Friday, May 08, 2015

The Real Estate Brokerage Firm, Theft and the Computer Virus

This post examines an opinion the U.S. Court of Appeals for the 11th Circuit recently issued in a civil case:  Metro Brokers, Inc. v. Transportation Insurance Company, 2015 WL 925301 (2015) (per curiam).  It begins by explaining that
[i]n this insurance coverage dispute, Metro Brokers, Inc. (`Metro’) appeals the district court's (1) grant of summary judgment in favor of Metro's insurer, Transportation Insurance Company (`TIC’) and (2) denial of Metro's motion for reconsideration. . . .
Metro Brokers, Inc. v. Transportation Insurance Company, supra. 
As Wikipedia explains, in U.S. law, a summary judgment is a judgment entered by a
court for one party and against another party summarily, i.e., without a full trial. Such a judgment may be issued on the merits of an entire case, or on discrete issues in that case. . . .

A party moving . . . for summary judgment is attempting to avoid the time and expense of a trial when the outcome is obvious. A party may also move for summary judgment in order to eliminate the risk of losing at trial, and possibly avoid having to go through discovery . . .  by demonstrating to the judge, via sworn statements and documentary evidence, that there are no material factual issues remaining to be tried. If there is nothing for the factfinder to decide, then the moving party asks rhetorically, why have a trial? 

The moving party will also attempt to persuade the court that the undisputed material facts require judgment to be entered in its favor. . . .
(emphasis in the original).
The Court of Appeals then explains how the suit arose:
Metro is a real estate brokerage firm conducting business in Georgia. Metro maintained bank accounts with Fidelity Bank (`Bank’) and used the Bank's online system to make payments from Metro's accounts. On 10 December 2011, thieves logged into the Bank's online banking system using a Metro employee's access ID and password.

Then, using a randomly generated single-transaction security code, the thieves authorized various payments -- totaling over $188,000 -- from a Metro client escrow account to several other bank accounts. Over $154,000 of the stolen funds remains unrecovered.

Although the exact details of the theft are unknown, the parties agree that all available evidence suggests that the thieves used a key-logger virus known as `Zeus’ (which was found on several Metro computers) to gain access to Metro employee access IDs and passwords.

Metro filed a claim for the loss under Metro's insurance policy (`Policy’) with TIC. TIC denied coverage based on the Policy's malicious-code and system-penetration exclusions. Metro, on the other hand, contends that the loss is not excluded and is covered by the Policy's Fraud and Alteration (`F&A’) endorsement.
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
The Court of Appeals goes on to explain that
[i]n two detailed and well-reasoned opinions, the district court concluded that the Policy did not cover Metro's loss and, thus, that TIC was entitled to summary judgment on Metro's breach of contract claim.

The district court determined that Metro's loss was not covered by the Policy's F&A endorsement for two reasons: (1) the fraudulent electronic transfers did not involve a `check, draft, promissory note, bill of exchange, or similar written promise, order or direction to pay a sum certain;’ and (2) Metro's loss fell within the Policy's exclusions for losses caused by malicious code or system penetration.

Because Metro's claim was not covered under the Policy, the district court granted summary judgment for TIC on Metro's claims for breach of contract and for bad faith.
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
The court also notes that
[w]e review de novo a district court's grant of summary judgment, viewing the evidence and drawing all reasonable inferences in favor of the non-moving party. Harrison v. Benchmark Elecs. v. Huntsville, Inc., 593 F.3d 1206 (U.S. Court of Appeals for the 11th Circuit 2010).
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
The Court of Appeals went on to explain that
[u]nder Georgia law, `[a]n insurance policy is governed by the ordinary rules of contract construction.’ Banks v. Bhd. Mut. Ins. Co., 686 S.E.2d 872, 874 (Georgia Court of Appeals 2009). Whether the language in an insurance policy is ambiguous is a matter of law for the court to decide. Banks v. Bhd. Mut. Ins. Co., supra. `Extrinsic evidence to explain ambiguity in a contract becomes admissible only when a contract remains ambiguous after the pertinent rules of construction have been applied.’ Claussen v. Aetna Cas. & Sur. Co., 380 S.E.2d 686 (Georgia Supreme Court 1989). 

`When the language of a policy is unambiguous and capable of but one reasonable construction, we enforce the contract as written.’ Banks v. Bhd. Mut. Ins. Co., supra.  `The words used in policies of insurance, as in all other contracts, bear their usual and common significance, and policies of insurance are, as in all other contracts, to be construed in their ordinary meaning.’ Lawyers Title Ins. Corp. v. Griffin, 691 S.E.2d 633 (Georgia Court of Appeals 2010).
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
(You may wonder why a federal Court of Appeals is applying Georgia law, rather than federal law, in this case.  The answer is that this case is in federal court under the court’s diversity jurisdiction, which lets federal courts hear disputes that involve citizens of different states.  The U.S. Supreme Court has held that the law of the relevant state(s) applies in diversity jurisdiction cases.)
The Court of Appeals then noted that
Metro argues that its loss is covered by the Policy's F&A endorsement. We disagree. The Policy's F&A endorsement provides that TIC `will pay for loss resulting directly from ‘forgery’ or alteration of, on, or in any check, draft, promissory note, bill of exchange, or similar written promise, order or direction to pay a sum certain. . . .’ The term `forgery’ is defined in the Policy as `the signing of the name of another person or organization with intent to deceive.’

The electronic fund transfers in this case did not involve a `check, draft, promissory note, [or] bill of exchange.’ The transfers also cannot be characterized as involving a `written promise, order or direction to pay’ that was `similar’ to the three enumerated instruments.

Under both federal and Georgia law, electronic fund transfers are distinguished from -- and treated differently from -- fund transfers made by check, draft, or bill of exchange. See 15 U.S. Code § 1693a(7) (emphasis added) (the Electronic Fund Transfer Act defines an `electronic fund transfer’ as `any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account’); O.C.G.A. § 11–4A108 (providing expressly that Georgia's Uniform Commercial Code on fund transfers does not apply to electronic fund transfers governed by the federal Electronic Fund Transfer Act).
Metro Brokers, Inc. v. Transportation Insurance Company, supra (emphasis in the original).
The court also noted that
Metro has also failed to demonstrate that the theft involved the `signing of [a] name,’ as required under the Policy's `forgery’ definition. Although the thieves used the stolen access ID and password to access the Bank's online system (and then used a randomly generated security code to authorize the transfers), nothing establishes that doing so constituted the `signing of the name of another person or organization’ under the terms of the Policy.
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
It went on to point out that
[f]irst, nothing about the Policy's provision that `signatures that are produced or reproduced electronically” will be considered “the same as handwritten signatures’ -- in and of itself -- establishes that an access ID and password constitute a `signature’ (electronic or otherwise) within the meaning of the Policy.

Second, contrary to Metro's argument, the Georgia Court of Appeals' decision in Allstate Ins. Co. v. Renshaw, 258 S.E.2d 744 (1979), does not control here. In Renshaw, the state court concluded a loss resulting from the theft of plaintiff's bank card and personal identification number (PIN) constituted a `forgery’ under plaintiff's homeowners insurance policy. 

Because the policy contained no definition of the term `forgery,’ the court relied on the definitions of `forgery’ and `writing’ found in Georgia's criminal code. The court concluded that the recording of plaintiff's PIN number was a `writing’ within the meaning of Georgia's criminal code. Here -- unlike in Renshaw -- the Policy defined expressly and unambiguously the term `forgery.’

Thus, we need not (and must not) rely on Georgia's criminal code to interpret the Policy's language. The question of whether the unauthorized use of Metro's access ID and password was a `writing’ under Georgia's criminal code has no significance to this case.
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
The Court of Appeals therefore held that because
Metro has failed to demonstrate that its loss was covered under the Policy's F&A endorsement, TIC was entitled to summary judgment on Metro's breach of contract claim. See Allstate Ins. Co. v. Grayes, 454 S.E.2d 616 (Georgia Court of Appeals 1995) (`To establish a prima facie case on a claim under a policy of insurance the insured must show the occurrence was within the risk insured against’).
Metro Brokers, Inc. v. Transportation Insurance Company, supra.
It also explained that it agreed wit the
U.S. District Court Judge’s conclusion that Metro's claim fell under the Policy's malicious-code exclusion. That the thieves (in some way) used a computer virus to commit their theft is undisputed. The Policy defines `malicious code’ as including, among other things, `computer viruses.’ Although Metro argues that the computer virus did not in fact `cause’ the loss (because of the thieves' intervening conduct), the Policy states unambiguously that it does not cover losses `caused directly or indirectly’ by malicious code `regardless of any other cause or event that contributes concurrently or in any sequence to the loss.’ Based on this broad (but plain) exclusionary language, we conclude that Metro's loss is excluded.

Because Metro's loss is not covered by the Policy, Metro's claims for both breach of contract and for bad faith must fail. See Lawyers Title Ins. Corp. v. Griffin, 691 S.E.2d 633 (Georgia Court of Appeals 2010) (concluding that, to establish a bad faith claim under Georgia Code § 33–4–6, an insured must show, among other things, that his claim is covered under the insurance policy).
Metro Brokers, Inc. v. Transportation Insurance Company, supra.

The Court of Appeals therefore affirmed the U.S. District Court’s granting summary judgment for TIC.  Metro Brokers, Inc. v. Transportation Insurance Company, supra.

No comments:

Post a Comment