Written on January 25, 2011.
Back from the Fidelity conference in NY just in time to answer the question – why are there only nine cases on computer fraud coverage in the US?
When the presenter at the Fidelity and Surety conference in New York began her presentation on computer fraud coverage by saying there were only nine cases in the US dealing with computer fraud coverage, I must admit I was shocked. I would have thought that since computers are now being used more frequently in the commission of crimes, we would see a lot more computer fraud coverage cases coming out of the courts.
After listening to the presentation, it dawned on me: all the reasons given by the presenter make sense, but for me, the primary reason, although not the primary reason given by the presenter, is simply reputation. The reputational risk to the financial institution or the organization in having to acknowledge that someone hacked into their secure network and stole data or transferred money is a business killer. The public wants to feel secure in knowing that their money or precious belongings are being stored in a safe place, and this trust can be easily destroyed with the admission that “our computer system was hacked”.
Does it matter whether it’s an outside job or carried out by someone on the inside? From where I stand, as a member of the “public”, no. But it does matter for the definition of what a computer fraud is under most insuring agreements in the US.
Of the reported cases in the US on computer fraud coverage, there are some general principles that can be drawn that explain why there are so few cases. The primary reason given by the presenter was that the definition of computer fraud used in many insuring agreements is very narrow, making it difficult for an insured to fall within the covered definition. In particular, most coverage forms require the fraud to be perpetrated by a third party who has unauthorized access to the system (the “hacker”), and the property being stolen must be “tangible”. Since most of what is stolen is information, an intangible asset, the insured would likely not have coverage. Even if the insured could get past the first two hurdles, there still remains the requirement that the loss must result directly from the computer fraud. The mere fact that a computer was involved in the fraud does not satisfy this requirement. Most courts in the US are of the opinion that direct means direct. There is a recent US case, Owens, Schine & Nicola, P.C. v. Travelers Casualty and Surety Company of America, No. CV95024601, 2010 WL 4226958, where the court veered away from the “direct loss” requirement and instead said the insured only had to show that the computer was the proximate cause of the loss. However, this case stands alone on this point, and only time will tell whether the courts in other “direct loss” jurisdictions can be swayed to this side of the fence.
Although this article is by no means a complete picture of the computer fraud coverage issues in the US, it does provide a flavour of the issues that an insured must turn their mind to if they are indeed going to try to claim a loss under the computer fraud form of their policy, if they have one. In the interim, we will continue to watch as the law on computer fraud coverage evolves in the US as a sign of what is to come in Canada on this topic. As we continue to rely on computers to manage many facets of our lives, one would expect to see computer crime continue to rise, and it will be interesting to see how the courts interpret what constitutes a computer crime.