A source of computer fraud is the rogue employee or authorized user who abuses access to a network system for unlawful purposes. Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.
In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning of “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes. Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015), held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.
In the case, the insured Universal American Corp. (“Universal”) was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as medical advantage plans. (Please note, because the decision was published only yesterday, page references currently are unavailable.) Universal had a computerized billing system that allowed health care providers to submit bills for the medical advantage plans directly into the system. A majority of such claims were approved and paid by Universal automatically and without manual review. Universal ultimately suffered over $18 million in losses for payments of fraudulent claims for services that were never performed under the plans.
Universal sought coverage under an insurance policy, which provided coverage by endorsement for computer systems fraud. The endorsement stated as follows:
It is agreed that:
the attached bond is amended by adding an Insuring Agreement as follows:
COMPUTER SYSTEMS FRAUD
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System
provided that the entry or change causes
(a) Property to be transferred, paid or delivered,
(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or
(c) an unauthorized account or a fictitious account to be debited or credited[.] (Emphasis added)
The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.
In the ensuing coverage litigation, the trial court granted the insurer summary judgment. Focusing on the words “fraudulent,” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus. The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”
The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous. The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.” The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:
The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993]). While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.). In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program. Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system. The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself. [Emphasis added.]
According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”
In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.” The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:
This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.” Of course, that is not what the [endorsement] says.
Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.
Questions are welcome.