Unauthorized Debit Card Redemptions Are Not Covered by Computer Fraud Provision
Case: InComm Holdings, Inc. v. Great American Ins. Co.
Northern District of Georgia
Case No. 1:15-cv-2671-WSD
In a decision that is likely to fuel debate over what constitutes computer fraud for purposes of insurance coverage, the U.S. District Court for the Northern District of Georgia recently held in InComm Holdings, Inc. v. Great American Ins. Co. that losses resulting from unauthorized debit card redemptions are not covered under the computer fraud provision of a multi-risk insurance policy.
The case involved a policyholder, InComm, which provides a debit card processing service that enables customers to load funds onto bank issued prepaid debit cards by using chits purchased from InComm at retailers such as CVS or Walgreens. After a customer purchases a chit, the retailer transfers the payment amount to InComm. The customer can then redeem the purchased funds on its debit card by calling a telephone number printed on the back of the chit and entering information via InComm’s computerized interactive voice response (AVR) system and application processing servers (APS). Once the customer enters the required information, the chit amount is made immediately available on the debit card. Any purchases made using the debit card are covered by the bank that issued the card, which is in turn reimbursed by InComm.
A dispute arose after a vulnerability in the debit card processing system permitted cardholders to obtain more chit credit than they had purchased by redeeming a chit simultaneously from multiple telephone numbers. Claiming that the offending transactions resulted in approximately $11.4 million in unauthorized redemptions, InComm sought coverage under the computer fraud provision of its multi-risk insurance policy with Great American, which applied to “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises.”
Although acknowledging that the chit redemptions were ultimately performed via InComm’s computerized AVR and APS systems, the district court determined that the subject claim did not involve “the use of any computer” so as to implicate the policy’s computer fraud provision because the offending cardholders used telephones—rather than computers—to perpetrate their scheme. The court further held that the policy’s computer fraud provision was inapplicable because even if the cardholders’ chit redemptions involved “the use of any computer,” the loss did not result “directly” from those redemptions, but occurred only later when the bank that issued the debit cards transferred funds to merchants where the cardholders made their purchases.