Presented by the Insurance Agents & Brokers Liability Practice Group

Does an Agent Have a Legal Obligation To Verify Email Communications?

Edited by Timothy Ventura, Esq.

Insurance business is transacted almost exclusively these days through electronic communications. The exchange of applications for insurance, the transmission of payment, the placement of coverage, and the submission of claims are done via email, smartphones and computer applications. An insurance agent or broker cannot function effectively without the ability to quickly communicate with their clients and insurers through such electronic means.

What is an agent’s or broker’s responsibility to avoid having their electronic communications intercepted or hacked by a third party? An insurance agent has a legal duty to act reasonably, which includes not misrepresenting insurance coverage, procuring requested or adequate coverage, and informing the insured of changes in coverage or premium. Does the agent’s duty of reasonable care extend to safeguarding its electronic communications from hacking or infiltration by an unknown third party?

We recently litigated a case in Pennsylvania state court involving a transaction where an email communication between the insurance agent and a law firm was apparently hacked into by an unknown party. The hacker then posed as the law firm and sent an email to the agent’s client. The client was instructed to wire funds to a bank that the law firm had previously identified for a transaction, but with a different account number. The problem with the email was that the address was slightly changed from the firm’s email address. Otherwise, the email looked exactly like the firm’s correct email submissions, including the same logo, font and name. The client did not discover the difference and followed the instructions, including going to its bank and directing the wiring of funds to a fraudulent account. The agent and law firm later discovered that the funds were not sent to the correct bank account for the transaction. Litigation ensued against the agent and her agency to recover the diverted funds.

The court was asked to address the issue of whether the agent could be held liable for the fraudulent hacking of its email communication. The plaintiff’s attorney alleged that the agent had an obligation to secure or encrypt its emails to prevent interception. Such an obligation allegedly arose out of trade and industry directives to secure electronic communication, computer industry standards on encryption and standard practices. The claim was that the agent was responsible for submitting an unsecured email, which was intercepted by a hacker who then sent fraudulent wiring information to the plaintiff that was relied upon to their detriment. The legal theories alleged were negligence, negligent misrepresentation and unfair trade practices.

The court held that the agent had no affirmative legal duty in Pennsylvania to prevent a third party from hacking into an email sent in connection with the transaction. No legal authority from Pennsylvania was cited by the plaintiff’s attorney imposing such an obligation on the agent, and an out-of-state case cited was factually distinguished. A key to the court’s decision was the allegation that the fraudulent email communication was sent directly from the hacker, posing as the law firm, to the plaintiff, without any involvement by the agent, who was not copied on the email. Thus, the agent did not directly have knowledge of the fraudulent email. In a later email to the client, the agent had used the correct email address for the law firm. Additional facts in this case indicated that, even had the agent been responsible for the hacked email, which was disputed, the incorrect wiring instructions sent to the plaintiff were reviewed and changed by the bank, thus breaking any causal connection to the agent.

This case suggests that an insurance agent or broker should not act to secure or encrypt email or other electronic communications in their business. As more cases of this type are litigated, and as the standards and practices for email communications continue to suggest or even require that they be secure from unauthorized interception, require verification or have other protections, courts may be more inclined to find a duty, and a breach thereof, if an agent is found responsible for a hacker’s infiltration of their electronic communications.

 

The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. If you receive the alerts in error, please send a note to tgventura@mdwcg.com. ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2020 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.