The 5th U.S. Circuit Court of Appeals in New Orleans has affirmed a lower court's decision in finding that a commercial crime insurer in an insured's suit for coverage of a multi-million dollar loss in a phishing incident was proper because the insured never "held" the funds intended for its clients, nor did it control the funds designated for them. The case is RealPage, Inc. v. Nat'l Union Fire Ins. Co., No. 21-10299, 2021 U.S. App. LEXIS 37962 (5th Cir. Dec. 22, 2021).
This case resulted from a successful phishing expedition. In 2018, a RealPage, Inc. employee accidentally clicked on a fake link in a seemingly innocuous email, and provided login information for RealPage's account with a third-party processing site called Stripe, Inc. Phishers stole the login credentials. The phishers then used the credentials to divert millions of dollars in rent payments from tenants intended for RealPage's property manager clients.
RealPage and Stripe recovered some of the stolen funds, but ended up losing about $6 million to the crooks. RealPage reimbursed its clients and filed claims under its $5 million commercial crime insurance policy with AIG unit National Union Fire Insurance Co. of Pittsburgh and its $5 million excess fidelity and crime policy with Beazley Insurance Co. for the stolen funds. National Union determined that RealPage owned the funds that Stripe had earmarked as RealPage's transaction fees and reimbursed the company for $1.1 million, but the insurer denied coverage for the remainder of the stolen funds on the basis that the phished funds were not covered losses because RealPage never "held" them. RealPage then filed this action challenging the denial of coverage. The district court agreed with RealPage's insurer and granted summary judgment. A three-judge appeals court panel affirmed that decision.