Federal Court: Computer Fraud Provision Does Not Cover Fraudulent Debit Card Transactions Conducted Over the Telephone

April 12, 2017

Last month, the Northern District of Georgia issued a strongly pro-insurer decision holding that a policy insuring computer fraud did not provide coverage for $11.4 million in fraudulent debit card redemptions made over the telephone. In InComm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017), the court granted summary judgment for the insurer, Great American, concluding that the insured’s losses did not result “directly” from the “use” of a computer.

The insured, InComm Holdings, processes debit cards that allow consumers to purchase credits, called “chits,” from retailers, which can then be redeemed for actual dollars that are loaded onto prepaid debit cards to make everyday purchases. InComm’s redemption program works as follows: Third-party banks issue prepaid debit cards to consumers. Consumers buy “chits” from retailers like CVS or Walgreens for the value of the chit plus a service fee. Each chit represents the amount purchased, i.e., a $100 chit represents $100. The retailer then wires the consumer’s funds to InComm. To convert chits to actual dollars on the debit cards, a consumer calls InComm and uses voice or touchtone commands to “redeem” the chits. After a chit is redeemed, InComm wires the amount of the chit to the bank that issued the debit card, and the funds become available for the consumer’s use. Each chit can be redeemed only once.

Between November 2013 through May 2014, a coding error in InComm’s system for processing chit redemptions allowed cardholders to redeem single chits more than once, resulting in more funds being added to their prepaid debit cards than actually purchased from retailers. Fraudsters used multiple telephones simultaneously to access InComm’s redemption system to redeem single chits multiple times. InComm did not immediately identify the error, processed the fraudulent redemptions and wired funds to the issuing bank. In total, InComm processed more than 25,000 unauthorized redemptions, mistakenly transmitting more than $11.4 million to various debit card issuers.

After discovering the losses, InComm sought coverage from Great American under its policy’s computer fraud provision. After Great American denied coverage, InComm filed suit, asserting claims for breach of contract and bad faith.

In the computer fraud coverage grant at issue, Great American promised to “pay for loss of, and loss from damage to, money, securities, and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

In interpreting the coverage grant, the court focused on the requirement that “the transfer was caused by the ‘use of a computer.’” The court observed that the parties did not dispute that the cardholders used telephones to provide information to InComm’s redemption system, which then processed the information incorrectly. InComm argued that its system was the “computer” that was “used” when the chits were fraudulently redeemed. However, the court disagreed, stating bluntly, “a telephone is not a computer.”

Finding that the unauthorized transactions at issue were accomplished using a telephone—and not a computer—the court concluded that the policy’s computer fraud provision did not cover InComm’s losses and granted summary judgment in Great American’s favor. The court explained that simply because “a computer was somehow involved in a loss does not establish that a wrongdoer ‘used’ a computer to cause the loss.” In the court’s view, to conclude otherwise would “unreasonably expand the scope” of the computer fraud provision, which limits coverage to “computer fraud,” and would convert these types of computer fraud provisions into “general fraud” provisions.

In the alternative, the court also held that InComm’s losses did not result “directly” from computer use. The court found that InComm did not incur actual losses immediately after the fraudulent redemptions. Rather, InComm incurred losses only after (1) it wired money to the issuing bank, (2) the cardholder used a card to make a purchase, and (3) the bank paid the seller. The court, citing Fifth Circuit precedent, stated that “directly” requires “an immediate relationship between the computer fraud and the loss.” Thus, the court concluded that, given the series of intermediate steps, InComm’s losses did not result “directly” from the fraudulent redemptions.

The court’s result is undoubtedly harsh, and may have been animated in part by the fault the court found with InComm for the loss. For example, the court noted that one chit was redeemed 271 times for a total of $135,000 and that InComm failed to recognize the fraudulent redemptions because it had programmed its computer systems incorrectly. However, the risk that criminals would exploit weaknesses in InComm’s systems is precisely the kind of risk that computer fraud coverage is for, something the court’s decision does not appreciate.