Unambiguous Language in Rider Covered Loss Caused by Hackers Gaining Unauthorized Access to the Insured’s Computers, Not Loss Caused by Fraudulent Billing Entries by Authorized Users
The Court of Appeals, in a full-fledged opinion by Judge Rivera, determined the rider in a financial institution bond covered loss caused by hackers gaining access to the insured’s computer system, not loss caused by the entry of fraudulent billing information into the computer system by authorized users. Here fraudulent medical claims made by authorized users of the computer system cost the insured (Universal) $18 million. The language of the relevant rider was deemed unambiguous:
… [W]e conclude that it unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users. The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed 1993]). While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.). In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program. Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system. The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself. The intentional word placement of “fraudulent” before “entry” and “change” manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.
Other language in the Rider confirms that the Rider seeks to address unauthorized access. First, the Rider is captioned “Computer Systems,” and the specific language at issue is found under the subtitle “Computer Systems Fraud.” These headings clarify that the Rider’s focus is on the computer system qua computer system. Second, under “EXCLUSIONS,” the Rider exempts from coverage losses resulting directly or indirectly from fraudulent instruments “which are used as source documentation in the preparation of Electronic Data, or manually keyed into a data terminal.” If the parties intended to cover fraudulent content, such as the billing fraud involved here, then there would be no reason to exclude fraudulent content contained in documents used to prepare electronic data, or manually keyed into a data terminal. Universal Am. Corp. v National Union Fire Ins. Co. of Pittsburgh, PA., 2015 NY Slip Op 05516, CtApp 6-25-15