A federal judge in the U.S. District Court for the Western District of Pennsylvania has
denied an insurance company's request to dismiss a breach of contract claim filed by a Pennsylvania bank that had to reimburse a customer $3.5 million for funds lost in a data breach.
According to court documents, malicious software, or malware, infected the account of a client for First Commonwealth Bank and initiated three unauthorized wire transfers. The documents say that on Aug. 12, 2012, a Russian account received a transfer of $2,158,600. On Sept. 4, 2012, a second transfer of $76,520 was made to an account in Upper Darby, Pa., and a third amount of $1,350,000 was transferred to an account in Belarus.
The bank managed to recover the $76,520 transfer, but not the rest. Its clients demanded reimbursement for the missing funds, and First Commonwealth Bank complied with a payment of $3,508,600 out of its own accounts. The bank subsequently filed a claim with its policyholder, St. Paul Mercury Insurance Company.
The insurance company denied the claim, saying that the bank made the reimbursement without St. Paul Mercury's consent, violating the terms of its policy agreement. The defendant argues that because First Commonwealth Bank voluntarily reimbursed their client for the unauthorized transfers without consent, they are in breach of the defense and settlement provision of the policy.
U.S. Magistrate Judge Maureen Kelly ruled that the bank was required by law under the Pennsylvania Uniform Commercial Code to make the reimbursement, making the payment unvoluntarily and not a breach of the policy. The obligations from the state law acted as an outside influence that interfered with the restrictions imposed by the defendants.