Pennsylvania Federal Court Finds No Coverage For Hacking Claim Under E&O Policy
On June 9, 2022, the U.S. District Court for the Eastern District of Pennsylvania held, on summary judgment, that an insured was not entitled to coverage under a Professional Errors and Omissions (E&O) policy for loss allegedly resulting from a hacking incident. See Construction Fin. Admin. Servs., Inc. v. Federal Ins. Co., No. 19-0020, 2022 U.S. Dist. LEXIS 103042 (E.D. Pa. June 9, 2022). Applying North Carolina and Pennsylvania law, the court reasoned that: (1) coverage was barred by the policy’s unauthorized computer access, or “breach,” exclusions; and (2) the insured violated a condition in the policy that required the insurer’s consent to settlements and the violation prejudiced the insurer.
The insured, Construction Financial Administration Services, Inc. (CFAS), was a third-party fund administrator for construction contractors. In April 2018, the CFAS received email requests from what it believed to be one of its clients, SWF Constructors (SWF), to disburse $1.3 million from an SWF account to a foreign company. CFAS authorized the payments, despite not having received a copy of any executed agreement between SWF and the foreign company. After the funds were disbursed, SWF advised that it had not authorized or requested the payments to the foreign company. In response, CFAS placed approximately $1.2 million of recovered and borrowed funds into the SWF disbursement account. SWF then sent a letter advising CFAS that the requests from the foreign company did not include documentation required under the contract between SWF and CFAS. It was later determined that the emails had been initiated by a fraudster who had gained unauthorized access to the sender’s email account.
CFAS initiated litigation in the Eastern District of Pennsylvania against its insurer seeking coverage for the $1.3 million disbursement under a claims-made-and-reported E&O policy. The policy provided for payment of covered loss resulting from a claim for “wrongful acts” committed by the insured solely in the performance of, or failure to perform, “insured services,” defined as consulting services performed for others for a fee, including those performed electronically via the internet or a computer network.
The district court held that, for two reasons, the insurer owed no coverage. First, it found coverage was barred by the policy’s exclusions for loss “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to” any computer system or network. The court noted that North Carolina follows the “concurrent causation” theory, which provides that coverage exists where there are multiple causes of an injury and only one of the causes is excluded. The court disagreed with CFAS that its failure to require documentation, which it contended was a covered “wrongful act” that fell outside the exclusion, was an independently-occurring cause of injury. Id. at *21. The court reasoned that the existence of the loss (i.e., the fraudulently-induced money transfers) did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails because they contained the account information CFAS needed to make the disbursements. Id. at *21-22. The court also explained that the phrase “in consequence of,” as used in the exclusion, broadly expanded the excluded conduct “to include ‘a result that follows as an effect of something that came before.’” Id. at *23 (quoting Black’s Law Dictionary).
Second, the court agreed with the insurer that CFAS had breached the policy’s notice and consent provisions by failing to immediately forward SWF’s demand letter, and instead opting to unilaterally pay SWF. Examining the insurer’s assertion of the provisions collectively as a “late notice defense,” the court cited North Carolina and Pennsylvania cases requiring insurers to demonstrate prejudice from insureds’ untimely notice under occurrence-based policies. Id. at *27-28 (citing Nationwide Mut. Ins. Co. v. State Farm Mut. Auto. Ins. Co., 470 S.E.2d 556, 558 (N.C. 1996); Brakeman v. Potomac Ins. Co., 371 A.2d 193, 198 (1977)). The court concluded that, as a result of CFAS’s unilateral settlement payment to SWF, the insurer was prejudiced in that: (1) it lost the ability to assert defenses originating under the agreement between CFAS and SWF, such as a right to indemnification and a waiver of liability that ran in favor of CFAS; and (2) the insurer was unable to conduct a complete investigation of the alleged loss, including assessing any comparative fault of SWF or the events leading to the fraudulent transfers.
The Construction Financial Services decision properly applied the unambiguous language of the policy’s exclusions. Under the circumstances presented, however, it examined the insured’s breach of the consent provision as part of a “notice” issue instead of as solely a consent issue. In doing so, it grafted a prejudice requirement onto both the notice and consent provisions where there was none. Moreover, the decision does not discuss North Carolina or Pennsylvania cases declining to require an insurer to demonstrate prejudice from an insured’s breach of notice provisions in a claims-made-and-reported policy. Ultimately, however, the insurer was found to owe no coverage because there was no genuine dispute it was prejudiced by CFAS’s unilateral settlement payment.
If you have any questions or would like further information, contact Celestine Montague (email@example.com; 215.864.6813) or Paul A. Briganti (firstname.lastname@example.org; 215.864.6238).
 See, e.g., John Hiester Chrysler Jeep v. Greenwich Ins. Co., No. 5:17-CV-00140-FL, 2017 U.S. Dist. LEXIS 202327, at *8 (E.D.N.C. Dec. 8, 2017); ACE Am. Ins. Co. v. Underwriters at Lloyds & Cos., 939 A.2d 935, 941 (Pa. Super. Ct. 2007), aff’d, 971 A.2d 1121 (Pa. 2009); Pizzini v. Am. Int’l Specialty Lines Ins. Co., 210 F. Supp. 2d 658, 670 (E.D. Pa. 2002).