New York’s Top Court Rules That Computer Fraud Coverage Applies To Unauthorized “Hacking,” But Not To Authorized Users Who Supplied Fraudulent Data

August 3, 2015

New York’s Top Court Rules That Computer Fraud Coverage Applies To Unauthorized “Hacking,” But Not To Authorized Users Who Supplied Fraudulent Data

The New York Court of Appeals, New York’s highest court, has ruled that an insurance agreement that provided coverage for “a fraudulent entry of Electronic Data or Computer Program” into the insured’s computer system did not encompass losses caused by an authorized user’s submission of fraudulent information into the system. Rather, the Court ruled in a unanimous decision that the agreement was “unambiguous” and “fraudulent entry” referred to unauthorized access into the insured’s computer system – that is, hacking – and not to content submitted by authorized users.

Background

Universal American Corp. is a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as “Medicare Advantage Private Fee-For-Service” plans. These plans allow Medicare-eligible individuals to purchase health insurance from private insurance companies. Those companies are, in turn, eventually reimbursed by the U.S. Department of Health and Human Services’ Centers for Medicare and Medicaid Services for health care services provided to the plans’ members.

Universal’s computerized billing system allows health care providers to submit claims directly to the system. According to Universal, the great majority of claims submitted are processed, approved, and paid automatically, without manual review.

The company was insured under a financial institution bond issued by National Union Fire Insurance Company of Pittsburgh, Pa., for various losses, including certain losses resulting from dishonest and fraudulent acts. Rider #3 (the “Rider”) of the bond provided indemnification specifically for computer systems fraud, including loss resulting directly from “a fraudulent … entry of Electronic Data or Computer Program” into, or “a fraudulent … change of Electronic Data or Computer Program” within, its computer system. The Rider, and the basic bond coverage, carried a $10 million limit and a $250,000 deductible for each “single loss”.

After it purchased the bond, Universal claimed that it suffered over $18 million in losses for payment of fraudulent claims for services that had never actually been performed under its Medicare Advantage plans. When Universal sought payment from National Union pursuant to the Rider for its post-deductible losses, National Union denied coverage on the ground that the Rider did not encompass losses for Medicare fraud, which National Union described as losses from payment for claims submitted by health care providers.

The Lower Court Rulings

Thereafter, Universal sued National Union for damages and declaratory relief in a state court in New York, and National Union moved for summary judgment.

The trial court ruled in favor of the insurer, concluding that the Rider was not ambiguous and did not extend to fraudulent claims entered into Universal’s system by authorized users. The trial court determined, instead, that the intended coverage was for an unauthorized entry into the computer system by a hacker or through a computer virus.

The Appellate Division, First Department, modified the summary judgment order, on the law, to declare that the policy did not cover the loss, and otherwise affirmed. The appellate court concluded that the unambiguous language of the policy did not cover fraudulent content entered by authorized users but, rather, covered “wrongful acts in manipulation of the computer system” such as “by hackers.”

Universal appealed to the New York Court of Appeals.

The New York Court of Appeals Decision

The Court of Appeals affirmed the appellate court’s ruling, concluding that the Rider “unambiguously” applied to “losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”

In its decision, the Court observed that the term “fraudulent” was not defined in the Rider, but it said that it referred to “deceit and dishonesty.” The Court also found that although the Rider also did not define the terms “entry” or “change,” the “common definition” of “entry” included “the act of entering” or “the right or privilege of entering, access,” and “change” meant “to make different, alter.”

Continuing its analysis of the language in the Rider, the Court ruled that the word “fraudulent” modified “entry” or “change” of electronic data or computer program, meaning it qualified the act of entering or changing data or a computer program. Thus, the Court held, the Rider covered losses “resulting from a dishonest entry or change of electronic data or computer program, constituting … ‘hacking’ of the computer system.”

The Court made it clear that the Rider’s reference to “fraudulent” did not also qualify what was actually acted on, namely the “electronic data” or “computer program” itself. In the Court’s view:

The intentional word placement of “fraudulent” before “entry” and “change” manifest[d] the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.

Although further analysis was not necessary, the Court reasoned that other language in the Rider confirmed that the Rider sought to address unauthorized access. The Court first noted that the Rider was captioned “Computer Systems,” and that the specific language the Court interpreted in its decision was found under the subtitle, “Computer Systems Fraud.” These headings, the Court said, clarified that the Rider’s focus was on “the computer system qua computer system.”

Next, the Court observed that under “EXCLUSIONS,” the Rider exempted from coverage losses resulting directly or indirectly from fraudulent instruments “used as source documentation in the preparation of Electronic Data, or manually keyed into a data terminal.” In the Court’s view, if the parties intended to cover fraudulent content, such as the billing fraud for which Universal sought coverage, “there would be no reason to exclude fraudulent content contained in documents used to prepare electronic data, or manually keyed into a data terminal.”

The Court concluded that the “reasonable expectations” of the average insured upon reading the policy were that the Rider applied to losses resulting directly from fraudulent access, not to losses from the content submitted by authorized users.

Issues related to cyber-security and the protection of sensitive information will undoubtedly increase in the coming years.  This will necessarily trigger an increase in claims under the Computer Fraud coverage in commercial property policies.  This important decision by New York’s highest Court helps to define, and in this case limit, the scope of this coverage.

The case is Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 2015 N.Y. Slip. Op. 05516 (N.Y. June 25, 2015).

Legal updates and news delivered to your inbox