“Phishing” is a scheme in which criminals use spoofed e-mails, copycat websites, or other deceptive communications to trick unwitting companies or individuals into sharing valuable personal information or into wiring money to sham bank accounts.[1] As these schemes become unfortunately more common and sophisticated, companies are increasingly turning to their insurance policies to cover their monetary losses. However, many businesses that have purchased crime insurance to cover this type of “computer fraud” may not realize that e-mail-based thefts are not always covered. Businesses may reasonably assume that coverage exists under a crime insurance policy covering computer fraud because the loss is computer related, but insurance companies will likely insist on proof of a direct causal relationship between the computer fraud and the loss of funds before providing coverage.
The American Tooling case is the most recent pronouncement from the courts on “computer fraud” coverage. On July 13, the United States Court of Appeals for the Sixth Circuit ruled in favor of the policyholder and reversed the Michigan district court’s grant of summary judgment to Travelers Casualty and Surety Company of America. Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 17-2014, 2018 WL 3404708, — F.3d. — (6th Cir. July 13, 2018).
After receiving spoofed e-mails that appeared to be from one of its vendors, the policyholder American Tooling Center (“ATC”) wired $834,000 to a criminal’s bank account. When ATC received the fraudulent e-mails, ATC verified that certain production milestones had been met, then authorized payment to a new bank account specified in the fraudulent e-mails. ATC did not attempt to independently verify the bank account change with the vendor. When the real vendor demanded payment, ATC realized that it had wired the money to an imposter. ATC then paid the vendor approximately 50 percent of the outstanding debt and promised the remaining amount contingent on recovery from its insurance claim.
Based on the language of the crime insurance policy’s computer fraud provision, Travelers denied coverage, contending that ATC did not suffer a “direct loss” that was “directly caused” by “the use of any computer.” In ATC’s suit against Travelers in the U.S. District Court for the Eastern District of Michigan, the trial court held that the fraudulent e-mails did not “directly” or immediately cause the transfer of funds from ATC’s bank account. Rather, there were “intervening events” between ATC’s receipt of the fraudulent e-mails and the transfer of funds, including ATC verifying production milestones and initiating the transfers without verifying bank account information.
On appeal, Travelers again argued that the loss was indirect. It contended that the loss did not arise when ATC paid the impersonator—because ATC had already contracted with the vendor to pay that amount of money for the product it had received—but instead the loss arose later, after the fraud was discovered, when ATC agreed to pay the vendor half of the money still owed. Reversing the district court’s entry of judgment in Traveler’s favor, the Sixth Circuit found that “[t]his interpretation defies common sense.” Am. Tooling Ctr., 2018 WL 3404708, at *4. Despite Travelers’ argument to the contrary, the fact that ATC contractually owed that money to the vendor and the two parties subsequently agreed to share the loss had no bearing on whether ATC directly suffered this loss. The Court compared the situation to a hypothetical one in which “Alex” owes “Blair” five dollars and before Alex can hand over the five-dollar bill, “Casey” runs by and “snatches the bill from Alex’s fingers.” Travelers’ theory “would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill.” Id. at *4.
The appellate decision in American Tooling was issued only a few days after a similar decision from the United States Court of Appeals for the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492, — Fed. Appx. —, 2018 WL 3339245 (2d Cir. July 6, 2018). As described more fully in the lower court’s decision, a thief obtained a $4.8 million wire transfer from the insured company Medidata’s bank account through a series of spoofed e-mails in which the thief sent e-mails that appeared to be from Medidata’s president. The e-mails requested Medidata employees’ attention to a purported acquisition for which the president supposedly required funds. See Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 473-74 (S.D.N.Y. 2017).
On July 6, the Second Circuit affirmed the district court’s judgment in favor of Medidata. Despite Federal’s argument that Medidata did not suffer a “direct loss,” the Court found that the term “direct” under New York law requires only “proximate” cause, or a chain of events initiated by the spoofed e-mails. The Court declined to find that an intervening event “severed” the causal chain simply because the employees themselves had to take action to effectuate the transfer. Medidata Sols. Inc., 2018 WL 3339245, at *2.
American Tooling and Medidata are just two of several recent decisions determining insurance coverage for phishing, in which the courts engaged in extensive discussion of the precise meaning of the term “direct” in the insurance policy at issue. Although the recent appellate rulings have applied a common-sense definition of the term “direct,” some courts, such as the District Court in American Tooling, have found that a computer-related loss was not “directly caused” by a phishing scam. Due to the importance of the precise policy language and its interpretation, policyholders should carefully review their crime policies and seek to negotiate more expansive, and express, coverage if possible. Several insurers now offer explicit “social engineering” or “phishing” coverage endorsements to address this type of loss. Policyholders should carefully review the wording of such endorsements and any applicable sublimits, and request changes if necessary.
[1] See, e.g., https://www.consumer.ftc.gov/articles/0003-phishing (Federal Trade Commission).