Insurance policies

Third Party Email Fraud Covered by Insurance Policies | Ervin Cohen & Jessup LLP

In Medidata Solutions, Inc. c. Federal Insurance Company, 268 F. Supp. 3d 471 (SDNY 2017), confirmed, 729 Fed. Approx. 117 (2nd Circuit 2018), the Court found that insurance coverage existed when a business had been the victim of an email spoofing scheme that resulted in the business transferring funds to the account of a fraudster. More recent cases have also found insurance coverage for losses resulting from similar incidents of this type. See, for example, Ernst & Haas vs. Hiscox, Inc.., 23 F. 4e 1125 (9e Cir. 2022)

In Medidata, the spoofed email was in the form of an email purporting to be from the president of the company, who ordered payment to be made to a certain outside account. Believing the email to be genuine, a company subordinate wired the funds to the fraudster’s account.

Cover for the loss of the business was found in Medidata because the Court determined that the fraudster’s entry into and manipulation of the company’s electronic mail system satisfied the policy requirement that there had been “a fraudulent entry of data into a computer system and a modification of the data elements or program logic of a computer system”.

But what if the spoofed email is allegedly from someone posing as an outside vendor, as opposed to someone posing as an executive within the victimized company? In the case of an email impersonating an external vendor, the case that the company’s own email system was manipulated may be less strong, depending on the specific policy language. However, three recent cases have confirmed supplier coverage in which a supplier’s identity has been impersonated and as a result the company has suffered a loss.

In A m. Tooling Ctr., Inc. v. Travelers Case. & On. Co. of Am.895 F. 3d 455 (6e Cir. 2018), a company fell victim to a fraudster posing as one of the company’s Chinese suppliers. The company received a series of emails, allegedly from its Chinese supplier, claiming that the supplier had changed its bank accounts and that the company should transfer its payments to these new accounts. After transferring $834,000, the company learned the emails were fraudulent.

The business was insured by Travelers under a commercial insurance policy, which included coverage against computer fraud. The Computer Fraud Coverage Grant provided that Travelers would indemnify the company for any losses resulting from “the use of a computer to fraudulently cause a transfer of money…from inside [the company’s] premises … to a person … outside [the company’s] local…”

The company submitted the claim to Travelers, but it was denied and the trial court granted summary judgment to Travelers.

The Court of Appeal overturned. As it did in the trial court, Travelers argued on appeal that computer fraud coverage required a computer to be used to fraudulently cause the transfers. In other words, Travelers argued that the coverage of the computer fraud subsidy should be limited to “hacking and similar behaviors in which a malicious party somehow gains access to the user’s computer. ‘insured and/or control’. The Court rejected this interpretation of the policy and concluded that the company’s loss was covered by the Travelers policy.

In Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc.., 430 F. Supp. 116 (ED .Va. 2019), the Court dealt with a similar case. There, the victim company received an email from an unidentified impostor who posed as an employee of the company’s supplier. The impostor gave fraudulent payment instructions via email and subsequently the company authorized its bank to issue a wire transfer for $333,724 as per the impostor’s instructions.

The coverage premium for the computer fraud contract in question in Cincinnati Ins. was substantially similar to that of A m. Toolsexcept that the Cincinnati Ins. policy required that the loss result “directly” from the use of any computer to fraudulently cause the transfer of funds. In this case, the carrier argued that the loss did not arise “directly” from the impostor email, because the company and its employees had taken subsequent steps to implement the underlying transfer. after receiving the fraudulent email. This argument was essentially a variation of Traveler’s argument in A m. Tools that, to be covered, the loss had to result from the impostor actually entering and manipulating a company’s computer system.

The two carriers essentially argued that because the impostors in these cases did not penetrate or manipulate the companies’ computer systems, and therefore did not perform the funds transfers themselves, there would be no cover. As in many other cases in this area, the Court rejected this argument and determined that the company’s reliance on the fraudulent email provided a sufficient link to satisfy the “directly” requirement of the granting of coverage. See also Sol principle. Group. V. Ironshore Indem., Inc.., 944 F. 3d 886 (11e Cir. 2019); Ernst & Haas vs. Hiscox, Inc.., above.

Finally, in City of Unalaska v. Nat’l Union Fire Ins. Co., 2022 US Dist. LEXIS 51387 (D. Alaska Mar 18, 2022), the city’s accounts payable assistant received an email purportedly from one of the city’s regular vendors, requesting a copy of the ACH/EFT form from the city ​​to change its method of receiving payments for invoices from paper checks to ACH wire transfer payments. The email did not come from the City’s supplier but from a fraudster, but relying on it, the City made significant disbursements.

The City had an insurance policy with the National Union which included a computer fraud insurance agreement. This policy included subsidies for identity theft fraud as well as computer fraud. This latter grant stipulated that the National Union would pay for loss of money “resulting directly from the use of any computer to fraudulently cause a transfer”. [of money] inside [the company’s] premises to an outside person [the company’s] local…”

Following the Union Nationale’s partial denial of coverage, the City sued and the City filed a motion for summary judgment, while the Union Nationale filed a motion for judgment on the pleadings. Based on two unpublished Fifth Circuit decisions, Apache Corp. against Great Am. Ins. Co., 662 Fed. App’x 252 (5e Cir. 2016) and Mississippi Silicon Holdings, LLC v Axis Ins. Co., 843 Fed. App’x 581 (5e Cir. 2021), the National Union argued that the City’s loss was not covered by the Computer Fraud Grant because the use of a computer was not the “direct cause” of the loss. As the insurers of A m. Tools and Cincinnati Ins., The national union argued that the cover would only be triggered if “the fraudster’s use of a computer … directly brings[s] concerning the transfer of funds”.

The District granted the City’s motion and denied the National Union’s motion. In doing so, the Court ruled that the impostor’s email caused funds to be transferred from the City to the fraudster’s bank account. The Court noted that “the ubiquity of computer use does not alter the fact that a reasonable layman would consider the term ‘computer use’ to encompass a wide range of activities, including sending e-mails, rather than being limited to cases of computer hacking. ”.

Although the previous three cases found coverage for losses caused by people posing as a supplier to a business, the determining factor in all cases will be the wording of the policy itself. In policies defining “computer fraud” in the same way as the policies at issue in these cases, coverage will most likely be found in similar circumstances.