Testing the Limits III – Cyber Coverage Litigation Focuses on Computer Fraud Losses

Privacy & Cybersecurity Newsletter
August 2018

Fraudsters deploy different computer-related techniques but toward the same end – “gaming the system” for their own financial gain. Some victims turn to insurance for recovery. Four recent federal appellate decisions reveal courts’ continued analysis of whether policies with computer fraud, funds transfer fraud, crime or other coverages respond to such losses of funds. These recent opinions, which come from four different appellate circuits, stress the significance of specific policy language and the particular facts of the scams.

The federal Ninth Circuit kicked off the recent flurry of activity in April 2018. In Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of America, 719 F. App’x 701 (9th Cir. 2018), the insured received a fraudulent email from one of its vendors requesting that the insured change the vendor’s bank account information. The insured manually changed the account information and future wire transfers were sent to the hacker’s account. The insured sought coverage under the computer fraud provision of its crime policy. The trial court granted summary judgment to the insurer based on an exclusion that the policy “will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System .…” Id. at 702. The appellate court affirmed that the exclusion barred coverage.

In May 2018, the federal Eleventh Circuit ruled for the insurer in Interactive Communications Int’l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018). Fraudsters manipulated the insured’s computerized interactive telephone system, allowing them to load value onto debit cards from a single redemption multiple times instead of just once. The debit cards were then used for various purchases, which were honored by the debit card bank based on the value in a debit card account. The insured sought coverage under its computer fraud policy (coverage for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”). Id. at *2. The trial court, applying Georgia law, found no coverage for losses incurred from unauthorized redemption, holding both that the redemptions were not made through computers and that the redemptions were not the direct cause of the insured’s losses. The appellate court affirmed on the grounds that the loss of money did not result “directly” (that is, “straightaway, immediately, and without any intervention or interruption”) from the use of a computer system and was also “temporally remote”. Id. at *4. The reviewing court did, however, disagree with the trial court’s finding that computers were not involved.

The busy season ramped up with two decisions in July. The federal Second Circuit in Medidata Solutions, Inc. v. Federal Insurance Co., 729 F. App’x 117 (2d Cir. 2018), agreed with the lower court that the insured was entitled to coverage under New York law. The case concerned fraudulent funds transfers resulting from spoofed emails when the insured’s employee believed the requests had come from the company’s president. The appellate court agreed with the insured that the computer fraud provision of the policy applied because “the fraudsters … crafted a computer-based attack that manipulated [its] email system” that resulted in “a fraudulent entry of data into the computer system [the spoofing code]” and which altered “the email system’s appearance … to misleadingly indicate the sender.” Id. at 118. The appellate court further concurred with the lower court that the insured’s loss was the direct result of the computer fraud. Noting that under New York law a “direct loss is equivalent to proximate cause,” the court concluded that:

[T]he spoofing attack was the proximate cause of [the insured’s] losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the [insured’s] employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.

Id. at 119.

And still one more ruling in July. Unlike the other three decisions, all of which affirmed the lower courts, the federal Sixth Circuit reversed the trial court in American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am., No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018). The insured was hoodwinked by emails purporting to be from one of its vendors into sending money to the impersonator’s bank accounts. The lower court said that the insured’s crime policy covered “direct loss” of funds “directly caused by computer fraud” which was defined as “the use of any computer to fraudulently cause a transfer of money.” The lower court concluded, under Michigan law, that the loss was not direct because it was not immediate and due to the intervening steps taken by the insured between the time it received the fake emails and the time it effected the three wire transfers. The Sixth Circuit disagreed, citing Michigan law indicating that “direct” means “immediate or proximate” as opposed to “remote or incidental.” Id. at *4. Also, although the insurer characterized the use of computers as not enough to render a fraud a “computer fraud,” the appellate court noted that “here the impersonator sent [the insured] fraudulent emails using a computer and these emails fraudulently caused ‘the insured’ to transfer the money to the impersonator.” Id. While the insurer, according to the court, seemed to want to limit “computer fraud” to “hacking and similar behaviors,” the policy’s definition did not reflect such a limitation. The court also summarily rejected application of three policy exclusions raised by the insurer.

Another decision awaits treatment by the federal Eleventh Circuit. Oral argument is currently scheduled for November 2018 in Principle Solutions v. Ironshore Indemnity Co., No. 1:15-CV-4130-RWS, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016). There, the trial court determined that, under Georgia law, there was coverage under a crime policy for a funds transfer resulting from spoofed emails. The court said that the policy’s computer and funds transfer fraud provision providing coverage for loss “resulting directly from a ‘fraudulent instruction’ directing a ‘financial institution’” to debit the insured’s account was ambiguous and that intervening steps between receipt of the fake email and the funds transfer did not bar coverage. Id. at *5. According to the lower court’s opinion, “[i]f some employee interaction between the fraud and the loss was sufficient to allow [the insurer] to be relieved from paying under the provision at issue, the provision would be rendered ‘almost pointless’ and would result in illusory coverage.” Id.

The judicial scrutiny is not over, as coverage actions remain pending throughout the country, seeking a determination under commercial crime/computer fraud policies. Also, new matters continue to be filed. See, e.g., Quality Plus Services, Inc. v. Nat’l Un. Fire Ins. Co. of Pittsburgh, PA, No. 3:18-cv-00454 (E.D. Va. filed Jul. 2, 2018).

Although the ways in which these computer-related schemes operate often reflect cutting-edge technologies or new techniques, courts wrestle with coverage issues that have long been at the heart of insurance disputes. What is the policy’s language? What jurisdiction’s law controls? What constitutes a direct loss or proximate cause? What are the public policy issues concerning the scope of policy provisions? These recent decisions illustrate that insureds and insurers face a wide array of arguments that will mark the legal landscape. Disputed claims will continue to shape the body of law that both insureds and insurers should consider in their insurance transactions going forward.