United States District Court, D. Minnesota
State Bank of Bellingham, Plaintiff and Counterclaim Defendant,
v.
BancInsure, Inc., Defendant and Counterclaim Plaintiff.
Jonathan M. Bye and Bryan R. Freeman, Lindquist & Vennum, PLLP, 4200 IDS Center, 80 South Eighth Street, Minneapolis, MN 55402, for Plaintiff.
Joseph A. Nilan, Mark J. Johnson, T. James Power, and Joshua A. Dorothy, Gregerson, Rosow, Johnson & Nilan, Ltd., 650 Third Avenue South, Suite 1600, Minneapolis, MN 55402, for Defendant.
MEMORANDUM OPINION AND ORDER
SUSAN RICHARD NELSON, District Judge.
This matter is before the Court on Plaintiff State Bank of Bellingham's Motion for Partial Summary Judgment, for Attorney's Fees and for Punitive Damages [Doc. No. 15], as well as the parties' cross-motions for summary judgment [Doc. Nos. 76, 88]. For the reasons stated below, the Court grants in part and denies in part Plaintiff's Motion for Partial Summary Judgment [Doc. No. 15], grants Plaintiff's Motion for Summary Judgment [Doc. No. 76], and denies Defendant BancInsure Inc.'s Motion for Summary Judgment [Doc. No. 88].
A. The Parties and the Bond
Plaintiff is a "Minnesota state bank with five employees and one location in Bellingham, Minnesota." (Carman Decl. [Doc. No. 80], ¶ 2.) Defendant is an insurance company that is incorporated in Oklahoma. (Compl. [Doc. No. 1], ¶ 5; Amended Answer and Counterclaim [Doc. No. 36], ¶ 5.) In October 2010, Defendant issued Financial Institution Bond No. FIB0011607 (the "Bond") to Bellingham Corporation, with coverage effective from October 17, 2010, to October 17, 2013. (Bye Decl. dated April 25, 2014 [Doc. No. 79] ("Second Bye Decl."), Ex. A (BancInsure Financial Institution Bond), at 166.) Plaintiff is a named insured on the Bond. (Id. at 168.) Under the Bond, Defendant agrees to indemnify Plaintiff in various circumstances, collectively referred to as "Insuring Agreements," including, relevant to this case, in the case of "computer systems fraud." (Id. at 166.) Under that provision, referred to as "Insuring Agreement (H)":
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within
any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes
(1) property to be transferred, paid or delivered,
(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or
(3) an unauthorized account or a fictitious account to be debited or credited.
In this Insuring Agreement (H), fraudulent entry or change shall include such entry or change made by an employee of the Insured acting in good faith
(1) on an instruction from a software contractor who has a written agreement with the Insured to design, implement or service programs for a Computer System covered by this Insuring Agreement (H), or
(2) on an instruction transmitted by Tested telex or similar means of Tested communication identified in the application for this Bond purportedly sent by a customer, financial institution, or automated clearing house.
(Id. at 173.) Coverage under Insuring Agreement (H) provides a single loss limit of liability of $500,000, with a $5,000 deductible. (Id. at 166.)
The Bond also includes numerous exclusions. Relevant to the present motions, Section 2 of the Bond states that it "does not cover":
(h) loss caused by an Employee, except when covered under Insuring Agreement (A) or when covered under Insuring Agreement (B), (C) or (R) and resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;
(bb) under Insuring Agreements (H), (I), (J), (K), (L), (M), (N) and (O), in addition to all of the other Exclusions
(4) loss resulting directly or indirectly from theft of confidential information,
(12) loss resulting directly or indirectly from
(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,
(b) failure or breakdown of electronic data processing media, or
(c) error or omission in programming or processing,
(17) loss caused by a director or Employee of the Insured or by a person in collusion with any director or Employee of the Insured... except when loss is caused by an Employee and covered under Insuring Agreement (L) or (M)....
(Id. at 186, 188.) Section 5 of the Bond requires the following in the event of a loss:
(a) At the earliest practicable moment, not to exceed sixty (60) days, after discovery of loss, the Insured shall give the Company notice of the loss.
(b) Within 6 months after such discovery, the Insured shall furnish to the Company proof of loss, duly sworn to, with full particulars.
(Id. at 190.) Finally, Section 7 states:
(d) Upon the Company's request and at reasonable times and places designated by the Company the Insured shall
(1) submit to examination by the Company and subscribe to the same under oath,
(2) produce for the Company's examination all pertinent records, and
(3) cooperate with the Company in all matters pertaining to the loss.
(e) The Insured shall execute all papers and render assistance to secure to the Company the rights and causes of action provided for in this Section 7. The Insured shall do nothing after discovery of loss to prejudice such rights or causes of action.
(Id. at 191.)
B. Wire Transfers at the Bank
The loss at issue stems from a fraudulent wire transfer. At the time the loss occurred, Plaintiff made its wire transfers through the Federal Reserve's FedLine Advantage Plus system ("FedLine"). (Carman Decl. ¶ 4.) Plaintiff used a desktop computer that was connected to a Virtual Private Network device ("VPN") provided by the Federal Reserve. (Id.) The VPN was both a modem and an encryptor. (Id.) It encrypted the information entered on the computer and transmitted it over the internet to the Federal Reserve, where the information was then decrypted. (Id.) In order to complete a wire transfer on FedLine, a user had to enter an authorized user name and three passwords. (Id. ¶ 5.) One of the passwords was provided by a security token issued by FedLine that had to be inserted into a USB port on the computer. (Id.) The other two passwords were typed in by the user. (Id.) And, although it was not required by FedLine, wire instructions had to be verified by entry of a second user name and set of passwords. (Id.)
C. The Day Before the Loss
On October 27, 2011, one of Plaintiff's employees, Sharon Kirchberg, accessed FedLine in order to complete a wire transfer. (Nilan Aff. [Doc. No. 90], Ex. 4 (Kirchberg Dep. 49:2-6).) Ms. Kirchberg's token, password, and pass phrase, as well as the token, password, and pass phrase of another employee, were used to complete the transfer. (See id., Ex. 4 (Kirchberg Dep. 49:13-53:15).) When Ms. Kirchberg left the Bank for the day, she left both tokens in the computer and left the computer running. (Id., Ex. 4 (Kirchberg Dep. 53:18-54:13).)
D. The Loss
On October 28, Ms. Kirchberg arrived at work and accessed FedLine's Account Information Management application, which shows Plaintiff's account balance with the Federal Reserve. (Second Bye Decl., Ex. H (Proof of Loss), at 444.) At approximately 8:12 a.m. CST, she noticed that $940,000 had been transferred out of the bank using Fedwire Funds, which is part of FedLine. (Id.) She began investigating the entry and discovered that someone had attempted to initiate two wire transfers from a Demand Deposit Account at the bank to two different banks in Poland. (Id. at 444-45.) The first transfer, to a Citibank account in Warsaw, was in the amount of $485,000 and was initiated at 7:12 a.m. CST. (Id. at 444.) That transfer was completed at 7:25 a.m. CST using the user name and passwords of Ms. Kirchberg and one other employee. (Id. at 444-45.) However, neither of those employees authorized or verified the transfer or had access to FedLine at the time of the transfer. (Id. at 445.) The second transfer, to an ING Bank account in Katowice, was in the amount of $455,000 and was initiated at 7:21 a.m. CST and completed at 7:25 a.m. CST. (Id.) The same user names and passwords were used, but, again, neither employee even had access to FedLine at the time of the transfer. (Id.) Both transferee accounts were in the name of Markus Vorreas. (Id.)
Ms. Kirchberg immediately attempted to reverse the wire transfers using FedLine. (Id.) However, shortly after 8:00 a.m., Plaintiff's internet service provider experienced a distributed denial-of-service attack ("DDoS"), which disabled internet service near Plaintiff. (Id.) Accordingly, Ms. Kirchberg was unable to electronically request reversal of the transfers. (Id.) She then called the Federal Reserve and requested the reversals, but her request was denied. (Id.)
On October 31, the Federal Reserve notified the two intermediary institutions for the transfers that the transfers were fraudulent. (Id. at 446.) While the intermediary institution for the second transfer was able to revert the transferred funds to Plaintiff, the $485,000 that was transferred to the Citibank account in Warsaw has never been credited or reverted. (Id.)
E. The Investigation
Plaintiff notified Defendant of the loss on October 28, the day it occurred, by faxing a copy of the transaction details of the two transfers. (See Nilan Aff., Ex. 21 (Fax Transmittal).) On November 3, BancInsure acknowledged receipt of Plaintiff's notice and advised Plaintiff that the claim had been assigned to Karbal Cohen Economou Silk Dunne ("KCESD") for investigation. (Dorothy Aff. [Doc. No. 22], Ex. 5 (Letter), at 272.) In a letter dated November 9, KCESD reminded Plaintiff of its obligation under Section 5(b) of the Bond to provide Defendant with "proof of loss, duly sworn to, with full particulars," within six months of discovering the loss. (Nilan Aff., Ex. 22, at 381.) The letter included a Proof of Loss form and requested that the proof of loss include documentation of the loss, "full details concerning the transactions involved," "as detailed a narrative as possible regarding the circumstances surrounding the Bank's discovery of [the] loss," contact information for any law enforcement authorities investigating the matter, pleadings in any legal proceedings that were initiated, and any other relevant documents. (Id. at 382.) The letter also requested that the proof of loss "detail the Bank's security procedures" and that Plaintiff provide copies of the transaction records involving the transfers at issue. (Id.) Defendant reserved the right to make further inquiries and requests. (Id.)
Defendant received Plaintiff's Proof of Loss, in which Plaintiff claimed a net loss of $485,100, on December 27, 2011. (Second Bye Decl., Ex. H (Proof of Loss), at 442-43.) In the "Details of Loss" section of the form, Plaintiff stated that "an unknown individual or individuals gained unauthorized access to the FedLine Advantage Plus service on the State Bank of Bellingham's computer systems and fraudulently authorized two wire transfers." (Id. at 444.) Plaintiff went on to describe Ms. Kirchberg's discovery and attempted reversal of the transfers. (See id. at 444-45.) Plaintiff stated that, in addition to the Federal Reserve, it had notified various law enforcement agencies and that the FBI had examined Plaintiff's computers but Plaintiff was not aware of the status of any investigations. (Id. at 446.) As for its security measures, Plaintiff provided as follows:
... Internally, the Bank follows standard security procedures with respect to user names and passwords for its systems in accordance with the Federal Reserve Banks' Password Practice Statement. All systems on the internal network have Symantec Small Business Endpoint Protection 12.5, with not only antivirus and antispyware features but a desktop firewall and intrusion detection/protection. This security suite is centrally managed by the network server for definitions and threat management and updates automatically.
Additionally, the native Windows firewall is activated on computers on the internal network and the computers are configured to limit the software that can be installed on the device.
As for external threats, the Bank uses a SonicWALL NSA 240 firewall. The firewall has Gateway Antivirus and Gateway Anti-Spyware inspecting all traffic before passing through the gateway and uses Gateway Intrusion Protection. This security suite likewise is updated automatically on a daily basis, meaning no user accesses or modifies the firewall or the settings of the software overall.
The Bank also has surveillance cameras on premises. The recordings of October 27 and October 28 show no one entered the Bank between the time it closed on October 27 and the time employees returned on the morning of October 28.
(Id. at 446-47.) Plaintiff attached a print-out of its account balance activity with the Federal Reserve banks as of 8:12 a.m. CST on October 28, 2011; the transaction details for each of the two wire transfers; a letter from Plaintiff's internet service provider explaining the service outage on October 28, 2011; communications from the intermediary institutions involved in the transfers; and ...