New York Court of Appeals Holds that a Financial Institutions Bond Covering Computer Systems Fraud Applies To Hacking Incidents, Not Fraudulent Entries By Authorized Users
Recently, the highest court in New York applied the language of a financial institution bond to deny coverage for losses that arose from the entry of fraudulent claims into an insured’s computer systems by authorized users. Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, No. 95, 2015 WL 3885816 (N.Y. June 25, 2015). Universal American Corp. is a health insurer that allows health providers to submit claims directly into its computer system. It allegedly suffered over $18 million in losses for payments of fraudulent claims for services never actually performed. The subject financial institution bond contained a rider covering “Computer Systems Fraud,” which it defined as “losses resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s Proprietary Computer System”. However, the bond excluded “losses resulting directly or indirectly from fraudulent instruments which are used as source documentation in the preparation of Electronic Data, or manually keyed into a data terminal.” National Union Fire Insurance Company of Pittsburgh, PA denied coverage. Like the lower courts, the Court of Appeals ruled in its favor. The Court of Appeals concluded that the rider provided coverage for losses incurred through unauthorized access to the computer system, i.e., acts of outside hackers, but not for losses from fraudulent information entered by authorized users.