October 31, 2018 Articles

Is a Consensus Developing on Computer Fraud Coverage for Email Schemes?

As social engineering schemes have grown and evolved, so too has the body of case law addressing whether crime coverage policies provide coverage to insureds who fall victim to email fraud

by Laura J. Grabouski[1]

Cyber crime continues to be a growth industry. In 2017, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received 301,580 complaints with reported losses exceeding $1.4 billion.[2] Email-related fraud is significant, with phishing schemes ranked in the top three types of Internet crime along with nonpayment/non-delivery and personal data breach.[3] Business email compromise (BEC) schemes, however, continue to grow and evolve.[4] IC3 reports that, worldwide, BEC losses exceed $12 billion, having increased 136 percent between December 2016 and May 2018.[5]

Email schemes may involve direct hacking into a victim’s computer or social engineering techniques. In a common social engineering scenario, a company’s employee, relying on one or more emails appearing to be from a legitimate source, will cause funds to be transferred to a purported customer or vendor. In reality, the recipient is an imposter diverting the funds from the appropriate payee.

As social engineering schemes have grown and evolved, so too has the body of case law addressing whether crime coverage policies provide coverage to insureds who fall victim to email fraud. Multiple decisions have grappled with whether social engineering schemes constitute covered “computer fraud” under such policies. The issue is complex because such schemes typically involve some kind of human error, thus raising questions concerning whether the email was the proximate cause of an insured’s loss. While decisions are mixed, a number of recent cases have held in favor of coverage, leading to speculation of an emerging trend.

Recent Decisions

American Tooling Center, Inc. v. Travelers Casualty & Surety Co., 895 F.3d 455 (6th Cir. 2018). American Tooling Center, Inc. (ATC), a Michigan-based company, manufactures stamping dies for the automotive industry. ATC subcontracted work to a Chinese company, Shanghai YiFeng Automotive Die Manufacture Co., Ltd., which emailed invoices to ATC upon completion of phases of work.[6] ATC’s treasurer emailed a YiFeng employee, requesting all outstanding invoices. The email was intercepted by an unknown third party, who began impersonating YiFeng in emails exchanged with ATC.[7] The imposter first instructed ATC to wire funds to a different account because of an “audit.” After the first wire transfer, the imposter advised that the money had not been credited to the account “due to . . . new bank rules” and it would return the payment. The impersonator then requested that ATC wire payment to another account, which ATC did. The scam was repeated twice more before the real YiFeng requested payment, resulting in erroneous payments totaling $834,000.[8]

ATC sought coverage under a business insurance policy issued by Travelers with a subpart for computer crime, defined to include “computer fraud.” The district court granted summary judgment for Travelers,[9] but the Sixth Circuit reversed, holding that ATC suffered a “direct loss” “directly caused” by “computer fraud” as required by the policy.[10] The court also held that the three exclusions on which Travelers relied were inapplicable, primarily due to their specific wording and a narrow definition of “electronic data.”[11] Although instructive regarding the exclusions, the court’s analysis of the coverage grant may be more significant for future disputes.

First, to come within coverage, ATC had the burden to prove a “direct loss” of money. Travelers urged that there was no direct loss at the time of the money transfer because ATC was already obliged to pay the invoices and the loss was not suffered until after ATC discovered the fraud and paid YiFeng half of what was owed.[12] The court disagreed. Applying Michigan law, the court noted that “direct loss” in property insurance policies generally means proximate cause, distinguishing an “immediate cause” standard applicable to employee fidelity bonds.[13] Under either standard, however, the court held that ATC’s loss met the requirement of being a direct loss as illustrated by the following analogy:

Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex’s fingers. Travelers’ theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense.[14]

The court then addressed whether the email scheme constituted “computer fraud” where ATC’s treasurer accessed ATC’s computer system and input the new account information.[15] The court distinguished an unpublished decision by the Ninth Circuit, Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America,[16] on its facts without disagreeing with the general premise that “computer fraud” requires more than the use of a computer in a fraudulent transaction.[17] In Pestmaster, an authorized payroll vendor who had been granted access to the insured’s bank account diverted funds intended for tax liabilities.[18] Thus, the ATC court concluded that

everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer [in Pestmaster]. In contrast, here the impersonator sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator.[19]

Noting that the policy did not state that the fraud had to “cause any computer to do anything,” the court declined to impose an unstated limitation that would require hacking and similar behaviors.[20]

As for the requirement that the loss be “directly caused” by computer fraud, the court applied the proximate cause/immediate cause standard to hold that the loss was the unbroken result of the receipt of the fraudulent emails.[21] Citing Interactive Communications International, Inc. v. Great American Insurance Co.[22] as a “helpful counterpoint,” the ATC court examined the temporal connection between the use of a computer and the insured’s loss.[23] The court framed the issue in terms of when “the point of no return” occurred:[24]

ATC received the fraudulent email at step one. ATC employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two. This was “the point of no return,” because the loss occurred once ATC transferred the money in response to the fraudulent emails. Thus, the computer fraud “directly caused” ATC’s direct loss. [25]

The remainder of the opinion discusses three exclusions, one of which applies to “surrendering of Money . . . in any exchange,” which the court held to be ambiguous.[26] The other two exclusions hinged on the narrow definition of “Electronic Data,” which excludes “instructions or directions,” and by its terms did not apply to the company treasurer’s inputting of instructions for payment to be made to the wrong account.[27]

Immediately before ATC, the Second Circuit and Ninth Circuit issued the following opinions analyzing coverage for email schemes, with conflicting results.

Medidata Solutions, Inc. v. Federal Insurance Co., 729 F. App’x 117 (2d Cir. 2018). Although the Second Circuit’s ruling in Medidata—affirming an award of $5.8 million to the insured—was made by summary order, is without precedential effect and rests on specific facts involving spoofing-type fraud, the decision is nevertheless instructive with regard to how the court analyzed computer fraud coverage.

Medidata “provides cloud-based services to scientists conducting research in clinical trials.”[28] Medidata used Google for email communications. Emails sent to Medidata employees were routed through Google computer servers and processed and stored by Google. “During processing, Google compared an incoming email address with Medidata employee profiles in order to find a match” and, if found, Google “displayed the sender’s full name, email address, and picture in the ‘From’ field[.]”[29] Employees used company-owned computers to access their email.[30]

Medidata’s woe began when an employee in the accounts payable division received what purported to be an email from the company’s president with the president’s name, email address, and photo displayed. Several months earlier, employees had been told to anticipate a possible acquisition. The email advised that the company was close to finalizing an acquisition and the employee would be contacted by an attorney named Michael Meyer.[31] After a series of additional emails, some of which were sent to additional employees required to authorize the transfer, $4,770,226 was wired to a bank account provided by Meyer.[32] When the imposter attempted the scam again, another employee questioned the address in the “reply to” field, prompting the first employee to send an email to the president, which exposed the scheme.[33] Subsequent investigations “revealed that an unknown actor altered the emails that were sent to [the employees] to appear as if they were sent from Medidata’s president.”[34]

Medidata sought coverage under the Crime Coverage Section of its Executive Protection policy issued by Federal. The computer fraud provision provided coverage for “direct loss of Money . . . resulting from Computer Fraud committed by a Third Party.”[35] “Computer Fraud” was defined as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.”[36] The policy defined “Computer Violation” to mean either of the following:

the fraudulent: (a) entry of Data into . . . a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format . . . directed against an Organization.[37]

“Data” included any “representation of information.”[38]

At issue was whether spoofing—a practice whereby external emails are altered to make it appear as if they have been sent internally [39]—constituted a fraudulent entry of data or a change to data within Medidata’s computer system absent actual hacking of the system. Federal argued there had been no fraudulent entry of data into Metadata’s computer system because the emails had been sent to an inbox that was “open” “to the public” and, hence, any email was “authorized.”[40] With respect to whether the emails caused a “change to data elements” or “program logic of Medidata’s computer system,” Federal conceded that Gmail added the name and picture of Medidata’s president, but Federal argued that the fake email did not itself cause the changes.[41] Federal also argued that the emails did not directly cause Medidata’s loss because no loss would have occurred absent the employees’ actions.[42]

Affirming the district court’s decision, the Second Circuit determined that coverage under the policy was not limited solely to hacking-type intrusions, reasoning that the wrongdoers, through spoofing, were able to create a “computer-based attack that manipulated Medidata’s email system,” undisputedly a “computer system” as contemplated by the policy.[43] The court elaborated:

The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.[44]

The court distinguished Universal American Corp. v. National Union Fire Insurance Co.,[45] a decision applying New York law on which Federal relied. The spoofing conduct at issue in Medidata was not present in Universal, in which a health care insurer was defrauded as a result of health care providers entering claims for reimbursement for services that had not been provided.[46] The use of a computer in Universal was incidental to the fraud; in contrast, Medidata’s email system itself was compromised.[47]

The court also found that the loss was the “direct” or proximate cause of the computer violation.[48] The employees’ actions, without which the money would not have been transferred, were not an intervening cause where they occurred as part of a same-day transaction and were mistakenly believed to be in compliance with a directive from the company’s president.[49]

Decisions by the Ninth and Fifth Circuits, discussed below, however, weigh against a conclusion that there is a consensus in favor of coverage.

Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, 719 F. App’x 701 (9th Cir. 2018). Aqua Star involved both hacking and spoofing, although the insured was not the direct victim of the hacking attack. Rather, the perpetrator hacked into the computer of one of Aqua Star’s vendors; began monitoring the vendor’s email communications with the company; and then, using spoofing, sent emails to Aqua Star’s employees.[50] As is typical, the spoofed emails directed Aqua Star to change the account information for amounts due to be wire-transferred to the vendor.[51] The insured suffered a loss of $713,890 as a result of funds paid to the hacker.[52]

Affirming the district court’s grant of summary judgment in favor of Travelers, the Ninth Circuit did not decide whether the spoofing scheme constituted “computer fraud” because the policy excluded coverage for “authorized use.”[53] The exclusion specifically and, according to the Ninth Circuit, unambiguously excluded coverage for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the insured’s Computer System.”[54]

Although prompted to do so by duplicitous emails, the insured’s employees caused the loss to Aqua Star when they input data to change the vendor’s account information and sent the payments.[55] Because the employees were authorized both to input the data and send the funds, “[t]heir conduct fits squarely within the Exclusion.”[56] Notably, the court also rejected application of the efficient-proximate-cause rule on the basis that there was but a single “peril,” i.e., computer fraud.[57]

Apache Corp. v. Great American Insurance Co., 662 F. App’x 252 (5th Cir. 2016). In an unpublished decision applying Texas law, the Fifth Circuit also held in favor of the insurer in a coverage dispute arising out of a social engineering scheme. Apache, an oil-production company with international operations, fell victim to a scheme involving vendor payments like Aqua Star and ATC. The fraud ultimately involved email but began with a telephone call from a purported vendor, Petrofac, requesting an account change.[58] Apache instructed the “vendor” that a change request would not be honored without a formal request on letterhead. The imposter created a fake domain similar to the real domain name and sent an email confirming the change; an attached letter on Petrofac letterhead referenced both the old and new account numbers with instructions to use the new account. A week later, Apache transferred about $7 million to the fraudulent account. Upon learning of the fraud, Apache sought coverage under the “Computer Fraud” provision in a crime protection policy issued by Great American.[59]

Great American denied the claim, contending that Apache’s loss was caused by human error and not by use of a computer.[60] On appeal the Fifth Circuit sided with Great American, noting in the first line of the opinion that Apache had been the victim of criminal fraud but had also conducted a “flawed follow-up investigation.”[61] Noting the absence of controlling Texas authority, the court surveyed unpublished opinions in other circuits and lower court opinions, none of which had ruled—as of the time of the court’s opinion predating ATC and Medidata—that similar policy language for “computer fraud” covered non-hacking email communications.[62] According to the court, the email was merely an incidental part of the scheme and “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud.”[63]

Conclusion

The Fifth Circuit’s concern that the mere use of email could convert a vast amount of fraud into “computer fraud” is a reasonable one. The very fact that email is so ubiquitous in business communications, however, may explain the growing trend of email fraud, which persists even with increased awareness and warnings. Indeed, ATC and Medidata appear to indicate an implicit recognition of the way that email schemes are accomplished and the growing sophistication of social engineering itself. A fraudulent email may put into motion a chain of events from which there is “no return” even if the scheme is ultimately accomplished by an insured’s employee’s acts.

The cases also indicate, however, that there is a spectrum of causation. Relevant to the court’s analysis in Apache is the fact that the insured’s employee “invited” the email and then conducted a “multi-step, but flawed, process” that resulted in an “authorized” payment. Had the email come first, it could have been a more significant factor, although the court’s emphasis on the fact that the payment was “authorized” by the insured raises additional questions, as in Aqua Star.

In short, while ATC and Medidata are favorable for insureds, it is premature to conclude that a consensus has emerged with regard to coverage for social engineering schemes under crime coverage policies. Specific policy terms and specific facts will be highly probative of the outcome. Nonetheless, policyholder practitioners can point to the analyses and holdings in those decisions to argue in favor of coverage for spoofing schemes that may not be the direct result of a hack. On the other hand, carriers may focus on the proximity between a fraudulent email and the resulting loss, as well as policy exclusions. Given the rising threat of email schemes, cyber-crime coverage issues are likely to continue.

Laura J. Grabouski is a partner at Tully Rinckey PLLC in Austin, Texas.

[1] Laura J. Grabouski is a partner at Tully Rinckey PLLC in Austin, Texas, where she represents clients in insurance coverage disputes and extra-contractual litigation arising under commercial liability, property, and other policies.

[2] Federal Bureau of Investigation, Internet Crime Complaint Center, 2017 Internet Crime Report 3.

[3] 2017 Internet Crime Report 20.

[4] 2017 Internet Crime Report 12.

[5] See Federal Bureau of Investigation, Public Service Announcement, Business E-Mail Compromise[:] the 12 Billion Dollar Scam, Alert No. I-071218-PSA (July 12, 2018).

[6] Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co., 895 F.3d 455, 457 (6th Cir. 2018).

[7] American Tooling Center, 895 F.3d at 458.

[8] American Tooling Center, 895 F.3d at 457–58.

[9] American Tooling Center, 895 F.3d at 458.

[10] American Tooling Center, 895 F.3d at 463.

[11] American Tooling Center, 895 F.3d at 463–65.

[12] American Tooling Center, 895 F.3d at 459.

[13] American Tooling Center, 895 F.3d at 460.

[14] American Tooling Center, 895 F.3d at 461.

[15] American Tooling Center, 895 F.3d 461–62.

[16] Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016).

[17] American Tooling Center, 895 F.3d at 461.