In First Commonwealth Bank v. St. Paul Mercury Ins. Co., No. 2:14-cv-00019-MPK (W.D. Pa.), St. Paul, the insurer for a bank, First Commonwealth, filed a motion to dismiss First Commonwealth’s breach of contract claim which sought coverage under a professional liability policy. St. Paul asserted First Commonwealth’s lawsuit should be dismissed as a matter of law because First Commonwealth reimbursed a customer for amounts lost in a fraudulent transaction without first notifying St. Paul as required under the policy.

Commonwealth sought coverage under its professional liability insurance policy issued by St. Paul for amounts it paid to reimburse one of its customers that became a victim of “malware” (malicious software installed without permission). After being installed on the customer’s computer, the malware allowed hackers to access the customer’s password and username for the customer’s account with Commonwealth. After gaining access, hackers completed multiple wire transfers totaling more than $3 million dollars to banks in Krasnodor, Russia, Pennsylvania and Belarus. Once the fraud was uncovered, Commonwealth immediately reimbursed its customer.

In its motion to dismiss, St. Paul took the position that Commonwealth’s coverage action should be dismissed because the bank’s payment violated the “voluntary payment” provision under the professional liability policy. This provision precluded coverage for any amounts Commonwealth paid to third-parties without first obtaining St. Paul’s consent.

On October 6, 2014, the District Court issued its Opinion and Order denying St. Paul’s motion to dismiss. The District Court reasoned that the reimbursement of the customer’s account for the fraudulent wire transfers was not voluntary when Pennsylvania law required the bank reimburse the customer for the fraudulent wire transfers. Specifically, the Pennsylvania Uniform Commercial Code requires all banks refund any funds paid without the customer’s authorization. Therefore, in light of the bank’s statutory obligation to reimburse the customer for the fraudulent wire transfers, the District Court held the payments could not be “voluntary.”

This decision demonstrates how the rapid development of malware and hackers’ techniques can outpace the development of certain laws. Here, we see a situation where the legislators may not have been able to consider the impact of malware when they drafted provisions of the Commercial Code. Likewise, we also see a court finding the terms and conditions of an insurance policy potentially conflict with an insured’s obligations under the Commercial Code. Consequently, this decision is further evidence of the need to obtain counsel that understands the intersection of malware, statutory obligations as well as obligations under insurance policies.