On this appeal we consider whether an insuring agreement for computer systems fraud that applies to “a fraudulent entry ... of Electronic Data or Computer Program” encompasses losses caused by an authorized user’s submission of fraudulent information into the insured’s computer system. We conclude that the agreement is unambiguous and “fraudulent entry” refers to unauthorized access into plaintiff’s computer system, and not to content submitted by authorized users. Therefore, we affirm the order of the Appellate Division.
Plaintiff, Universal American Corp. (Universal), is a health insurance company that offers, as relevant to this appeal, a choice of federal government-regulated alternatives to Medicare, known as “Medicare Advantage Private Fee-For-Service” plans (Medicare Advantage).
The matter before us involves Universal’s demand for indemnification to cover losses resulting from health care claims for unprovided services, paid through Universal’s computer system. At issue is the coverage available to Universal pursuant to rider No. 3 (rider) of a financial institution bond (bond), issued by defendant National Union Fire Insurance Company of Pittsburgh, Pa. (National Union). The bond insured Universal against various losses, inclusive of certain losses resulting from dishonest and fraudulent acts. The rider amended the bond to provide indemnification specifically for computer systems fraud, and states, in part:
“COMPUTER SYSTEMS
“It is agreed that:
“1. the attached bond is amended by adding an Insuring Agreement as follows:
“COMPUTER SYSTEMS FRAUD
“Loss resulting directly from a fraudulent
“(1) entry of Electronic Data or Computer Program into, or
“(2) change of Electronic Data or Computer Program within
“the Insured’s proprietary Computer System . . .
“provided that the entry or change causes
“(a) Property to be transferred, paid or delivered,
“(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or
“(c) an unauthorized account or a fictitious account to be debited or credited.”
The rider, and the basic bond coverage, carry a $10 million limit and a $250,000 deductible for each “single loss,” which, as defined in the rider, includes “the fraudulent acts of one individual,” or of “unidentified individuals but arising from the same method of operation.” Universal’s annual premium during the relevant policy period was $170,500.
A few months after obtaining coverage, Universal suffered over $18 million in losses for payment of fraudulent claims for services never actually performed under its Medicare Advantage plans. When Universal sought payment from National Union for its post-deductible losses, National Union denied coverage on the ground that the rider did not encompass losses for Medicare fraud, which National Union described as losses from payment for claims submitted by health care providers.
Universal then commenced an action for damages and declaratory relief against National Union. Thereafter, Universal moved pursuant to CPLR 3212 for partial summary judgment, and an order declaring the losses to be covered under the policy. National Union cross-moved for summary judgment. Supreme Court denied Universal’s motion, granted National Union’s motion, and dismissed the complaint (
The Appellate Division unanimously modified the summary judgment order, on the law, to declare the policy does not cover the loss, and otherwise affirmed. The Court concluded the unambiguous language of the policy does not cover fraudulent content entered by authorized users, but rather “wrongful acts in manipulation of the computer system, i.e., by hackers” (
An insurance agreement is subject to principles of contract interpretation. “As with the construction of contracts generally, ‘unambiguous provisions of an insurance contract must be given their plain and ordinary meaning, and the interpretation of such provisions is a question of law for the court’ ” (Vigilant Ins. Co. v Bear Stearns Cos., Inc.,
Turning to the language of the rider, we conclude that it unambiguously applies to losses incurred from unauthorized ac
Other language in the rider confirms that the rider seeks to address unauthorized access. First, the rider is captioned “COMPUTER SYSTEMS,” and the specific language at issue is found under the subtitle “COMPUTER SYSTEMS FRAUD.” These headings clarify that the rider’s focus is on the computer system qua computer system. Second, under “EXCLUSIONS,” the rider exempts from coverage losses resulting directly or indirectly from fraudulent instruments “which are used as source documentation in the preparation of Electronic Data or manually keyed into a data terminal.” If the parties intended to cover fraudulent content, such as the billing fraud involved here, then there would be no reason to exclude fraudulent content contained in documents used to prepare electronic data, or manually keyed into a data terminal.
Nonetheless, Universal argues that in the context of the rider, “fraudulent entry” means “fraudulent input” because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information. This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.” Of
We are also unpersuaded by Universal’s reliance on Owens, Schine & Nicola, P.C. v Travelers Cas. & Sur. Co. of Am. (
“[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Banking Premises:
“1. to a person (other than a Messenger) outside the Premises or Banking Premises; or
“2. to a place outside the Premises or Banking Premises” (2010 WL 4226958 , *4, 2010 Conn Super LEXIS 2386, *9-10).
The insurer argued that “computer fraud” within the meaning of the policy required manipulation of the computer system, i.e., hacking. It further argued that there was no actual computer fraud because the use of emails and a computer to create a fraudulent check, as part of a scheme to steal funds from the insured, did not cause the physical transfer of money out of the insured’s account. Instead, the loss resulted from the insured’s wiring of the funds out of the account. The court found the phrase “use of any computer” to be ambiguous as to “the amount of computer usage necessary to constitute computer fraud” (
Here, it is undisputed that use of Universal’s computer is absolutely essential to trigger coverage for a loss, and that its
We conclude that the “reasonable expectations of the average insured upon reading the policy” (Mostow,
Order affirmed, with costs.
Notes
Medicare, a hospital, medical, and prescription drug insurance program, is administered by the Centers for Medicare & Medicaid Services within the U.S. Department of Health & Human Services (see 42 USC § 1395 et seq.).