Opinion
Civil Action 19-0020
06-09-2022
CONSTRUCTION FINANCIAL ADMINISTRATION SERVICES LLC d/b/a CFAS v. FEDERAL INSURANCE COMPANY
MEMORANDUM
JOHN MILTON YOUNGE, JUDGE
In this insurance action, Plaintiff Construction Financial Administration Services, LLC (“CFAS”) filed suit against its insurer, Defendant Federal Insurance Company (“FIC”), after FIC denied coverage for CFAS's transmission of $ 1.3 million dollars to a foreign account. CFAS's transfer was precipitated by its receipt of emails from the account of a CFAS client, though later revealed to have been sent by someone who gained unauthorized access to the account. According to CFAS, its transmission should be covered under the policy because the transfer was caused in part by its own negligence in failing to follow its policies and procedures. FIC denied coverage in part because CFAS's policy did not cover losses caused by “social engineering.” After extensive discovery, CFAS and FIC both moved for summary judgment. (ECF Nos. 27, 31). Upon consideration of the parties' briefing and arguments therein, we grant FIC's motion, and deny CFAS's.
The factual background is derived from the parties' statements of undisputed material facts (“SUMF”) and other summary judgment submissions, including the exhibits attached thereto.
CFAS is a third-party construction funds administration company. (Plaintiff's Statement of Undisputed Material Facts (“PSUMF”), ECF No. 27-1 ¶ 1; see also Defendant's Statement of Undisputed Material Facts (“DSUMF”), ECF No. 32 ¶ 1.) In its capacity as a funds administrator, CFAS disburses funds for contractors whose clients require performance and payment bonds from sureties. (DSUMF ¶ 2.) One of CFAS's clients is SWF Constructors (“SWF”). (PSUMF ¶ 6, DSUMF ¶ 4.) SFW is a joint venture between Coastal Environmental Group and another entity. (DSUMF ¶ 3.) In 2017, SWF agreed to perform construction work in California for the U.S. Army Engineer District - Fort Worth on a project described as “D/B Calexico Fence Replacement 2 Miles Calexico, California.” (PSUMF ¶ 6, DSUMF ¶ 4.) SWF was required to provide performance and labor and material payment bonds from a surety approved by the United States. (PSUMF ¶ 7, DSUMF ¶ 5.) The surety issued the bonds but required that SWF deposit all payments received from the project owner into a disbursement account administered by an independent third-party in order to facilitate receipt and disbursement of funds to the various suppliers and subcontractors furnishing labor and materials. (PSUMF ¶ 8, DSUMF ¶ 5.) SWF entered into a Funds Administration and Disbursement Agreement (“the FADA”) with CFAS in order to meet the surety's requirement that project payments be administered by an independent third party. (PSUMF ¶ 9, DSUMF ¶ 5.)
In the FADA, SWF was required to provide an itemized budget of project costs, including the name, subcontract price, and contact information for each subcontractor or supplier on the project. (PSUMF ¶ 11.) It was also required to provide copies of payment applications to the project owner, a disbursement voucher summary for each requires for payment, an identification of what line item within the application for payment to the project owner funded the payment, and a waiver and release form signed and notarized for each subcontractor to be paid from the disbursement account. (PSUMF ¶ 11.) The FADA also contained two clauses under the heading “Indemnification”:
5.1: [SWF] agrees to defend, hold harmless, and indemnify CFAS and its employees, officers and directors from and against any and all liabilities, losses, costs, expenses (including but not limited to attorney's fees), claims actions, or causes of action arising out of or relating to CFAS's activities pursuant to this agreement.
5.2: CFAS shall not be liable for, and [SWF] waive[s] any claims or remedies [SWF] may have against CFAS . . . arising out of any breach of this Agreement by CFAS, CFAS's disbursement or handline of the Disbursement Account.(See CFAS's Motion for Summary Judgment (“CFAS MSJ”), ECF No. 27 at Exhibit D; see also DSUMF, at Exhibit 4.)
In order to execute these payments, CFAS established a disbursement account and arranged for project payments from the owner to be directly deposited into the disbursement account. (PSUMF ¶ 12.) In order to disburse a payment from the disbursement account, SWF provided CFAS a disbursement voucher summary for each payment request, a disbursement voucher, an identification of what line item within the application for payment to the project owner funded the payment to the subcontractor. (PSUMF ¶ 15.) John Follmer, an executive at CFAS, was the sole person authorized to sign a check or authorize wire transfers from the disbursement account. (PSUMF ¶ 13.)
On April 9, 2018, CFAS received a request from what he believed to be SWF to make a payment from the disbursement account in the amount of $600,000 by wire transfer to a company in Hong Kong named HK Canopy Technology Limited (“HK”). (PSUMF ¶ 17, DSUMF ¶ 12.) HK was not listed in SWF's budget as a subcontractor, nor had CFAS received a copy of any executed agreement between HK and SWF. (PSUMF ¶ 17.) Follmer also did not receive a disbursement voucher for this payment, nor any identification of what line item within the application for payment to the project owner funded the payment, nor any waiver or release form signed by HK. (PSUMF ¶ 17.) He received a copy of an invoice from HK, but the invoice did not refer to the project nor identify what work or materials were supplied. (PSUMF ¶ 17.) Follmer authorized payment of the request on the same date he received it. (PSUMF ¶ 19, DSUMF ¶ 12.)
The next day, on April 10, Follmer received another request from what he believed to be SWF to make a payment from the disbursement account for $700,000 by wire transfer to HK. (PSUMF ¶ 20, DSUMF ¶ 19.) Again, Follmer received no disbursement voucher, no waiver, nor any line item identification. Follmer authorized payment of the request on the same date he received it. (PSUMF ¶ 20, DSUMF ¶ 19.) Thereafter, Follmer sent an email requesting additional documentation supporting the wire transfers. (DSUMF ¶ 30.) SWF denied approving the transfers. (DSUMF ¶ 31.)
On April 11, 2018, SWF submitted a disbursement voucher and related documents requesting payment from the disbursement account. (PSUMF ¶ 23.) Follmer advised SWF that the two payments to HK had left insufficient funds to make the requested distribution. (PSUMF ¶ 23.) SWF advised that they had not authorized or requested the payments to HK. (PSUMF ¶ 23, DSUMF ¶ 31.) Follmer contacted the bank and law enforcement to try to stop or recover the payments. (PSUMF ¶ 24, DSUMF ¶ 41.) After several weeks of effort, Follmer received back $127,007. (PSUMF ¶ 24.)
Following the fraudulent disbursements and before contacting FIC, CFAS borrowed $1,000,000 and placed those funds into the disbursement account in order to avoid SWF's default of payment to its actual subcontractors and suppliers. (PSUMF ¶ 25, DSUMF ¶ 48.) CFAS also deposited into the account the recovered funds, and deferred receipt of its fee otherwise due under the FADA. (PSUMF ¶ 25.) On April 13, 2018, Follmer, on behalf of CFAS, received a claim letter from SWF stating that neither of the requests from HK included any documentation required under the FADA. (PSUMF ¶ 27, DSUMF ¶ 46.)
Following an investigation, it was revealed that a Coastal Group employee's email had been hacked by an unknown “threat actor.” (PSUMF ¶ 28, DSUMF ¶ 32-36.) The threat actor had, in some way, gained access to Coastal Group's network prior to the unauthorized transfers. (PSUMF ¶, DSUMF ¶ 37.) Posing as a Coastal Group employee, the threat actor fraudulently sent emails to CFAS requesting the transfers. (DSUMF ¶ 39.)
At the time of the wire transfer to HK, CFAS had an effective PROE&E insurance policy with FIC (“the Policy”). (PSUMF ¶ 28, DSUMF ¶ 49.) The policy was effective from August 21, 2017, through August 21, 2018. (PSUMF ¶ 29.)
In relevant part, the Policy stated as follows:
MISCELLANEOUS CONSULTING FIRM ENDORSEMENT
In consideration of the premium charged, it is agreed that the Policy is amended as follows:
(3) Section III. EXCLUSIONS is amended by adding the following Exclusion:
No coverage will be available under this Policy for any Claim against an Insured based upon, arising from or in consequence of any:
(e) unauthorized access to, or use or alteration of, any computer program, computer, computer system or communication facilities that are connected thereto;
[. . .]
UNAUTHORIZED NETWORK ACCESS EXCLUSION ENDORSEMENT
In consideration of the premium charged, it is agreed that Section III, Exclusions, of the Policy is amended to include the following exclusion:
No coverage will be available under the Policy for any Claim against an Insured based upon, arising from or in consequence of any unauthorized or exceeded authorized access to, use of or alteration of, any computer program, software, computer, computer system or any input, output, processing, storage and communication devices that can be connected thereto.(See CFAS MSJ, Exhibit 1 at *123-24, Exhibit 2 at *5; FIC MSJ Exhibit 14 at p. 23-24, 30 (collectively, “Breach Exclusions”).)
In addition to the breach exclusions, the Policy also included a relevant notification provision:
XI. DEFENSE AND SETTLEMENT
(C) No Insured shall settle or offer to settle any Claim, incur any Defense Costs, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without [FIC]'s prior written consent, which shall not be unreasonably withheld. [FIC] shall not be liable for any settlement, Defense Costs, assumed obligation or admission to which it has not given its prior written consent.(See CFAS MSJ, Exhibit 1 at *115; FIC MSJ Exhibit 14 at p. 15) (“Notification Provision”).)
CFAS made a claim under the PROE&O Policy by letter on April 17, 2018 for the full amount it transferred to HK. (PSUMF ¶ 34, DSUMF ¶ 51.) On June 6, 2018, FIC denied CFAS's claim. (PSUMF ¶ 36.) In its letter, FIC stated that “[t]he claimant alleges that CFAS improperly transferred funds from the Disbursement Account based on a fraudulent email stream. As this matter is based upon, arises from and/or is in consequence of the unauthorized access to or use of a computer program, software, computer, and/or computer system, it is excluded from coverage pursuant to Section III(A) as amended by the Miscellaneous Consulting Firm Endorsement and the Unauthorized Network Access Exclusion.” (PSUMF ¶ 37-39.)
CFAS filed suit on January 3, 2019. (“Complaint, ” ECF No. 1.) In its Complaint, CFAS asserted one count for breach of contract, stating that it complied with all the terms and conditions of the Policy, that it made a timely claim for the losses it sustained, and that it was wrongfully denied coverage. (Complaint at ¶¶ 52-59.) FIC filed its Answer on March 8, 2019, denying that it materially breached the terms of the policy. (ECF No. 9).
Following a protracted period of discovery, CFAS and FIC cross-filed motions for summary judgment on March 11, 2020. Both parties filed responsive briefs, replies, and sur-replies. (See ECF Nos. 34, 35, 39, 40, 44, 45, 47, and 50.) On May 1, 2020, FIC filed a Motion to Strike CFAS's reply brief and amended reply brief. (ECF No. 48.) CFAS filed a response, ECF No. 51, and FIC filed a reply. (ECF No. 53.)
II. LEGAL STANDARD
“The court shall grant summary judgment if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). When making this determination, we must weigh all facts in the light most favorable to the non-moving party and draw all reasonable inferences in favor of the non-moving party. Jutrowski v. Twp. of Riverdale, 904 F.3d 280, 288 (3d Cir. 2018). “For its part, ‘[t]he non-moving party must oppose the motion and, in doing so, may not rest upon the mere allegations or denials [in] his pleadings' but, instead, ‘must set forth specific facts showing that there is a genuine issue for trial. Bare assertions, conclusory allegations, or suspicions will not suffice.'” Id. at 288-89 (quoting D.E. v. Central Dauphin Sch. Dist., 765 F.3d 260, 268-69 (3d Cir. 2014)).
“A factual dispute is genuine ‘if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.'” Id. at 289 (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). “Conversely, ‘where a non-moving party fails sufficiently to establish the existence of an essential element of its case on which it bears the burden of proof at trial, there is not a genuine dispute with respect to a material fact and thus the moving party is entitled to judgment as a matter of law.'” Goldenstein v. Repossessors Inc., 815 F.3d 142, 146 (3d Cir. 2016) (quoting Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 265 (3d Cir. 2014)). “The same standards and burdens apply on cross-motions for summary judgment.” Allah v. Ricci, 532 Fed.Appx. 48, 50 (3d Cir. 2013) (citing Appelmans v. City of Phila., 826 F.2d 214, 216 (3d Cir. 1987)).
III. DISCUSSION
A. Choice of Law
Since this Court sits in diversity, this Court must “apply the substantive law as decided by the highest court of the state whose law governs the action.” Orson, Inc. v. Miramax Film Corp., 79 F.3d 1358, 1373 (3d Cir. 1996). CFAS's business address is in Pennsylvania, with its principal office located in North Carolina. The insurance policy was executed by CFAS in North Carolina, and the fraudulent transmission occurred in North Carolina. FIC's principal place of business is in Indiana. FIC is a member company of the Chubb Group of Insurance Companies, which has its principal place of business in Connecticut.
This Court is charged with applying the choice of law rules of Pennsylvania. Klaxon v. Stentor Electric Mfg. Co., 313 U.S. 487 (1941). In Griffith v. United Airlines Inc., 203 A.3d 796, 805 (Pa. 1964), the Pennsylvania Supreme Court adopted a “more flexible rule which permits analysis of the policies and interests underlying the particular issue before the court.” Courts are directed to apply the substantive law of the state with the “most interest in the problem.” Hammersmith v. TIG Ins. Co., 480 F.3d 220, 227 (3d Cir. 2007). Under Griffith, the first step is to determine whether a conflict exists between the laws of the competing states. The parties agree North Carolina and Pennsylvania have the most significant interests in the resolution of this matter.
In this case, we are charged with interpreting the language of the requisite insurance policy and determining whether coverage is provided based on the particular facts before us. North Carolina and Pennsylvania share similar law in interpreting insurance contracts. In North Carolina, an insurance policy “is a contract between the parties” and “must be construed so as to carry out their intent.” Allstate Ins. Co. v. Shelby Mut. Ins. Co., 152 S.E.2d 436, 440 (N.C. 1967). Determining the meaning of insurance policy language presents questions of law governed by general contract interpretation principles. Accardi v. Hartford Underwriters Ins. Co., 838 S.E.2d 454, 456 (N.C. 2020). “The party seeking coverage under an insurance policy bears the burden ‘to allege and prove coverage.'” North Carolina Farm Bureau Mut. Ins. Co., Inc. v. Martin, 851 S.E.2d 891, 895 (N.C. 2020). A court must construe an insurance contract as a reasonable person in the position of the insured would have understood the insurance contract. See Register v. White, 599 S.E.2d 549, 553 (N.C. 2004); Marriott Fin. Servs., Inc. v. Capitol Funds, Inc., 217 S.E.2d 551, 565 (N.C. 1975). Courts should strive to arrive at the coverage the parties intended at the issuance of the policy. Id. (citing Wachovia Bank & Tr. Co. v. Westchester Fire Ins. Co., 172 S.E.2d 518, 522 (N.C. 1970)). Terms left undefined by the policies must be given ordinary meanings consistent with the context in which they appeared. Id.
It is “well settled in North Carolina that insurance policies are construed strictly against insurance companies and in favor of the insured.” State Cap. Ins. Co. v. Nationwide Mut. Ins. Co., 350 S.E.2d 66, 73 (N.C. 1986). Because coverage exclusions are disfavored, courts also “strictly construe[ ]” ambiguities in a policy against the insurer. Id. When “the meaning of words or the effect of provisions is uncertain or capable of several reasonable interpretations, ” we resolve any doubt in favor of coverage. Gaston Cnty. Dyeing Mach. Co. v. Northfield Ins. Co., 524 S.E.2d 558, 563 (N.C. 2000).
Under Pennsylvania law, courts interpreting insurance policies “are guided by the polestar principle that insurance policies are contracts between an insurer and a policyholder.” Kurach v. Truck Ins. Exch., 235 A.3d 1106, 1116 (Pa. 2020). We thus “apply traditional principles of contract interpretation in ascertaining the meaning of the terms used therein.” Id. A court must consider the insurance policy in total, giving each term its plain meaning and giving effect to all of the provisions, and must not view any one provision or word in isolation. See Delaware Cnty. Const. Co. v. Safeguard Ins. Co., 502 A.2d 15, 17 (Pa. Super. 1967) (citing Newman v. Massachusetts Bonding & Ins. Co., 361 Pa. 587, 65 A.2d 417 (Pa. 1949)). If the policy terms are clear and unambiguous, we must give effect to the plain and ordinary meaning of those terms. See Kurach, 235 A.3d at 1116.
“In Pennsylvania, the insured has the burden ‘to establish coverage under an insurance policy.'” Easy Corner, Inc. v. State Nat'l Ins. Co., 154 F.Supp.3d 151, 154 (E.D. Pa. 2016) (quoting Nationwide Mut. Ins. Co. v. Cosenza, 258 F.3d 197, 206 (3d Cir. 2001).) Then, “[if] the dispute involves an exclusion in the insurance policy, ‘the burden is upon the insured to show that a loss has occurred; thereafter, the burden is on the insurer to defend by showing that the loss falls within a specific policy exclusion.'” United Nat'l Ins. Co. v. Indian Harbor Ins. Co., 160 F.Supp.3d 828, 839 (E.D. Pa. 2016) (quoting Wexler Knitting Mills v. Atl. Mut. Ins. Co., 555 A.2d 903, 905 (Pa. Super Ct. 1989)). Based on the above, we are satisfied that North Carolina and Pennsylvania law regarding the broad tenets of insurance contract interpretation does not conflict. While normally such an outcome would suggest that we apply the law of the state in which this Court sits, in this particular case, we apply North Carolina law. Throughout both parties' briefing, North Carolina law is extensively relied upon, and its applicability is not disputed by either party. (See CFAS MSJ at 10; FIC MSJ at 10.) Since both parties are in apparent agreement regarding its application, and since no real conflict exists, we apply the laws of that jurisdiction.
B. The Policy Does Not Cover CFAS's Claim
We conclude FIC has not breached the Policy as it does not cover the current scenario for which CFAS seeks coverage. CFAS is not entitled to coverage because its claims are excluded under the Breach Exclusions. The language of both exclusions clearly contemplates losses precipitated by social engineering events such as hacking. Even if the Breach Exclusions did not apply, CFAS failed to provide notice of the loss to FIC before settling the claim, as set forth in the Policy. Under the terms of the Policy, CFAS was required to notify FIC of any pending claims before their resolution. Since CFAS failed to do so, it failed to meet the criteria for coverage as agreed to under the terms of the Policy.
a. The Fraudulent Transfers are Not Covered Under the Policy
CFAS argues FIC wrongfully denied its claim because the claim against CFAS was not “based upon, arising from or in consequence of” an unauthorized access or use of a computer system. (CFAS MSJ at 9-10.) CFAS argues that its failure to obtain proper paperwork was a proximate cause of the fraudulent transfer, in addition to the hacker's access to SWF's computer system. (Id. at 11-15.) Under North Carolina precedent, there will be coverage where “there is more than one cause of an injury and only one of the causes is excluded.” (Id. at 12 (citing State Capital Ins. Co. v. Nationwide Mut Ins. Co., 350 S.E.2d 66 (N.C. 1986).) Since CFAS's failure to obtain the necessary paperwork contributed to the company's actions, CFAS concludes the exclusion does not apply. (Id. at 14.) Since FIC's own underwriting notes admit that the only allegation made against CFAS was “that CFAS failed to follow the disbursement process outlined in the [FADA]” and as a result made the fraudulently-induced transfers, CFAS argues that it suffered damages due to the failure to obtain required documents rather than “social engineering.” (Id. at 14-15.)
FIC argues that when the Policy's Breach Exclusions are applied, coverage is clearly unwarranted. (FIC MSJ at 12 -17.) FIC argues it is clear that the SWF demand was “based upon, arising from or in consequence of” an unauthorized access and use of a computer system. (Id. at 14.) FIC explains that “arising out of” means “causally connected with, not proximately caused by.” (Id. at 18 (citing McCabe v. Old Republic Ins. Co., 228 A.2d 901, 903 (Pa. 1967).) FIC explains that this standard does not require a direct nexus between the claim and the computer access; it need only prove a causal nexus, even if indirect. (Id. (citing Countryway Ins. Co. v. Slaugenhoup, 360 Fed.Appx. 348, 352 (3d Cir. 2010).) In North Carolina, “the exclusionary language [‘arising out of'] requires only that the injuries ‘arise out of' the excluded cause.” (Id. (citing Wilkins v. Am. Motorists Ins. Co., 388 S.E.2d 191, 194 (N.C. App. 1990).) The presence of other contributing factors does not impact the application of an exclusion. (Id. at 19.) The phrase applies as long as the excluded conduct played a role in the claimed loss. (Id.) Moreover, FIC argues that courts routinely conclude hacking events constitute “unauthorized access” to computer systems. (Id. at 13.) Since the fraudulent user logged into SWF's email accounts and posed as one of its employees, FIC argues the facts of this case clearly fall under the exceptions.
We agree with FIC that even under the narrowest construction, the Policy's language excludes CFAS's claim. While nothing under North Carolina law is exactly on point, we turn to similar cases in order to inform our decision. Both parties argue that State Capital Ins. Co. v. Nationwide Mut. Ins. Co., 350 S.E.2d 66 (N.C. 1986), bears upon the current analysis. In State Capital, the policyholder stored a rifle in the back of his truck. Id. at 67. While the car was parked, the policyholder spotted a deer and ran to the truck to retrieve his gun. Id. As he touched the rifle, it fired, and the bullet struck his companion in the leg. Id. A claim was made under the policyholder's automobile and homeowners' policies. Id. As it pertains to the instant case, the homeowners' policy excluded coverage for injury “arising out of the ownership, maintenance, use, loading, or unloading” of a motor vehicle. Id. at 68. The North Carolina Supreme Court considered in part the meaning of the phrase “arising out of” in a homeowner policy exclusion. Id.
The Court determined that, based on the “arising out of” language, a policyholder is not excluded from coverage where there is more than one cause of an injury and only one of the causes is excluded. Id. at 73. Drawing support from other jurisdictions as well as its own prior precedent, the court explained that “this Court has held that when an accident has more than one cause, one of which is covered by an ‘all risks' insurance policy and the other which is not, the insurer must provide coverage.” Id. at 74. Thus, it concluded that the homeowner's policy in this instance “provide[d] coverage for injuries so long as a non-excluded cause is either the sole or concurrent cause of the injury giving rise to liability. Stating the second principle in reverse, the sources of liability which are excluded from homeowners policy coverage must be the sole cause of the injury in order to exclude coverage under the policy.” Id. at 73. Since the policyholder's negligent handling of the rifle was a proximate cause of the injury, the court held the exclusion would not apply to preclude coverage. Id.
North Carolina courts have continued to apply this precedent where separate but concurrent proximate causes contribute to an injury. See, e.g, Nationwide Mut. Ins. Co. v. Davis, 118 N.C.App. 494 (N.C. App. 1995) (finding that coverage existed under an automobile policy where use of a van and negligent supervision of a child both contributed to child's injuries after child was struck by another car exiting the vehicle). However, since State Capital, several North Carolina courts have engaged in a deeper inquiry, only to find in fact one singular proximate cause as the true source of injury.
In Builders Mut. Ins. Co. v. North Main Const., Ltd., 637 S.E.2d 528 (N.C. 2006), the North Carolina Supreme Court considered whether defendant's commercial general liability policy covered the serious injuries sustained by another driver and caused by an employee while driving a company vehicle. The policy contained an exclusion for “‘bodily injury' . . . arising out of the ownership, maintenance, use or entrustment” of any automobile owned by the insured. Id. at 86. At the time of the accident, defendant's employee was intoxicated and had several prior moving violations. Id. at 87. Plaintiff insurance company filed a declaratory judgment action stating it had no duty to defend or indemnify the negligent hiring and negligent supervision claims pending in the underlying matter because the policy did not cover for injuries arising out of the use or entrustment of a motor vehicle. Id. The court agreed, and concluded plaintiff owed no coverage. Id. at 89. It concluded that the employee's actions were only harmful because he was required to drive the vehicle for work; thus, claims of negligent supervision were not non-automobile causes of the underlying plaintiff's injuries for purposes of determining liability. Id.
Similarly, in Nationwide Mut. Ins. Co. v. Integon Indem., 473 S.E.2d 23 (N.C. Ct. App. 1996), the North Carolina court of appeals considered whether coverage applied after an insurer denied coverage for injuries caused by a trailer improperly attached to a vehicle. Id. at 24. The policy in question contained an exclusion for “bodily injury . . . arising out of the ownership, maintenance, [and] use . . . of motor vehicles . . . owned or operated . . . by an insured.” Id. Despite allegations that the insured negligently attached the trailer to the car, the court of appeals held that the exclusion applied since the alleged negligence was not independent of the excluded risk. Id. at 25 (“[T]he defendant Estate's damages are alleged to have resulted solely from . . . ‘use' of the truck . . . and not any independent ‘non-automotive' cause. [The underlying defendant's] alleged negligence in attaching, securing and towing the trailer could not have caused damages that were independent of the ‘use' of the truck itself.”); see also Wilkins v. American Motorists Ins. Co., 97 N.C.App. 266 (N.C. App. 1990); Erie Ins. Exchange v. St. Stephen's Episcopal Church, 153 N.C.App. 709 (N.C. App. 2002).
Similar to the progeny of Builders Mutual and Integon, we conclude CFAS's failure to require documentation is not an independently occurring cause of injury. As in the above cases, CFAS's lack of receipt of proper documentation could not have caused the injury in question (here, the fraudulently-induced money transfers) without the emails precipitated by the hacker's unauthorized access to SWF's network. CFAS would not have sent the funds to the bank account included by the fraudster without first receiving the unauthorized emails. The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails. Even more literally, CFAS would not have been able to transfer the funds to HK without the unauthorized emails because the emails contained the account information.
The fact that the instant Policy contains even broader language than the policies discussed in the above cases informs our decision. Instead of confining the Breach Exclusions to injuries “arising out of” unauthorized access, it excludes injuries “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to” any computer program or network. The fact that this language casts a wider net cannot be ignored. In Nationwide Mut. Fire Ins. Co. v. Nunn, 442 S.E.2d 340 (N.C. App. 1994), the North Carolina court of appeals interpreted a policy that excluded coverage for a loss “arising out of or in connection with a business engaged in by an insured.” Id. at 342 (emphasis added.) There, a policyholder sought coverage for a dog bite sustained by a guest at the policyholder's property, which was being used as a wedding venue. Id. The court determined the injury was “in connection with” the business, since the guest would not have been on the property but for the event it had been hosting. Id. at 344. In so doing, the court determined that, given the broadened language of the policy, its inquiry did not simply stop at whether the injury arose out of an excluded peril; rather, it must inquire whether there was a proximate cause of the injury that was not “in connection with” the business. Id. at 344. The court concluded that, given the broad definition of “in connection with, ” all of the possible proximate causes of the guest's injury were in connection with the policyholder's business because, but for the business, the guest would not have been on the property. Id.
In the current Policy, we similarly interpret the phrase “in consequence of any . . . unauthorized access.” Under its plain and ordinary meaning, the phrase “in consequence of” expands the excluded perils to include “a result that follows as an effect of something that came before.” Black Law Dictionary (11th ed. 2019). There is no doubt that here, the transfers completed by Follmer were the result of the fraudulent emails. Unless Follmer was personally involved in this fraudulent transaction-and we have seen no evidence up to this point that he was so involved-without the emails initiating his actions, he would have no need to partake in the transaction in which CFAS argues he negligently undertook by failing to follow the process outlined in the FADA. Since the hacker's unauthorized access precipitated the events that followed, the broadened language makes it clear that the transactions are excluded under the Policy. See, e.g., Bancorpsouth, Inc. v. Fed. Ins. Co., 873 F.3d 582 (7th Cir. 2017) (holding that the exclusionary language “based upon, arising from, or in consequence of any fees or charges” excluded any fees, whether or not they were payable to or by a party); Lenko Corp. v. Fed. Ins. Co., 70 F.Supp.3d 905 (N.D.Ill. 2014) (holding that claims “based upon, arising from, or in consequence of any actual or alleged infringement of copyright, patent, trademark, trade name, trade dress, service mark or misappropriation of ideas or trade secrets” includes claims brought under a non-IP legal theory if the claim would not have arisen but for the IP claims); TranSched Systems Ltd. V. Fed. Ins. Co., 958 F.Supp.2d 331 (D.RI. 2013) (holding that the exclusionary language “based upon, arising from, or in consequence of any actual or alleged liability of an Insured Organization under any written or oral contact or agreement . . .” included any claim for conduct arising from any liability under a contract).
b. CFAS Failed to Provide Notice of its Claim
Though we conclude the fraudulent transfers were not covered under the Policy's Breach Exclusions, we further examine CFAS's failure to notify FIC regarding its claim. We conclude that FIC has likely shown CFAS's failure to notify was a sufficient basis to deny coverage.
We are not persuaded that, as CFAS argues, FIC has waived this argument. When interpreting an insurance policy, our job is to ascertain the meaning of the parties based on the plain language of the contract. Meyer v. CUNA Mut. Ins. Soc'y, 648 F.3d 154 (3d Cir. 2011) (citing Madison Constr. Co. v. Harleysville Mut. Ins. Co, 735 A.2d 100 (Pa. 1999); Woods v. Nationwide Mut. Ins. Co., 246 S.E.2d 773 (N.C. 1978). While it was certainly asserted at a very late juncture, FIC expressly “reserve[d] the right to deny coverage based upon grounds other than those expressly set forth” in its denial of coverage letter. We read this to include CFAS's failure to follow the terms of the Policy's notification provision. Thus, FIC has not indicated, expressly or impliedly, that it intentionally relinquished or abandoned a known right or privilege, nor can it be said that FIC's conduct led CFAS to believe that it had dispensed with such a right since it preserved its ability to contest coverage on different grounds than those indicated in its letter. See Prime Medica Associates v. Valley Force Ins. Co., 970 A.2d 1149 (Pa. Super. 2009); Bombardier Capital, Inc. v. Lake Hickory Watercraft, Inc., 632 S.E.2d 192, 196 (N.C. 2006). We note that FIC first asserts this argument in its responsive briefing. Though we are not obligated, we consider both parties' arguments regarding this issue due to the extensive briefing provided by both parties, as well as the alternative grounds upon which this decision rests. See Frankentek Residential Systems, LLC v. Buerger, 15 F.Supp.3d 574, n.11 (E.D.Pa. 2014).
FIC argues that CFAS failed to immediately forward the SWF demand, and instead opting to unilaterally pay SWF without complying with the terms of the Policy. (FIC Memorandum in Response to CFAS's Motion for Summary Judgment, ECF No. 40 at 7.) FIC argues that the Policy precludes such unilateral decision-making based on its plain terms. (Id. 13.) It argues that, as set forth above, the Policy included as Notification Provision that states the following:
No Insured shall settle or offer to settle any Claim, incur any Defense Cost, or otherwise assume any contractual obligation or admit any liability with respect to any Claim without [FIC]'s prior written consent, which shall not be unreasonably held. [FIC] shall not be liable for any settlement, Defense Cost, assumed obligation or admission to which it has not given its prior written consent.(Id.)
FIC argues that after enforcing the plain terms of the contract, CFAS cannot demand coverage where it prejudiced FIC's ability to respond to a demand. (Id. at 14 (citing Royal Ins. Co. of Am. v. Cato, 481 S.E.2d 383, 386 ( N.C. App. 1997) (denying coverage based on the terms of a policy where an insured failed to notify insurer of settlement to resolve a default judgment entered against it).) Specifically, FIC argues it was precluded from asserting at least two defenses based on the terms of the FADA. (Id. at 13-15.) FIC argues that the FADA contains two provisions under the heading “Indemnification” that generally bear upon its liability in the present situation. (Id. at 7.)
In response, CFAS argues FIC's belated assertion of this argument amounts to waiver, and that it should be estopped from asserting this defense after extensive and costly discovery and litigation. (CFAS Reply to FIC's Memorandum in Response, ECF No. 47 at 6.) Even considering the merits, CFAS argues FIC's claims fail since neither the indemnification clause nor the exculpatory clause are valid defenses. (Id. at 7.) CFAS argues the FADA indemnification clauses are unenforceable since they are best construed as a protection against third-party claims and not against CFAS's own negligence. (Id.) Further, CFAS claims the clauses do not apply since they were not the product of fair bargaining. (Id. at 8 (citing Employers Liability Assurance Co., Ltd. v. Greenville Bus. Men's Assoc., 224 A.2d 620 (Pa. 1966)).
We agree CFAS failed to follow the terms of the Policy when it did not notify FIC of the claims pending against it. Through its failure to alert FIC of the pending claim, it materially prejudiced FIC's ability to assert any defenses under the FADA and otherwise. Since FIC did not give its written consent to CFAS's unilateral resolution of the hacking issue, CFAS is unable to now obtain indemnification under this Policy.
In both relevant jurisdictions, an insured may not demand coverage where it prejudiced an insurer's ability to respond to a demand. In North Carolina, “The purpose and intention of an insurance contract's notice provision is to enable the insurer to begin its investigation and to initiate other procedures as soon as possible after a claim arises, and to avoid any prejudice that might be caused by a delay in receiving notice.” South Carolina Ins. Co. v. Hallmark Enterprises, 364 S.E.2d 678, 680 (N.C. App. 1988). “[U]nless the insured or his judgment creditor can show compliance with the requirement, the insurer is relieved of liability.” Davenport v. Travelers Indemnity Co., 195 S.E.2d 529, 532 (N.C. 1973). However, mere failure or a failure caused by legitimate delay may be excused under the appropriate circumstances. North Carolina courts have stated that where an insured fails to give timely notice of a suit against the insured, the insurer must show material prejudice in order to be relieved of its obligation to pay the claim. See, e.g., Nationwide Mut. Ins. Co. v. State Farm Mut. Auto. Ins. Co., 470 S.E.2d 556, 558 (1996) (where notice was given as soon as practicable or insured shows good faith for delay, insurer must show that its ability to investigate and defend was materially prejudiced).
In Pennsylvania, in order to prevail on a late notice defense, an insurer must prove that notice was untimely and that the delay caused prejudice to the insurer. Brakeman v. Potomac Ins. Co., 371 A.2d 193, 198 (1977). “Provision of prompt notice to both law enforcement and the insurance company enables those entities to promptly investigate the accident, thus making it less likely a claimant might fabricate a phantom vehicle's involvement to excuse his own neglect. Moreover, it is beyond dispute that, as time passes, memories fade and evidence disappears; therefore, providing prompt notice helps ensure the integrity of the evidence either in support of or discrediting the alleged phantom vehicle's involvement. This is not to say, however, that every case will be affected by notice delay in the same manner or that delay cannot be excused based on the facts of the case.” Vanderhoff v. Harleysville Ins. Co., 78 A.3d 1060, 1067, 621 Pa. 429, 440 (Pa., 2013).
Under the plain terms of the Policy, CFAS was disallowed from settling any claims, incurring any defense cost (as defined by the Policy), admitting any liability, or otherwise assuming any contractual obligation without FIC's prior written consent. However, by responding to SWF's demand letter dated April 13, 2018 with a unilateral payment, CFAS acted in contravention to the agreed-upon notification provision. In doing so, it prejudiced FIC's ability to assert defenses originating under the FADA or otherwise. As stated above, the FADA contained two clauses which arguably pertained to CFAS's alleged obligation to SWF following the money transfers. Further, FIC was unable to investigate any comparative fault on behalf of SWF, or even the events leading up to the fraudulent transfers themselves. As stated, a condition precedent to receiving coverage was CFAS's notification of a pending claim, presumably so as to enable FIC the full opportunity to investigate these obvious questions. Rather, CFAS presented a settled claim, giving FIC no chance to investigate or evaluate any available options given the situation, as agreed upon in the Policy. Since CFAS failed to adhere to the terms of the Policy's notification provision, it squarely has not obtained FIC's prior written consent; thus, FIC should not be held liable for this obligation assumed by its insured.
IV. CONCLUSION
For the foregoing reasons, CFAS's Motion for Summary Judgment will be denied, and FIC's Motion for Summary Judgment will be granted. FIC's Motion to Strike will be denied. An appropriate order follows.