What role do cyber and other insurance lines play when losses result from an employee’s unwitting participation in spoofed email or password theft schemes? Several recent cases illustrate the evolving coverage implications that arise from the actions of duped employees who, while trying to do their jobs, fall victim to schemes designed to exploit the human element of computer security. Although varied in the specific method of alleged fraud and coverage sought, litigants face a common fact pattern in the above cases: exploitation of human elements – often the weakest link in computer and online security – to induce an insured to take action through electronic means that it would never take if it knew the true source of the request.
A federal court in one recent case sided with the insured in a spoofed email fraud case. Principle Solutions Group, LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130 (N.D. Ga. Aug. 30, 2016). In that case the hacker faked an email from the insured’s managing director to its controller. The email referenced a company acquisition and asked that the controller work with a specific attorney to wire funds. Later that morning, the phony attorney sent an email with wiring instructions to a bank in China and called the controller to emphasize that the transaction needed to be completed that day. The controller complied and the fraud was discovered the next day.
The insured sought coverage under its commercial crime policy, which covered losses “directly resulting from a ‘fraudulent instruction’” directing a financial institution to transfer funds. On cross-motions for summary judgment, the insurer argued that while the email was an instruction, it did not “directly” result in the loss because of the intervening actions of the insured’s employees and the phony attorney. The court disagreed and instead granted summary judgment for the insured, finding the “directly resulting” language to be ambiguous. It concluded that because both parties’ interpretations of the policy were reasonable, there was an ambiguity requiring the court to construe the policy in the light most favorable to the insured. See also Apache v. Great Am. Ins. Co., No. 4:14-CV-237 (S.D. Tex. Aug. 7, 2015), appeal pending, No. 15-20499 (5th Cir. 2016) (granting summary judgment to insured; “[D]espite the human involvement that followed the fraud, the loss still resulted directly from computer fraud, i.e., the email directing Apache to disburse payments to a fraudulent account.”).
Real estate closings are also a frequent target. In one pending case, hackers obtained email credentials for the head of a real estate company and sent fraudulent emails from his address to an escrow company requesting withdrawals from the company’s account. Maxum Indem. Co. v. Long Beach Escrow Corp., et al., No. 2:16-CV-05907 (C.D. Cal., filed Aug. 8, 2016). The escrow company transferred the funds, which could not be recovered after the fraud was discovered. The plaintiff, a client of the escrow company, alleges in the underlying suit that the escrow company wired funds to the hackers’ accounts without communicating directly with the plaintiff by telephone or facsimile, and in doing so failed to follow its own procedures and industry custom and practice. The insurer denied coverage, and seeks a declaration that two exclusions apply: (1) the “funds exclusion” (damages arising out of “commingling, conversion, misappropriation or defalcation of funds”); and (2) the fiduciary duty exclusion (claims arising out of the insured’s fiduciary duty, responsibility or obligation). This litigation is ongoing.
Another court denied an insurer’s motion to dismiss in a case involving a spoofed email to a title company in a residential real estate sale. ABL Title Ins. Agency, LLC v. Maxum Indem. Co., No. 15-7534 (D.N.J. Jun. 30, 2016). The hacker, using a misleading email address that resembled the seller’s attorney email, sent an email indicating that the sellers desired payment by wire transfer. As a result, the title company wired nearly $600,000 to the hacker. The insurer denied coverage under the title company’s professional liability policy, and moved to dismiss the title company’s lawsuit on grounds that the policy excluded damages arising out of “conversion.” The court denied the insurer’s motion to dismiss, concluding that it was too early in the proceedings to make a “legal determination that the tort of conversion occurred.”
In a pending Texas state court case, the insured alleges that it was the victim of fraudulent emails that impersonated the company’s CEO. Ameriforge Group Inc. v. Fed. Ins. Co., No. 4:16-cv-00377 (S.D. Tex., removed from Harris County); see Testing the Limits - Cyber Coverage Litigation Update (Locke Lord Feb. 23, 2016). In the spoofed emails, the imposter allegedly instructed an accounting employee to transfer $480,000 in connection with a “strictly confidential financial operation.” The imposter cautioned that since the transaction was “very sensitive,” the employee should “communicate with me through this email, in order for us not to infringe SEC regulations.” Based on those seemingly authentic instructions and a call from a third party “attorney” (also part of the scam), the employee transferred the funds. The insurer has denied coverage on the basis (among others) that the imposter’s email does not constitute computer fraud as defined in the policy, because it was not an “unauthorized” introduction of instructions to the computer system, i.e., a hacking event involving unauthorized access or entry to a computer. The litigation is ongoing.
In Medidata v. Fed. Ins. Co. No. 1:15-cv-00907 (S.D.N.Y. Mar. 10, 2016), the court denied summary judgment in a case involving forged emails used to deceive finance department employees. The emails caused them to transfer funds to unauthorized overseas accounts. The insurer filed a motion for summary judgment on grounds that there was no unauthorized entry into or manipulation of the insured’s computer systems for purposes of the computer fraud policy. Rather, the insurer asserted that the losses were caused by “voluntary transfer” effected by “authorized signatories.” Medidata argued in its motion that the emails used an altered sender’s code and other data that constituted a fraudulent change to its systems. The court denied both parties’ summary judgment motions “without prejudice due to an insufficient record.” The order suggests that the court may revisit the motions at a later date following limited expert discovery.
Results for these and similar coverage cases should be watched and will be heavily influenced by the claim-specific facts, the language of the policy (cyber, computer fraud, commercial crime, professional liability or other lines of coverage), and the law of the relevant jurisdiction. But the fact pattern of honest and diligent employees falling victim to trickery by malicious parties to gain access to an insured’s computer systems is not going away anytime soon. The increasing frequency of such losses, and the resulting disputes over whether they constitute “computer” or “cyber” losses, should encourage insureds, brokers and insurers to discuss such potential risks and possible insurance components of an insured’s overall risk management.
Molly McGinnis Stine is a Partner and John F. Kloecker is Of Counsel in Locke Lord’s Chicago office. They can be reached at email@example.com and firstname.lastname@example.org.