The insured was not entitled to recovery under a professional errors and omissions policy for a loss resulting from a hacking incident. Considering both North Carolina and Pennsylvania law, the court found that coverage was barred by the insurance policy's unauthorized computer use exclusion as well as the insured's failure to comply with the condition to obtain insurer consent before finalizing all settlements. Constr. Fin. Admin. Servs. LLC v. Fed. Ins. Co., No. 2:19-CV-00020, Doc. 63 (E.D. Pa. June 9, 2022).
Facts of the Case
Construction Financial Administration Services, LLC (CFAS) is a third-party construction funds administration company. It disburses funds for contractors whose clients require performance and payment bonds for sureties. SWF Constructers (SWF) was a client of CFAS. SWF and CFAS entered into a Funds Administration and Disbursement Agreement in order to comply with the surety's requirement that payments be administered by an independent third party for a construction project SWF was working on.
On April 9, 2018, CFAS received an email requesting a payment from the disbursement account in the amount of $600,000. It sent the amount by wire transfer to the entity identified as HK Canopy Technology Ltd. (HK). HK was not listed in SWF's budget documents as a subcontractor or identified as a party to any agreement with SWF. A payment voucher was also not received for this transaction or any reference to a line item that the funds were expected to cover. Although an invoice was later received from HK, it neither identified the project nor indicated what work or materials were being supplied. Another request for $700,000 was received a few days later and CFAS also authorized payment on that request. After it was approved, CFAS requested additional documentation from HK, but it was too late.
SWF later submitted a disbursement voucher and requested payment from the disbursement account only to find that the funds were extinguished by the payments to HK. SWF claimed that it never authorized any payment to HK. At that point, CFAS reported the transaction to the authorities and began steps to recover the distributed money. It was able to recover $127,007, but the remainder was lost. Later it was found that hackers had comprised the computer system and were behind the HK transactions.
CFAS had an errors & omissions insurance policy in place with the Federal Insurance Company (FIC) during this period and submitted a claim under this policy for recovery of the lost money. FIC denied the claim stating, "The claimant alleges that improperly transferred funds from the disbursement account based on fraudulent emails. As this matter is based upon, arises from and/or is in consequence of the unauthorized access to or use of a computer and/ or computer system, it is excluded from coverage."
CFAS filed suit in Pennsylvania Federal District Court against FIC alleging wrongful denial of coverage for the losses from CFAS's transmission of $1.3 million dollars to an entity later discovered to be hackers. CFAS explained its transfer was initiated after it received emails from an account it believed to be a client, but later found the emails were sent by someone who had gained unauthorized access to the account. CFAS argued losses due to the transmission should be covered by its policy with FIC because the transfer was caused partially by CFAS's negligence in not properly following applicable policies and procedures. FIC refused to grant coverage stating that the policy did not include provisions for social engineering, or hackers. Both parties eventually filed for summary judgment.
Choice of Law & the Interpretation of Insurance Contracts in Pennsylvania and North Carolina
When more than one state's laws potentially apply to a matter, Pennsylvania’s courts will apply the substantive law of the state "with the most interest in the problem." Hammersmith v. TIG Ins. Co., 480 F.3d 220, 227 (3d. Cir. 2007). The parties in the case at hand agreed that North Carolina and Pennsylvania had the most interest in this claim where CFAS’s business address is in Pennsylvania and its principal office is in North Carolina. Further, the FIC policy was delivered to CFAS in North Carolina and the underlying transmission occurred in North Carolina
North Carolina and Pennsylvania employ similar methods in the interpretation of insurance contracts. North Carolina precedent states that "an insurance policy is a contract between the parties and must be so construed to carry out their intent." Allstate Inc. Co. v. Shelby Mut. Ins. Co., 152 S.E.2d 436, 440 (N.C. 1967). The court uses general contract principles to interpret intent. As such the court will look to the reasonable person standard to determine how the contract was understood and intended by the parties. Also, in North Carolina it is "well-settled law that insurance policies are construed strictly against the insurance companies and in favor of the insured." State Cap. Ins. Co. v. Nationwide Mut. Ins. Co., 350 S.E.2d 66, 73 (N.C. 1986). As such, coverage exclusions are generally disfavored and any gray areas are interpreted in favor of the insured.
In Pennsylvania, insurance contracts are "guided by the polestar principle that insurance policies are contracts between an insurer and a policyholder and traditional principles of contract interpretation will be applied in ascertaining the meaning thereof." Kurach v. Truck Ins. Ech., 235 A.3d 1106, 1166 (Pa. 2020). Courts in both states emphasize reading the contract in totality and not considering one word or phrase in isolation. If the policy language is clear on its face then the court will abide by the clear and ordinary language without delving deeper.
In both states, the insured carries the burden of showing that they are entitled to coverage under the policy. "If the dispute involves an exclusion in the insurance policy, the burden is upon the insured to show that a loss has occurred; thereafter, the burden is upon the insurer to defend by showing that the loss falls within a specific policy exclusion." United Nat'l Ins. Co. v. Indian Harbor Ins. Co., 160 F. Supp. 3d 828, 839 (E.D. Pa. 2016); accord Prod. Sys., Inc. v. Amerisure Ins. Co., 605 S.E.2d 663, 665 (N.C. App. 2004). Based on the similar principles and interpretations of contract law in North Carolina and Pennsylvania, the court found the applicable states’ laws were not in conflict. Even though normally the law of the state in which the state sits will be applied, both parties, and the Court, agreed to the application of North Carolina law, but nevertheless addressed the merits under Pennsylvania law as well.
Fraudulent Transfers Were Not Covered by the Insurance Policy
CFAS asserted that its failure to seek documentation as required by the Funds Administration and Disbursement Agreement with SWF before granting the disbursements to HK was a covered "wrongful act" under the policy and was an independent cause of the loss not subject to the Policy’s exclusions. FIC argued in response coverage was clearly excluded where SWF’s demand to CFAS to replenish the funds it lost was "based upon, arising from, or in consequence of" unauthorized access and use of the computer system.
CFAS’ argument was an attempt to take advantage of a vein of North Carolina case law narrowly applying “arising out of” language in an exclusion where excluded and covered causes combine to create a loss. In the absence of anti-concurrent causation language, North Carolina follows the "concurrent causation" theory, which provides that coverage under the policy must be honored where there are multiple causes of injury and only one of the causes is excluded. State Capital Ins., 350 S.E.2d at 546 (“the sources of liability which are excluded from [ ] policy coverage must be the sole cause of the injury in order to exclude coverage under the policy.”). Pennsylvania law is less demanding, were “arising out of” means "causally connected with, not proximately caused by." McCabe v. Old Republic Ins. Co. 228 A.2d 901, 903 (Pa. 1967). Accordingly, Pennsylvania law only required a causal nexus between the claim and the computer access for the exclusion to apply.
The Pennsylvania District Court engaged in a thorough and thoughtful analysis of applicable North Carolina law. Since State Capital, North Carolina courts have at times engaged in a deeper inquiry, only to find in fact one singular proximate cause as the true source of injury. See, e.g., Builders Mut. Ins. Co. v. North Main Const., Ltd., 637 S.E.2d 528 (N.C. 2006) (applying an owned automobile exclusion in a CGL policy despite the insured’s argument that claims of negligent supervision were not non-automobile causes of the loss because the employee’s actions were only harmful because he was required to drive the vehicle for work); Nationwide Mut. Ins. Co. v. Integon Indem., 473 S.E.2d 23 (N.C. App. 1996) (applying an owned automobile exclusion despite allegations the insured negligently attached the trailer to the car since the alleged negligence was not independent of the excluded risk).
The Court engaged in a similarly penetrating analysis as these decisions in concluding CFAS's failure to require documentation is not an independently occurring cause of injury. The Court reasoned CFAS's lack of receipt of proper documentation could not have caused the injury in question (here, the fraudulently-induced money transfers) without the emails precipitated by the hacker's unauthorized access to SWF's network. CFAS would not have sent the funds to the bank account included by the fraudster without first receiving the unauthorized emails. The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails. Even more literally, CFAS would not have been able to transfer the funds to HK without the unauthorized emails because the emails contained the account information.
The Court went on to discuss the exclusionary language’s far broader application than in State Capital where the FIC Policy excludes damages “based upon, arising from or in consequence of” any unauthorized computer access, not just “arising out of.” See Nationwide Mut. Fire Ins. Co. v. Nunn, 442 S.E.2d 340 (N.C. App. 1994) (holding “in connection with” to have a much broader meaning than “arising out of.”). Although perhaps unnecessary to the Court’s holding based on its analysis recounted above, the Court held “[s]ince the hacker's unauthorized access precipitated the events that followed, the broadened language makes it clear that the transactions are excluded under the Policy.”
Failure to Provide Notice of Potential Settlement
The Court went on to bolster its holding by finding that, even had the breach exclusion not applied to this loss, CFAS also failed to provide notice of the loss to FIC before coming to a settlement agreement. CFAS’s failure to provide such notice or get FIC’s prior consent to settlement violated the Policy’s conditions, thus separately defeating coverage under either Pennsylvania or North Carolina law.
The Court’s plain language interpretation and application of this exclusion are notable in their practicality. This claim was for losses tangential to a hacking effort, not as a direct consequence. Similar language and causation issues will continue to arise as cyber-related claims increase. Plain language application of relevant policy language like in this decision will provide building blocks for the future across the country.
The Court’s thoughtful analysis of the actual cause of the loss was critical to the result. Insurance coverage issues are rarely as simple as they appear at first blush. Here, counsel ability to get the Court to engage in the deeper, often messier underpinnings of the loss was key. May we all be so engaging.