April 28, 2017 Articles

When It Comes to Coverage for Cyber Crime Losses, Is Your Loss “Direct” Enough?

by P. Wesley Lambert

For policyholders making insurance claims for losses arising from cybercrimes, recent court decisions show that the availability of coverage will likely turn on the way in which the crime was committed and, more specifically, on how “directly related” the use of a computer was to the policyholder’s loss.

Compare, for example, two recent decisions: Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., No. 15-cv-4130, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016) and Apache Corp. v. Great American Insurance Co., 662 Fed.Appx. 252 (5th Cir. 2016), both of which involved questions of coverage for cybercrime losses but ended in very different results for the policyholder. In Principle Solutions, an employee of the policyholder received a fraudulent email from a cybercriminal posing as one of the company’s executives and directing the employee to discreetly wire funds to an account for a non-existent corporate acquisition. The employee subsequently received phone calls from an individual posing as the company’s attorney who coaxed the employee into wiring $1.7 million to a fraudulent account. Id. at **1-2.

Principle pursued coverage under its commercial crime policy, which covered losses “resulting directly” from fraudulent instructions to a financial institution. Id. at *2. Ironshore argued that the loss did not result “directly” from the fraudulent email because the crime required additional actions by the company employee such as communicating with the financial institution, and because the employee voluntarily initiated and completed the wire transfer. Id. at *4. The district court found both parties’ interpretations of “resulting directly from” to be reasonable and, thus, that the provision was ambiguous. The court was therefore compelled to adopt the policyholder’s interpretation, resulting in coverage even though there arguably were intervening events between the fraud and the ultimate loss. Id. at *5.

It is interesting, then, to note that the Principle Solutions court relied in part upon a lower court decision in Apache Corp. v. Great American Insurance Co., Civil Action No. 4:14-CV-237, 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015) to find in the policyholder’s favor. The Apache decision was ultimately reversed by the Fifth Circuit Court of Appeals late last year based upon the Fifth Circuit’s opinion that an insufficient nexus existed between the use of a computer and the policyholder’s loss. The crime at issue in Apache originated from a telephone call placed to an employee in Apache’s accounts payable department by someone posing as a representative from one of Apache’s vendors. The caller directed Apache’s employee to change the bank account information for all future payments made by Apache to the vendor. Apache’s employee replied that the information could not be changed without a written request on company letterhead. Apache’s employee then received an email from a spoofed email address that closely resembled the vendor’s email domain name, referring to the email and attaching a letter, ostensibly on the vendor’s letterhead, directing the change in payment information. Apache’s employee called the number on the letterhead—which had been altered to direct the call to the criminal’s phone—and was satisfied enough with the response that the vendor’s payment information was changed. The loss was discovered by Apache one month later when the vendor contacted Apache to inquire as to the status of its payments.

Similar to the policy language in Principle Solutions, Apache’s computer fraud coverage applied only to losses “resulting directly” from the use of any computer to cause a fraudulent transfer. Relying upon this language, the Fifth Circuit adopted the insurer’s position that the “computer use” deployed in furtherance of this particular scheme was insufficient to implicate the policy’s computer fraud coverage. “The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.” Apache Corp., 662 Fed. Appx. at 258. The court noted that the fraudulent email was sent only after Apache's employee advised, in response to the scammer’s telephone call, that the request had to be made on the vendor’s letterhead. “Accordingly, the computer-use was in response to Apache's refusing, during the telephone call, to, for example, transcribe the change-request, which it could have then investigated with its records.” Id. at 259.

The crimes discussed in Apache and Principle Solutions can be compared to the more traditional computer-related crime committed in State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016), in which the Eighth Circuit Court of Appeals affirmed a decision favoring the policyholder victimized by a hacker who gained access to a computer used to effectuate wire transfers. An investigation into the loss revealed that the compromised computer had been infected with a virus that, at the opportune time, permitted unauthorized access to the infected computer for the hacker to effectuate the unauthorized wire transfers. The Eighth Circuit rejected the insurer’s argument that the overriding cause of the loss was an employee’s failure to adhere to security protocols or take reasonable steps to protect the computer. Rather, the Eighth Circuit found that the unlawful computer hacking by a third party was the “efficient proximate cause” of the policyholder’s loss. The Eighth Circuit noted that, even if the employee’s negligent actions “played an essential role” in the loss and created a risk of intrusion into the bank’s computer system, “the intrusion and the ensuing loss of bank funds was not ‘certain’ or inevitable. The ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.” Id. at 461.

Keywords: cyber; fraud; insurance; directly; crime

P. Wesley Lambert is with Brouse McDowell, Akron, Ohio.

 

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).