Hacking Not a Foreseeable Consequence of Employee Negligence, 8th Cir. Rules
In hacking cases, employee negligence is not a primary cause for insurance payouts -- even when an employee's negligence plays an "essential role" in the hacking incident. That's according to a recent ruling by the Eighth Circuit.
No doubt the court's ruling will cause many issuers of criminal insurance policies to re-examine those policies and to redefine what is covered under "indirect loss."
Employee Negligence
The circuit court's opinion affirms the district court's opinion, which found that the negligence of two bank employees did not foreclose coverage under a financial bond due to a hacker squirreling away funds fraudulently. In the opinion of both courts, the criminal activities of the hacker were the "efficient and proximate cause" of the loss to the bank and not the negligent activities of a bank employee who carelessly left two physical key-tokens in the computer, which gave a hacker access to the bank's network in the first place.
The small Minnesota state bank, Bellingham, used a specialized system to make wire transfers. To execute the transfers, the Fed network requires bank employees to insert actual physical tokens into a desktop computer setup and enter usernames, passwords and passphrases. In this case, however, one of the employees left a token inside the computer and left it running all night. A hacker accessed the system and made two withdrawals.
Bellingham called its insurer and requested coverage for the loss. The ensuing investigation revealed that a hacker infected the system with a virus that would allow for fraudulent transfers in the future event that the computer might be left on with the proper authorization already entered.
Superseding Cause
The circuit's language is a wonderful example of the doctrine of superseding cause all wrapped up. "Even if the employees' negligent actions 'played an essential role' in the loss and those actions created a risk of intrusion into Bellingham's computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not 'certain' or 'inevitable,'" the court wrote.
The theory probably stands because of the steps the hacker had to take beforehand in order to make the transfer viable. Layers of authentication have generally been implemented with the purpose of ensuring the validity of a bank-wire transfer and to fight employee fraud, not fraud by third parties hacking into the system -- a relatively new sort of threat.
Since the attack is novel, employee negligence and liability of the bank would be far clearer under facts in which another person within the bank physically makes a fraudulent transfer. But since the computer could have been anywhere, the time and preparation of the operation pushed the judges to the decision that even though the employee was careless, she couldn't have dreamed up a scenario in which a succession of hacks would hit the bank.