8th Circuit Upholds Data Breach Coverage for Bank Loss Following Hacker’s Fraudulent Transfer
Last week, the Eighth Circuit upheld a lower court’s ruling in State Bank of Bellingham v. BancInsure Inc., finding that a bank employee’s negligence in securing its computer network did not preclude coverage for a data breach resulting in a fraudulent funds transfer. The decision affirms the lower court’s ruling granting summary judgment in favor of the Bank of Bellingham, holding that the loss was covered even if employee negligence contributed to the loss.
The Underlying Breach: The underlying coverage action between BancInsure and the Bank stemmed from an October 2011 incident in which a hacker gained access to the bank’s network with a “Zeus Trojan horse” virus and fraudulently transferred funds to accounts in Poland, resulting in a $485,000 loss. The hacker was able to gain access because a bank employee inadvertently failed to remove two physical security tokens (which bank employees were required to insert into a computer in order to perform wire transfers via a specialized VPN device provided by the Federal Reserve) after performing a legitimate wire transfer.
Court Ruling: The Eighth Circuit agreed with the trial court that an exclusion in the Bank’s financial institution bond for employee-caused losses did not apply based on Minnesota’s concurrent-causation doctrine, which states that when a loss results from multiple risks, some covered and some not covered, the loss is covered unless the excluded risk is the “overriding cause” of the loss. The Eighth Circuit concluded that the overriding cause of the loss was the hacker’s criminal conduct rather than employee negligence, even though the employee’s negligence “played an essential role” in the loss and created a risk of intrusion into the bank’s computer system. The court reasoned that an illegal wire transfer was not a “foreseeable and natural consequence” of the failure to follow proper computer security policies, procedures, and protocols.
The court also rejected BancInsure’s argument that the bond’s exclusions for loss due to the theft of confidential information or mechanical failure of a computer avoided application of the concurrent-causation doctrine, finding that the exclusions’ reference to “indirect” losses was not the type of “clear and specific” language needed to prevent the doctrine’s application.
The Takeaway: The Eighth Circuit’s ruling is a significant victory for policyholders. Fidelity bonds and commercial crime policies commonly exclude “indirect loss.” Insurance carriers frequently argue in disputes regarding such bonds or policies that the negligent actions of the policyholder’s employees convert an otherwise covered loss caused by a third party’s criminal acts into an “indirect,” uncovered loss. The Eighth Circuit’s holding provides policyholders helpful authority to argue that employee negligence does not bar coverage or render an otherwise covered loss uncovered.
Although the decision is favorable to policyholders, there are a number of important caveats. For instance, insurance policy language can vary substantially between carriers, and many commercial crime policies contain specific exclusions for data security breaches. Additionally, the Eighth Circuit recognized that courts will enforce “anti-concurrent causation” provisions where the language is clear and specific.