(Article from Insurance Law Alert, July/August 2018)
For more information, please visit the Insurance Law Alert Resource Center.
The Second Circuit ruled that claims arising out of a fraudulent wire transfer are covered by a “computer fraud” provision in a policy. Medidata Solutions Inc. v. Federal Ins. Co., 2018 WL 333924 (2d Cir. July 6, 2018).
A Metidata employee received an email purportedly sent from the company’s president advising her to follow instructions to be received from an attorney regarding a potential corporate acquisition. That same day, a man who identified himself as an attorney called the employee and requested a wire transfer. The employee sought confirmation to make the transfer from Medidata’s executives. Thereafter, a purported email from Medidata’s president confirmed that the wire transfer should be made. On that basis, the wire transfer was made. It was later discovered that the emails were sent by imposters. Medidata sought coverage from Federal under provisions relating to computer fraud, funds transfer fraud and forgery. Federal denied coverage, and Medidata brought suit. A New York district court ruled that the policy provided coverage for the wire transfer losses pursuant to the computer fraud and funds transfer fraud provisions. Medidata Solutions, Inc. v. Federal Ins. Co., 2017 WL 3268529 (S.D.N.Y. July 21, 2017) (discussed in our July/August 2017 Alert). In a summary order, the Second Circuit affirmed, ruling that the underlying claims were encompassed by the computer fraud provision.
The computer fraud provision provides coverage for loss arising from the fraudulent entry of data into a computer system or change to data elements of a computer system. The Second Circuit held that coverage was implicated under this provision because the thief embedded a computer code in the spoofed emails to mask their true origin and thus violated the integrity of the computer system. The court distinguished Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA, 2015 WL 3885816 (N.Y. June 25, 2015) (discussed in our July/August 2015 Alert) on the basis that the fraud in that case was caused by an authorized user’s submission of fraudulent medical claims into the computer system, whereas the present case involved fraud caused by unauthorized access.
The Second Circuit further held that Medidata sustained a “direct loss” as a result of the spoofing incident, rejecting Federal’s assertion that the intervening actions by the Medidata employee in effectuating the wire transfer were sufficient to “sever the causal relationship between the spoofing attack and that losses incurred.”
The Sixth Circuit also recently ruled that claims arising out of wire transfers initiated by fraudulent emails were covered by a “computer fraud” policy provision. Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 2018 WL 3404708 (6th Cir. July 13, 2018).
ATC, a tool and die manufacturer, received a purported email from a vendor with whom ATC did business. The email in actuality was sent by an imposter using an email with a similar domain. The email instructed ATC to send invoice payments to a new bank account. In response, ATC wired approximately $800,000 to the account. ATC sought coverage for the loss from Travelers, which denied the claim. A Michigan district court ruled that Travelers owed no coverage, reasoning that ATC’s loss was not directly caused by the use of a computer because of intervening steps that occurred internally at ATC between receipt of the fraudulent email and the eventual transfer of funds. Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017) (discussed in our September 2017 Alert). The Sixth Circuit reversed.
Travelers’ policy covers the “direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” Computer Fraud is defined as “[t]he use of any computer to fraudulently cause a transfer” of money or other property to a third party. The Sixth Circuit ruled that ATC suffered a “direct loss” of funds when it transferred the money to the impersonator. The court rejected the argument that there was no direct loss because ATC contractually owed money to its vendor. In addition, the Sixth Circuit ruled that the impersonator’s conduct constituted “computer fraud” under the policy because the fraudulent emails and resulting wire transfer were implemented through the use of a computer. Finally, the court held that ATC’s loss was “directly caused” by computer fraud because the fraudulent email induced a series of internal actions that directly caused the transfer of money. The court distinguished Interactive Communications International, Inc. v. Great American Insurance Co., 2018 WL 2149769 (11th Cir. May 10, 2018) (discussed in our May 2018 Alert), in which the Eleventh Circuit held that losses did not “result directly” from use of a computer because Georgia law construes “directly” to mean immediately and because there were intervening steps and a delay between the computer fraud and financial loss.
As discussed in previous Alerts, other federal circuit courts have rejected policyholder attempts to obtain coverage for cyber-related losses under computer fraud and similar policy provisions. Such decisions largely turn on whether the factual record establishes a sufficient connection between computer use and the loss-causing event. See Taylor & Lieberman v. Fed. Ins. Corp., 2017 WL 929211 (9th Cir. Mar. 9, 2017) (coverage unavailable under computer fraud provision because sending an email, without more, does not constitute an unauthorized “entry into” a computer system) (discussed in our March 2017 Alert); Apache Corp. v. Great Am. Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016) (computer fraud provision does not cover claims arising out of the transfer of funds to criminal accounts because a fraudulent email was only one part of a chain of events that caused the loss, and the loss therefore was not caused “directly” by computer use) (discussed in our November 2016 Alert).