O, general liability, product liability, crime, fidelity bonds. You name it, I've probably worked on it. Political risk, credit risk, et cetera. I have a broad familiarity with the way insurance works and insurance coverage principles and the law in the varying states and its favorability or non-favorability to policyholders.”
So, businesses buy insurance to protect against cyber crime and when a crime happens, they make claims which get paid. Easy, right? Not quite.
“When a policyholder is a victim of a phishing or a social engineering crime--which is where someone essentially tricks the policyholder, either via email, phone call, or some combination thereof to transfer the policyholder's monies to the fraudster--the policyholder will usually first think, ‘Well, my broker told me I have cyber coverage, so I should go to my cyber policy and try to get recovery under that.’
“What the policyholder quickly learns is that cyber policies are really designed to protect against liabilities involving data breaches. It could be losses that the policyholder has suffered because, like the Target example, the customers' data has been released when it shouldn't have been. Then the policyholder is going to have obligations to pay for credit monitoring and notifications to the policyholder’s customers, that the customers’ data has been released. It could also pay for lawsuits against the policyholder because the customers sue the policyholder, for example.
“What the policies generally don't protect against is what one thinks of when one reads about these scary phishing incidents, namely that the policyholder has been defrauded by somebody through the use of a computer, and the policyholder lost their money on account of that fraud.
“Instead, if the coverage for such an incident will be anywhere, it's likely to be in a crime policy. As I mentioned when you saw me on the panel, what phishing really is, is just a form of theft, right? It's just a way to steal money from people using a computer.
“Over the course of time, a lot of crime policies now have computer fraud riders, which purport to allow for coverage in the event of a ‘computer fraud.’ Again, when you think of what phishing is, from a layperson's perspective, one would think that something called a computer fraud endorsement or a computer fraud rider would cover such a thing. On the one hand, someone's using a computer and on the other hand, they are doing something fraudulent to the detriment of the policyholder.
“In reality, it often doesn't work that way. There's been a lot of litigation lately involving these computer fraud riders. The policyholders have had mixed results.”
In American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir. 2018), a district court in Michigan upheld an insurer’s denial of coverage for a computer fraud claim. Basically someone called up and said, ‘Give me the account information, and can you please send the money over here.’ The policyholder did it, and they lost their money. Relying on a line of Sixth Circuit cases concerning fidelity bonds, the district court held that the loss was not “direct” as required by the policy because the insured transferred the money to someone fraudulently impersonating the insured’s customer and the insured did not discover the fraud until a few days after the fraudulent contact.
What exactly constitutes a “direct” loss is an issue with far-reaching implications. In American Tooling the appellate court reversed and found coverage. The insurer asked for rehearing en banc, which was denied. Was it still a direct loss despite the passing of a few days before the money was transferred?
In a Virginia case, an exclusion for ATM and debit card losses was used by the insurance company to deny a computer fraud claim made by a bank after the bank’s systems had been infiltrated by fraudsters who manipulated their ATM system for two million dollars.
Some policies have endorsements defining social engineering fraud only where someone is impersonating a vendor, client or employee. Crime committed by others not falling into those categories may not be covered. Campisi thinks that insurers may try to exclude many types of computer fraud on that basis.
Another exclusion is loss due to the extension of any loan, credit or similar promise to pay, again potentially excluding quite a number of fraud scenarios, especially for commercial institutions.
Some policies now have separate social engineering endorsements, in addition to computer fraud riders, tailored to address phishing and social engineering.
Whether these endorsements truly add anything is a valid question. They still appear to rely on the same language about the loss having to be direct. Additionally, coverages under these riders may have lower limits and be subject to another endorsement which may say the insurer need only pay the lower of the coverage limits.
Campisi has four lessons for policyholders:
- Read your policy. Be sure you’re getting what you think you’re getting. Campisi says, “When you read an insurance policy, they’re dense. It’s not an accident. They’re very hard to understand. They’re rife with exceptions and exclusions and defined terms. Those terms are going to be what drives whether or not you have the coverage that you need and think you have.”
- Hire a lawyer before you buy. “If I had represented the bank in the above case, and I had seen this ATM exclusion, I would have been like, ‘Well what’s this? You’re a bank. How can you have an exclusion for ATMs when you’re a bank?’”
A lawyer has to know and fully understand the insured’s business and consider all possible risks and acceptable exclusions.
The defined terms have to be carefully reviewed, the exclusions and endorsements and anything that might lower limits such as a social engineering endorsement must be thoroughly considered.
Also important is knowledge of jurisdiction and choice of law. A corporation may be headquartered in New Jersey but have core operations in New York, and, according to Campisi, the law in those two states could not be more different.
Campisi notes that a GC, risk manager or broker may not necessarily understand these complex issues. “It really does take a keen eye to look at the language and ensure that you’re getting something for your money.”
- Shop around, get different quotes and don’t hesitate to negotiate terms. Get quotes from different carriers and consider that some terms may be negotiable. Don’t decide on price alone. If you ever need the coverage, it won’t be much comfort that you saved a few dollars.
- Know your insurer. There can be quite a bit of variety in claims handling practices.
Lisa Campisi’s last words of advice: “Don’t take no for an answer. Call a lawyer.”