Court: Fraud exclusion renders Bank’s “Electronic Risk Liability” coverage illusory

by Christopher Graham and Joseph Kelly

Delaware

First Bank of Delaware, Inc. v. Fidelity and Deposit Company of Maryland, Case No. N11C-08-221 (Del. Super. Ct. Oct. 30, 2013

According to this Court, this was a case of an exclusion swallowing a coverage grant–so coverage was “illusory” and the exclusion shouldn’t apply. As explained below, the coverage in essence was for loss from certain unauthorized data use; and the exclusion applied to fraudulent data use. So this was problematic.

First Bank of Delaware contracted with Visa and Mastercard to provide debit card transaction services. First Bank processed those transactions using Data Access Systems’s (“DAS”) computers.

DAS’s servers were hacked resulting in millions of dollars in unauthorized customer withdrawals. Visa and Mastercard as a result imposed certain assessments on First Bank which First Bank paid.

First Bank then sought coverage for the assessments from Fidelity and Deposit Company of Maryland under a D&O SelectPlus Insurance Policy. Fidelity denied coverage, and First Bank sued.

Electronic Risk Coverage

First Bank sought coverage under the policy’s “Electronic Risk Liability” insuring agreement, which provided:

The Insurer will pay on behalf of the Insured all loss resulting from any electronic risk claim first made against the Insured during the policy period or the extended reporting period, if applicable, (1) for an electronic publishing wrongful act or (2) that arises out of a loss event.

“Electronic Risk Claim” meant “a written demand for monetary damages or nonmonetary relief.”

“Loss Event” included “any unauthorized use of, or unauthorized access to electronic data or software with a computer system.”

“Computer System” included “related communications networks including the internet, used by the Company or used to transact business on behalf of the Company.”

In considering summary judgment cross-motions, the Court found First Bank established that: Visa and Mastercard’s assessments were loss resulting from an electronic risk claim, namely, by Visa and MasterCard; against the Insured, namely, First Bank; during the policy period; and that arises out of a loss event, namely, unauthorized access to electronic data with a computer system, DAS’s computers. Fidelity argued the unauthorized access on DAS’s computers wasn’t with a “computer system” used to transact bsuiness on First Bank’s behalf. The Court disagreed, explaining that the DAS computers were used to transact business on behalf of First Bank because First Bank earned fees from debit card transactions conducted on DAS’s computers.

So First Bank’s loss was within the scope of the insuring agreement.

Fraud Exclusion

The Court’s analysis then shifted to Exclusion M which excludes coverage under the “Electronic Risk Liability” insuring agreement for any claim against First Bank “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data or in any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number.”

The Court found that First Bank’s loss fell within the scope of the exclusion because “the fraudulent use of data and subsequent Visa and MasterCard assessments are meaningfully linked in a way that qualifies as ‘arising from’ under Exclusion M.”

Illusory Coverage

But then First Bank argued that Exclusion M rendered the Electronic Risk Liability’ coverage part illusory.

The Court agreed stating:

…[W]hen the burden shifts back to First Bank to prove that Exclusion M should not be applied, the Court considers that a grant of coverage should not be swallowed by an exclusion. The principle that a grant of coverage should not be rendered illusory protects the reasonable expectations of the purchaser.

and

The Court finds that applying Exclusion M would swallow the coverage granted…for “any unauthorized use of, or unauthorized access to electronic data…with a computer system.” It is theoretically possible that an example of non-fraudulent unauthorized use of data exists. However, in the context of this Policy, all unauthorized use could be, to some extent, fraudulent. The abstract possibility of some coverage surviving the fraud exclusion is not sufficient to persuade the Court to apply an exclusion that is almost entirely irreconcilable with the Loss Event coverage. The Court finds that First Bank met its burden to prove that an exception prevents the application of Exclusion M.

Tags: D&O, illusory coverage, electronic risk liability, bank, fraud

Category: D&O Digest, Financial Institution Bond Blog Comment »


Leave a Reply



Back to top