Careful Claim Analysis Saves Insurers from $6 Million Loss

In a case showing the importance of careful claim analysis, a Texas federal court just denied insurance coverage to a company that lost $6 million in a phishing scheme.

In RealPage Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, Civ. No. 3:19-CV-1350-B (N.D. Tex. February 24, 2021), the company, RealPage, collected rents on behalf of landlords through its web portals. In fact, RealPage's vendor, Stripe, operated the portals. Stripe would also collect the rents, which it would commingle with other funds in its own account, and disburse the money as appropriate.

In May 2018, cybercriminals deployed a phishing scheme, by which they obtained and altered a RealPage employee’s credentials. Using these altered credentials, the cybercriminals diverted $10 million from Stripe’s account that had not yet been disbursed to RealPage’s clients. RealPage was able to recover about $4 million, but it ended up reimbursing its clients for the $6 million that it had lost. RealPage then sought coverage for the $6 million loss.

The policies in question only covered property that the insured owned, leased, or held for others. The Court noted that RealPage did not own, lease, or hold the money it lost. Rather, Stripe “held” the money, which RealPage’s clients “owned.” Thus, the court held: “[F]unds that are maintained in a commingled account in a third party’s name, at a third-party bank, which the insured can direct but not access, are not funds ‘held’ by the insured.” The court also noted that “RealPage could have contracted for a broader definition of covered property. But it did not. Accordingly, the Court concludes that the client funds are not covered property under the Policy . . . .”

For cyber insurers, the RealPage case shows the importance of understanding insureds’ business practices, to ensure that the insureds’ practices do not take them out of coverage. At first glance, it would appear that a cyber insurance policy would clearly cover losses from a phishing scheme, but a rigorous review of RealPage’s operations showed otherwise. With the clock of possible bad-faith and/or prompt payment litigation always ticking, insurers may feel pressure to pay claims, particularly if the insured is sympathetic, but this case shows that taking the time to conduct a thorough review always pays off.

Previous
Previous

Maryland Court Breaks New Fourth Circuit Standing Ground in Data Breach Suit

Next
Next

Minnesota Court Dismisses Target’s Insurance Claim for Data Breach