On May 20, 2016, the U.S. Court of Appeals for the Eighth Circuit affirmed breach-of-contract claims brought by Minnesota-based State Bank of Bellingham (“Bellingham Bank”) against BancInsure Inc. (“BancInsure”), an insurance company that refused to provide coverage when the bank suffered losses after a criminal third party hacked the bank’s computer system and transferred funds to a foreign bank account.
Bellingham Bank used the Federal Reserve’s FedLine Advantage Plus system to make wire transfers. On October 27, 2011, a Bellingham Bank employee used protected information, as well physical tokens (inserted in the computer), to complete a wire transfer on this system. But the employee left the tokens in the computer and left the computer running at the end of the day. When she returned to work the next day, she discovered that two unauthorized transfers were made from Bellingham Bank’s Federal Reserve account to a bank in Poland, resulting in a loss for the bank of $485,000.
In 2010—before the fraudulent transfer—BancInsure sold Bellingham Bank a financial institution bond, “which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud.” BancInsure completed an investigation of the fraudulent transfer and discovered that Bellingham Bank’s computer system had been infected with a virus (the “Zeus” virus). BancInsure then refused to cover the fraudulent transfer because the bond excluded coverage for “employee-caused loss.” In other words, because the employee negligently left the tokens in the computer, allowing the hacker to gain access to the computer system, BancInsure believed that the employee “caused” the bank’s losses.
The Eighth Circuit disagreed with BancInsure, holding that, although the employee may have been negligent, the hacker’s fraudulent transfers were not a “foreseeable and natural consequence” of that negligence. The court considered the facts in the context of the Minnesota concurrent-causation doctrine, which seeks to distinguish the “overriding cause” from other concurrent causative factors. According to the court: “Even if the employee’s negligent actions ‘played an essential role’ in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not ‘certain’ or ‘inevitable.’” Instead, the court concluded: “The ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”
The court’s decision will benefit cyber policyholders that are the victims of hacking incidents whose cyber coverage is denied for alleged “failure to maintain adequate security measures.” It’s important to note, however, that the court limited its decision to bonds and insurance policies covered by the Minnesota concurrent-causation doctrine, and indeed, certain insurance policies in other jurisdictions may exclude coverage for similar situations. For example, in Metro Brokers, Inc. v. Transportation Ins. Co., the U.S. Court of Appeals for the Eleventh Circuit held that an insurance policy did not cover losses resulting from the use of the same malware (the “Zeus” virus) to hack an escrow bank account because the insurance policy contained a “malicious code” clause that stated that the policy did not cover losses “caused directly or indirectly” by malicious code “regardless of any other cause or event that contributes concurrently or in any sequence to the loss.” 603 F. Appx. 833, 836 (11th Cir. 2015).
The case is State Bank of Bellingham v. BancInsure Inc. n/k/a Red Rock Insurance Co., case number 14-3432, in the U.S. Court of Appeals for the Eighth Circuit.
Reporter, Bethany Rupert, Atlanta, +1 404-572-3525, brupert@kslaw.com.
