A Louisiana car dealership’s Cyber Liability policy does not cover contractual reimbursements owed to a lender by that dealership following a “touchless” online vehicle purchase utilizing identity theft. During the pandemic, the dealership created a “touchless” process whereby an online buyer would submit a credit application to a lender. If approved, the buyer and the dealer would complete the paperwork electronically or by mailing documents. Once all documents were executed, the lender would then tender the purchase price to the dealer, who would then assign the credit agreement to the lender. The buyer would then arrange transport of the newly purchased vehicle via a third party.
Eventually, after no payments were made on certain transactions, the lenders discovered that those transactions were made with fake or stolen identities and sought reimbursement from the dealer under the terms of their agreements. The dealership then sought coverage for these payments from two carriers under certain Cyber Liability policies, and the carriers denied coverage. Ruling on a Rule 12(b)(6) Motion to Dismiss, Judge Cain of the United States District Court for the Western District of Louisiana agreed that there was no coverage under the Cyber Liability policy provisions as to third-party and first-party coverage.
Regarding the third-party coverage, the Cyber Policy stated that it provided coverage for “…claim expenses and damages that you become legally obligated to pay resulting from a claim against you…” Allegations that the dealership was contractually obligated to remit the purchase price to the lender were not “facts that can be construed as indicating there is a claim against it causing it to be legally obligated to pay.”
As to the first-party claims, the carriers argued that the policy did not provide coverage for what was essentially a vehicle theft and that the allegations did not meet the necessary coverage triggers for any of the numerous fact-specific coverage sections of the policy. In particular, the dealership argued that the loss could be considered a “Funds Transfer Loss” under the Cyber Policy’s coverage for “Funds Transfer Fraud.” That policy defined “Funds transfer loss” as “loss of money… directly resulting from funds transfer fraud…” “Funds transfer fraud” is defined as:
Funds transfer fraud means a fraudulent instruction transmitted by electronic means, including through social engineering, to you or your financial institution directing you, or the financial institution, to debit an account of the named insured or subsidiary and to transfer, pay, or deliver money or securities from such account, which instruction purports to have been transmitted by an insured and impersonates you or your vendors, business partners, or clients, but was transmitted by someone other than you, and without your knowledge or consent. The financial institution does not include any such entity, institution, or organization that is an insured.
The dealership’s position was that the contractual reimbursement owed by the dealer to the lender was a “Funds transfer loss” because it was a “loss” of money as to the dealership. The court read the language in the policy’s definition of “Funds transfer fraud” as necessarily requiring a “fraudulent instruction” directing the insured to debit its account. As such, the court found that the claims did not fall within the first-party coverage provisions of the Cyber Policy and that there was no coverage for the loss.
The matter is entitled Benoit Ford LLC et al v. Lexington Insurance Co. et al., 22-CV-06024 and is pending in the United States District Court for the Western District of Louisiana, Lake Charles Division. The Memorandum Ruling was issued on October 2, 2023.
The Fifth Circuit has previously ruled that a substantially similar provision did not cover a loss stemming from a cybercrime whereby false information was provided to an insured changing vendor payee information and subsequent payments issued to the false vendor account were made with the insured’s knowledge and consent. Mississippi Silicon Holdings, LLC v. Axis Insurance Company, 843 Fed. Appx. 581 (5th Cir. 2021). But see Medidata Solutions, Inc. v. Federal Insurance Co., 268 F. Supp. 3d 471, 480 (S.D.N.Y. 2017) (finding coverage under a Fund Transfer Fraud provision for identity theft of a corporate executive: “The fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high-level employees’ knowledge and consent which was only obtained by trick. As the parties are aware, larceny by trick is still larceny.”)