Social Engineering: Explaining the Uptick in Events … · 2012-04-18 · Claim under Commercial Crime policy including coverage for Computer and Funds Transfer Fraud.

Coverage Rulings On Claims Involving Business Email Compromise

Laura A. Foggan
Crowell & Moring LLP
[email protected]

202-624-2774

Social Engineering: Explaining the Uptick in Events, Coverage Options, and Practical Solutions to Preventing Attacks


• Crime policy defined computer fraud as the “use of any computer to fraudulently cause a transfer of Money.”

• The policyholder, a Connecticut law firm, was asked by email to receive and deposit a check from a debtor, deduct a fee for collecting the payment, and write a check for the remainder to the fraudster’s client. After following these instructions, the policyholder was held responsible by its bank for the entire amount, because the check was found to be fraudulent.

Continued . . .

Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV-09-5024601-S, 2011 WL 3200296 (Conn. Super. Ct. June 24, 2011), vacated, No. CV-09-5024601-S, 2012 WL 12246940 (Conn. Super. Ct. Apr. 18, 2012).


• Insurer argued that “computer fraud” required that a transfer occur “by way of a computer ‘hacking’ incident, such as the manipulation of numbers or events through the use of a computer . . .”

• The court initially held that “the policy is ambiguous as to the amount of computer usage necessary to constitute computer fraud” and the ambiguity must be resolved in favor of coverage. It emphasized that the imposters “communicated with the plaintiff by an e-mail and the fraudulent check may have been created by the use of a computer. . .”

• However, the trial court vacated its ruling several months later, presumably in connection with a settlement of the matter.

Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am. (continued)


• “Computer Systems Fraud” policy covered “[l]oss resulting directly from a fraudulent … entry of Electronic Data.”

• The policyholder, a health insurer, suffered $18 million in losses from fraudulent claims entered into its computer system by providers.

• The court held that: “Nothing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e. to submit claims, but where the claims themselves were fraudulent.”

• Although not a social engineering case per se, the decision recognized a key proposition for such cases, i.e., that coverage for a “fraudulent . . . entry” of data was dependent on an action by an unauthorized user.

Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA (N.Y. Sup. Ct. 2013)


• Claim under crime policy covering “loss . . . resulting directly from [computer fraud].”

• A person claiming to be a vendor who wanted to change the account for future payments called the policyholder. The employee notified the caller that such requests must be made in writing on company letterhead; a few days later the policyholder received an email with a letter appearing to be on the vendor’s letterhead requesting the changes. Another employee called the number on the letterhead to verify the request and then changed where future payments would be sent. More than $24 million was sent to the fraudulent account.

Continued . . .

Apache Corp. v. Great Am. Ins. Co., --- F. App’x ---, 2016 WL 6090901 (5th Cir. Oct. 18, 2016) (unpublished).


• The insurer contended that the human intervention that took place between the fraudulent email that was received and the loss meant that the “resulting directly from [computer fraud]” requirement was not met.

• Fifth Circuit surveyed decisions interpreting computer fraud policy language and agreed that “there is cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use.”

Apache Corp. v. Great Am. Ins. Co. (continued)


• Claim under Commercial Crime policy including coverage for “Computer and Funds Transfer Fraud.”

• The controller of the policyholder, a technology consulting firm, received an email purportedly from one of the firm’s managing directors, instructing her to issue a wire transfer that day. She later received the anticipated wire instructions by email, logged into the online account, and initiated the transfer. The bank’s fraud prevention unit called for more information, and she called the imposter, who stated that he had received the instructions from the policyholder’s managing director. She relayed this to the bank, which then made the transfer.

Continued . . .

Principle Solutions Group, LLC v. Ironshore Indem., Inc. (N.D. Ga. 2016).


• Citing the Apache trial court ruling, the court issued an initial ruling finding ambiguity in the policy terms in response to the parties’ dispute over whether the loss “resulted directly from the fraudulent email that appeared to have been sent by” the managing director.

• A motion for reconsideration urged that a covered loss must arise from a fraudulent instruction sent directly to the bank, and while the motion was pending, Apache was reversed on appeal. A motion to supplement the motion for reconsideration is pending.

Principle Solutions Group, LLC v. Ironshore Indem., Inc. (continued)


• Computer fraud coverage excluded “loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”

• A hacker compromised a vendor’s computer and accessed email traffic between the policyholder and its vendor, then used the information learned to impersonate the vendor in an email to the policyholder directing the change of bank account information for future payments to the vendor.

• The insurer argued, and the court held, that the exclusion was triggered because the policyholder’s employee was authorized to input the account data into the company’s computer system. As such, the loss resulted indirectly from the employee’s input of the data.

• The case is on appeal to the Ninth Circuit.

Aqua Star (USA) Corp. v. Travelers Cas. and Sur. Co. of Am. (W.D. Wash. 2016)


• Claim under a financial institution bond, which covered losses from forgery and computer system fraud, among other risks.

• A bank employee logged on to her work computer using her token, password, and passphrase. At the end of the day, the employee left work without removing her token or properly logging off the computer. Two unauthorized wire transfers were then made from the bank’s account to two accounts as a result of malware inserted by a computer hacker who made the transfers from the system that was left logged on overnight.

Continued . . .

State Bank of Bellingham v. BancInsure, Inc. (8th Cir. 2016)


• Conceding the policy covered hacking events, the insurer argued that the fraudulent hacking of the computer system by a criminal third party was not the overriding, or efficient and proximate, cause of the loss. But the court held that “an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.” Those actions created a risk of intrusion, but the intrusion and the ensuing loss of bank funds was not certain or inevitable. The court affirmed that the hacking was the overriding cause.

• Case is not a social engineering case per se, but it provides guidance on the cause of loss analysis that is important in many of the business email compromise cases.

State Bank of Bellingham v. BancInsure, Inc. (continued)


• Claim under a crime policy with Funds Transfer Fraud and Computer Crime coverage. The policyholder hired a payroll services company to pay salaries and payroll taxes, but the company debited the funds and fraudulently failed to pay the taxes.

• Court held the Fund Transfer Fraud provision did not cover losses arising from authorized electronic transactions even if they are, or may be, associated with a fraudulent scheme. Also, the Computer Crime coverage did not apply where there was no unauthorized use of the policyholder’s computer; the payroll company was not a hacker or intruder. The case was remanded to consider coverage for certain funds transfers that the policyholder alleged were unauthorized.

Continued . . .

Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332, 333 (9th Cir. 2016).


• Court recognized that, given near-universal use of computers, it would be contrary to the parties’ intent and reasonable expectations to read Computer Crime provisions “to cover all transfers that involve both a computer and fraud at some point in the transaction.” To do so would convert the policy “into a ‘General Fraud’ Policy.”

Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am. (continued)


• Claim under Computer Fraud Insuring Agreement for loss resulting from payroll services company’s use of a computer to transfer money fraudulently from policyholder’s account to itself.

• Coverage did not apply to loss from the dishonest acts of any authorized representative of the policyholder. Even if fraudulently induced to do so, the policyholder had authorized the payroll services company to act on its behalf, including by debiting its accounts.

• Again, not a social engineering case per se, but it stands for the proposition that a transfer by an authorized person was not covered.

Continued . . .

S. Cal. Counseling Ctr. v. Great Am. Ins. Co., --- F. App’x ---, 2016 WL 3545350 (9th Cir. June 28, 2016).


• Court recognized that the function of the exclusion in the policy is “to place the onus of vetting the individuals and entities whom the insured engages to stand in its shoes – and thus the risk of loss stemming from their conduct – squarely on the insured.”

S. Cal. Counseling Ctr. v. Great Am. Ins. Co. (continued)


• Claims under the forgery, computer fraud, and funds transfer clauses of the policy. An imposter fraudulently took control of a client’s email account and sent wire payment instructions to an employee of the policyholder, an accounting firm. The employee twice initiated a funds transfer from the client’s account before recognizing the fraud when a third fraudulent instruction was sent.

• The trial court held that coverage for each clause turned on language in the policy requiring “direct loss sustained by an Insured” and that “Plaintiff is attempting to recover for a third-party loss.”

• Affirmed on alternative grounds, including a finding that sending an email does not constitute unauthorized entry into a computer system under the computer fraud coverage.

Taylor & Lieberman v. Fed. Ins. Co. (Mar. 9, 2017) (unpublished)


Key issues include:

• Authorized user

• Direct loss sustained by an insured

• Resulting directly [or indirectly] from

• Cause of loss analysis

• What, precisely, does the policy say?

Conclusion: Coverage Rulings On Claims Involving Business Email Compromise