
    [37 NE3d 78, 16 NYS3d 21]
    Universal American Corp., Appellant, v National Union Fire Insurance Company of Pittsburgh, Pa., Respondent.
    Argued May 7, 2015;
    decided June 25, 2015
    
      POINTS OF COUNSEL
    
      Schlam Stone & Dolan LLP, New York City (Richard H. Dolan and Bradley J. Nash of counsel), for appellant.
    I. The order below should be reversed, and partial summary judgment granted to Universal American Corp. on the issue of coverage. (Executive Risk Indem., Inc. v Starwood Hotels & Resorts Worldwide, Inc., 98 AD3d 878; Ace Wire & Cable Co. v Aetna Cas. & Sur. Co., 60 NY2d 390; Belt Painting Corp. v TIG Ins. Co., 100 NY2d 377; Dean v Tower Ins. Co. of N.Y., 19 NY3d 704; Ragins v Hospitals Ins. Co., Inc., 22 NY3d 1019; Westview Assoc. v Guaranty Natl. Ins. Co., 95 NY2d 334; United States Fid. & Guar. Co. v Annunziata, 67 NY2d 229; City of New York v Evanston Ins. Co., 39 AD3d 153; Primavera v Rose & Kiernan, 248 AD2d 842; Raner v Security Mut. Ins. Co., 102 AD3d 485.) II. None of the exclusions to the computer fraud policy applies to Universal American Corp.’s claim. (Dean v Tower Ins. Co. of N.Y., 84 AD3d 499, 19 NY3d 704; Pioneer Tower Owners Assn. v State Farm Fire & Cas. Co., 12 NY3d 302; Teichman v Community Hosp. of W. Suffolk, 87 NY2d 514; Belt Painting Corp. v TIG Ins. Co., 100 NY2d 377; On Demand Mach. Corp. v Ingram Indus., Inc., 442 F3d 1331; Commodity Trend Serv., Inc. v Commodity Futures Trading Commn., 233 F3d 981; Kamine/Besicorp Allegany L.P. v Rochester Gas & Elec. Corp., 908 F Supp 1194; MedAssets, Inc. v Federal Ins. Co., 705 F Supp 2d 1368; Raner v Security Mut. Ins. Co., 102 AD3d 485; Miller Tabak + Co., LLC v Senetek PLC, 118 AD3d 520.)
    
      
      Nixon Peabody LLP, New York City (Barbara A. Lukeman of counsel), for respondent.
    I. The unanimous order of the First Department should be affirmed because Universal American Corp. cannot meet its burden of showing coverage. (Tribeca Broadway Assoc. v Mount Vernon Fire Ins. Co., 5 AD3d 198; Munzer v St. Paul Fire & Mar. Ins. Co., 145 AD2d 193; Bretton v Mutual of Omaha Ins. Co., 110 AD2d 46; Caporino v Travelers Ins. Co., 62 NY2d 234; Jones v St. Paul Fire & Mar. Ins. Co., 295 AD2d 569; United States Fire Ins. Co. v General Reins. Corp., 949 F2d 569; Loblaw, Inc. v Employers’ Liab. Assur. Corp., 85 AD2d 880, 57 NY2d 872; Standard Mar. Ins. Co. v Federal Ins. Co., 39 AD2d 444; Eagle Leasing Corp. v Hartford Fire Ins. Co., 540 F2d 1257.) II. Three exclusions apply and act as a bar to coverage of Universal American Corp.’s claims. (Citigroup Global Mkts. Inc. v Abbar, 761 F3d 268; Securities Inv. Protection Corp. v Morgan, Kennedy & Co., Inc., 533 F2d 1314; Swerdloff v Miami Natl. Bank, 584 F2d 54; Arkwright Corp. v United States, 53 F Supp 359; Matter of Bombay Realty Corp. v Magna Carta, 100 NY2d 124; Muzak Corp. v Hotel Taft Corp., 1 NY2d 42; Brooklyn City R.R. Co. v Kings County Trust Co., 214 App Div 506, 242 NY 531; People v Bhatt, 160 Misc 2d 973.)
    
      Anderson Kill P.C., New York City (Joshua Gold and Dennis J. Nolan of counsel), and Amy Bach, United Policyholders, San Francisco, California, for United Policyholders, amicus curiae.
    I. It is critically important that New York’s courts provide policyholders with relief for improper denials of insurance coverage. (American Home Prods. Corp. v Liberty Mut. Ins. Co., 565 F Supp 1485, 748 F2d 760; Bi-Economy Mkt., Inc. v Harleysville Ins. Co. of N.Y., 10 NY3d 187.) II. New York law, properly applied, requires a finding of insurance coverage for appellant’s crime loss. (Miller v Continental Ins. Co., 40 NY2d 675; Seaboard Sur. Co. v Gillette Co., 64 NY2d 304; Matter of Mostow v State Farm Ins. Cos., 88 NY2d 321; Matter of Reliance Ins. Co., 55 AD3d 43, 12 NY3d 725; Matter of New York Cent. Mut. Fire Ins. Co. v Ward, 38 AD3d 898; Retail Ventures, Inc. v National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F3d 821.) III. Policyholders are particularly vulnerable when insurance companies are not compelled to honor their coverage obligations. (Bi-Economy Mkt., Inc. v Harleysville Ins. Co. of N.Y., 10 NY3d 187.) IV. The lower courts’ findings regarding insurance coverage intent were erroneous. (Dean v Tower Ins. Co. of N.Y., 19 NY3d 704; Cragg v Allstate Indem. Corp., 17 NY3d 118; Rubin v Empire Mut. Ins. Co., 57 Misc 2d 104, 32 AD2d 1, 25 NY2d 426.)
   OPINION OF THE COURT

Rivera, J.

On this appeal we consider whether an insuring agreement for computer systems fraud that applies to “a fraudulent entry ... of Electronic Data or Computer Program” encompasses losses caused by an authorized user’s submission of fraudulent information into the insured’s computer system. We conclude that the agreement is unambiguous and “fraudulent entry” refers to unauthorized access into plaintiff’s computer system, and not to content submitted by authorized users. Therefore, we affirm the order of the Appellate Division.

Plaintiff, Universal American Corp. (Universal), is a health insurance company that offers, as relevant to this appeal, a choice of federal government-regulated alternatives to Medicare, known as “Medicare Advantage Private Fee-For-Service” plans (Medicare Advantage). These plans allow Medicare-eligible individuals to purchase health insurance from private insurance companies, and those companies are, in turn, eventually reimbursed by the U.S. Department of Health & Human Services’ Centers for Medicare & Medicaid Services for health care services provided to the plans’ members. Universal has a computerized billing system that allows health care providers to submit claims directly to the system. According to Universal, the great majority of claims submitted are processed, approved, and paid automatically, without manual review.

The matter before us involves Universal’s demand for indemnification to cover losses resulting from health care claims for unprovided services, paid through Universal’s computer system. At issue is the coverage available to Universal pursuant to rider No. 3 (rider) of a financial institution bond (bond), issued by defendant National Union Fire Insurance Company of Pittsburgh, Pa. (National Union). The bond insured Universal against various losses, inclusive of certain losses resulting from dishonest and fraudulent acts. The rider amended the bond to provide indemnification specifically for computer systems fraud, and states, in part:

“COMPUTER SYSTEMS
“It is agreed that:
“1. the attached bond is amended by adding an Insuring Agreement as follows:
“COMPUTER SYSTEMS FRAUD
“Loss resulting directly from a fraudulent
“(1) entry of Electronic Data or Computer Program into, or
“(2) change of Electronic Data or Computer Program within
“the Insured’s proprietary Computer System . . .
“provided that the entry or change causes
“(a) Property to be transferred, paid or delivered,
“(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or
“(c) an unauthorized account or a fictitious account to be debited or credited.”

The rider, and the basic bond coverage, carry a $10 million limit and a $250,000 deductible for each “single loss,” which, as defined in the rider, includes “the fraudulent acts of one individual,” or of “unidentified individuals but arising from the same method of operation.” Universal’s annual premium during the relevant policy period was $170,500.

A few months after obtaining coverage, Universal suffered over $18 million in losses for payment of fraudulent claims for services never actually performed under its Medicare Advantage plans. When Universal sought payment from National Union for its post-deductible losses, National Union denied coverage on the ground that the rider did not encompass losses for Medicare fraud, which National Union described as losses from payment for claims submitted by health care providers.

Universal then commenced an action for damages and declaratory relief against National Union. Thereafter, Universal moved pursuant to CPLR 3212 for partial summary judgment, and an order declaring the losses to be covered under the policy. National Union cross-moved for summary judgment. Supreme Court denied Universal’s motion, granted National Union’s motion, and dismissed the complaint (38 Misc 3d 859 [Sup Ct, NY County 2013]), concluding that the rider is not ambiguous and does not extend to fraudulent claims entered into Universal’s system by authorized users. The court determined, instead, that the intended coverage is for an unauthorized entry into the computer system by a hacker or through a computer virus.

The Appellate Division unanimously modified the summary judgment order, on the law, to declare the policy does not cover the loss, and otherwise affirmed. The Court concluded the unambiguous language of the policy does not cover fraudulent content entered by authorized users, but rather “wrongful acts in manipulation of the computer system, i.e., by hackers” (110 AD3d 434, 434 [1st Dept 2013]). We granted Universal leave to appeal (23 NY3d 904 [2014]), and now affirm.

An insurance agreement is subject to principles of contract interpretation. “As with the construction of contracts generally, ‘unambiguous provisions of an insurance contract must be given their plain and ordinary meaning, and the interpretation of such provisions is a question of law for the court’ ” (Vigilant Ins. Co. v Bear Stearns Cos., Inc., 10 NY3d 170, 177 [2008], quoting White v Continental Cas. Co., 9 NY3d 264, 267 [2007]). “Ambiguity in a contract arises when the contract, read as a whole, fails to disclose its purpose and the parties’ intent” (Ellington v EMI Music, Inc., 24 NY3d 239, 244 [2014], citing Brooke Group v JCH Syndicate 488, 87 NY2d 530, 534 [1996]), or where its terms are subject to more than one reasonable interpretation (see Dean v Tower Ins. Co. of N.Y., 19 NY3d 704, 708 [2012], quoting Seaboard Sur. Co. v Gillette Co., 64 NY2d 304, 311 [1984]; Chimart Assoc. v Paul, 66 NY2d 570, 573 [1986] [ambiguity exists if “the agreement on its face is reasonably susceptible of more than one interpretation”]; see also Greenfield v Philles Records, 98 NY2d 562, 569-570 [2002]). However, parties cannot create ambiguity from whole cloth where none exists, because provisions “are not ambiguous merely because the parties interpret them differently” (Mount Vernon Fire Ins. Co. v Creative Hous., 88 NY2d 347, 352 [1996]). Rather, “the test to determine whether an insurance contract is ambiguous focuses on the reasonable expectations of the average insured upon reading the policy and employing common speech” (Matter of Mostow v State Farm Ins. Cos., 88 NY2d 321, 326-327 [1996] [citations omitted]; see also Cragg v Allstate Indem. Corp., 17 NY3d 118, 122 [2011] [“Insurance contracts must be interpreted according to common speech and consistent with the reasonable expectations of the average insured”]).

Turning to the language of the rider, we conclude that it unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users. The term “fraudulent” is not defined in the rider, but it refers to deceit and dishonesty (see Merriam-Webster Collegiate Dictionary 464 [10th ed 1993]). While the rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering,” “access,” and the latter means “to make different,” “alter” (id. at 387, 190). In the rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program. Thus, the rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system. The rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself. The intentional word placement of “fraudulent” before “entry” and “change” manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.

Other language in the rider confirms that the rider seeks to address unauthorized access. First, the rider is captioned “COMPUTER SYSTEMS,” and the specific language at issue is found under the subtitle “COMPUTER SYSTEMS FRAUD.” These headings clarify that the rider’s focus is on the computer system qua computer system. Second, under “EXCLUSIONS,” the rider exempts from coverage losses resulting directly or indirectly from fraudulent instruments “which are used as source documentation in the preparation of Electronic Data or manually keyed into a data terminal.” If the parties intended to cover fraudulent content, such as the billing fraud involved here, then there would be no reason to exclude fraudulent content contained in documents used to prepare electronic data, or manually keyed into a data terminal.

Nonetheless, Universal argues that in the context of the rider, “fraudulent entry” means “fraudulent input” because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information. This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.” Of course, that is not what the rider says. Moreover, Universal’s reading ignores the other language contained in the rider and its categorical application to “Computer Systems” and “Computer Systems Fraud.”

We are also unpersuaded by Universal’s reliance on Owens, Schine & Nicola, P.C. v Travelers Cas. & Sur. Co. of Am. (2010 WL 4226958, *1, 2010 Conn Super LEXIS 2386, *1-3 [Sept. 20, 2010, No. CV095024601], vacated 2012 WL 12246940, 2012 Conn Super LEXIS 5053 [Apr. 18, 2012] [memorandum of decision vacated by stipulation of the parties]), in support of its argument that the heading “COMPUTER SYSTEMS FRAUD” can reasonably be interpreted to encompass fraud committed through a computer, meaning fraud that is not limited to computer hacking incidents. The Owens decision is of little assistance to Universal’s cause. In Owens, the policy provision was far broader, and contained an internally applicable definition of “Computer Fraud” as

“[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Banking Premises:
“1. to a person (other than a Messenger) outside the Premises or Banking Premises; or
“2. to a place outside the Premises or Banking Premises” (2010 WL 4226958, *4, 2010 Conn Super LEXIS 2386, *9-10).

The insurer argued that “computer fraud” within the meaning of the policy required manipulation of the computer system, i.e., hacking. It further argued that there was no actual computer fraud because the use of emails and a computer to create a fraudulent check, as part of a scheme to steal funds from the insured, did not cause the physical transfer of money out of the insured’s account. Instead, the loss resulted from the insured’s wiring of the funds out of the account. The court found the phrase “use of any computer” to be ambiguous as to “the amount of computer usage necessary to constitute computer fraud” (2010 WL 4226958, *7, 2010 Conn Super LEXIS 2386, *19). Thus, Owens was concerned with whether the computer had been utilized sufficiently to constitute computer fraud as contemplated by the parties, based on their reasonable understanding of the policy’s terms.

Here, it is undisputed that use of Universal’s computer is absolutely essential to trigger coverage for a loss, and that its computers were indeed used in a manner that resulted in payment of claims for health care services that were never provided. Thus, unlike in Owens, the question is not how much computer use is required under the policy, but whether the use involved here is the type actually covered by the rider.

We conclude that the “reasonable expectations of the average insured upon reading the policy” (Mostow, 88 NY2d at 326-327) are that the rider applies to losses resulting directly from fraudulent access, not to losses from the content submitted by authorized users. Accordingly, the order of the Appellate Division should be affirmed, with costs.

Judges Read, Pigott, Abdus-Salaam, Stein and Fahey concur; Chief Judge Lippman taking no part.

Order affirmed, with costs. 
      
       Medicare, a hospital, medical, and prescription drug insurance program, is administered by the Centers for Medicare & Medicaid Services within the U.S. Department of Health & Human Services (see 42 USC § 1395 et seq.).
      
     