February 02, 2018 Articles

Phishing for Fidelity Coverage

Coverage claims under the “computer fraud” rider in fidelity policies for certain types of scam have met with mixed results

by John Pitblado

“Business email compromise” and other “social engineering” schemes have garnered increasing headlines as the scams become more sophisticated and the losses pile up. Coverage claims under the “computer fraud” rider in fidelity policies for these losses have met with mixed results, leaving some policyholders holding the bag for significant losses and pushing insurers to revamp their products.

A Brief History of Financial Tech

The financial services industry has long been at the forefront of technological advances in commerce. In the 1950s, Bank of America commissioned a consortium of Stanford scientists to develop an “electronic brain” to count checks. ERMA (Electronic Recording Machine, Accounting), as it was called, was a prototypical “computer.”[1]

Among other notable advances, this led to numerical bank account numbers (avoiding the problem of the old alphabetical by-name lists to which new customers were added and which had to be reshuffled with every new name) and magnetic ink character recognition (MICR), the readily recognizable font used for the numbering found on checks.[2]

Financial institutions were also at the forefront of computerizing sales transactions. In the late 1960s and 1970s, Bank of America’s National BankAmericard (later, Visa) and a consortium of competing banks called the Interbank Card Association (later, Mastercard) began competing over the nascent “credit card” sales industry.[3] That competition quickly led to the development of real-time credit account checks through phone lines, the development of automated teller machines,[4] and, eventually, electronic point-of-sale technology.[5]

First the Computer, Then Computer Fraud

It should not be surprising that banks and other financial institutions were also at the forefront when it came to targets for computer fraud and hacking. And their insurers were close behind in their own responses to these new threats.

Financial institution bonds, or “fidelity” bonds, were developed a century or so ago to protect banks and other financial institutions from theft and fraud. These policies (called commercial crime policies when written for non-banking entities) have not changed much from their original form, but insurers have responded to new risks by adding riders. One such rider is the “computer systems” rider, which has been in use since at least the mid-1990s.[6]

Typically, the “computer systems” rider is worded to require “fraudulent . . . change” to the insured’s computer network or data. Courts have generally interpreted this language to require that the “change” be unauthorized in some fashion, generally meaning perpetrated by an unauthorized user. To wit, in Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, Pa., New York’s high court found no coverage under a computer systems fraud rider for a Medicare fraud scheme that was perpetrated by a health care provider using an electronic payment system submitted through his company’s computer network.[7] In that case, the court concluded that the rider was not meant to cover any fraud committed by an authorized user of a computer; rather, it was meant to cover “losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be ‘hacking’ of the computer system.”[8]

Consistent with this analysis, the U.S. Court of Appeals for the Eighth Circuit held, in a coverage dispute between a bank and its insurer, that a direct hack of the insured bank’s computer network by an unauthorized (and unknown) user that resulted in the wiring of funds to a foreign account set up by the hacker was covered under the “computer fraud” rider of its financial institution bond.[9]

A Direct Hack as Distinct from Social Engineering

While the foregoing appellate cases provided some guidance, neither involved the type of scheme that has become so prominent in the news and for which losses have been rising sharply, namely, “business email compromise” (BEC) or “social engineering” schemes. According to recent Federal Bureau of Investigation (FBI) data, losses from these schemes have grown over 1300 percent since early 2015 and, as of a recent tally, have totaled over $3 billion.[10]

Under these schemes, perpetrators trick company employees into believing that they have received instructions from a superior, often a high-ranking officer such as a chief financial officer or chief executive officer, to change wiring information to vendors or other trusted recipients, who then appear to corroborate the instructions. A common method of perpetrating the fraud involves the company’s business email system. As the FBI explains, these schemes are becoming increasingly sophisticated:

At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.

Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.[11]

These schemes often involve, but don’t typically rely exclusively on, the use of email. And this facet of the scheme is at the heart of the coverage issues with which courts have struggled over the last couple of years.

Round One: District Courts Take a Crack

One of the first cases to address the issue was a federal district court case out of Texas, which analyzed whether such a scheme came within the purview of a commercial crime policy’s computer fraud provision. In that case, Apache Corp. v. Great American Insurance Co.,[12] the court addressed a now-familiar scheme: An employee of the insured corporation was duped by a phone call purporting to be from a vendor, requesting that the vendor’s wiring instructions be changed to a new bank account. The employee asked that the requested change be sent in writing on the vendor’s letterhead. The fraudster then created letterhead, by cutting and pasting the vendor’s logo off its website, and sent a scanned copy of the signed letter via an email that appeared to be from the vendor’s domain but was not. Another employee, upon being forwarded the written “verification,” then called the number on the letterhead (which was fraudulent) and, upon receiving confirmation of the change, re-routed the vendor’s payments to a fraudulent account. The insured suffered $2.4 million in losses before the scheme was detected.[13] The district court held that the loss was covered because the fraudster’s scheme was perpetrated, in part, through the insured’s computer network, insofar as it involved email.[14]

The decision was later cited favorably in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., a similar federal district court case in Georgia.[15] In Principle Solutions, the insured suffered a $1.7 million loss from a similar BEC scheme, and the district court likewise held it was covered under a computer systems fraud rider.[16]

Round Two: The Circuit Courts Step In

But just as soon as it looked like the Texas decision was gaining traction, the Ninth Circuit Court of Appeals vacated a similar decision from a California federal district court. In Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America, the Ninth Circuit found no coverage for losses from a BEC scheme under a computer systems fraud rider.[17] The Ninth Circuit reasoned as follows:

The Policy defines Computer Fraud as “[t]he use of any computer to fraudulently cause a transfer. . . .” Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a “General Fraud” Policy. While [the insurer] could have drafted this language more narrowly, we believe protection against all fraud is not what was intended by this provision, and not what [the policyholder] could reasonably have expected this provision to cover.[18]

Citing the Ninth Circuit’s Pestmaster decision, the Fifth Circuit followed suit and reversed the Texas district court ruling in Apache and held that coverage did not apply.[19] Like the Ninth Circuit, the Fifth Circuit pointed out the ubiquity of electronic communication: “[W]hen the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between ‘computer’ and ‘telephone’ was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.”[20]

Unsurprisingly, the Fifth Circuit’s Apache decision was cited by the insurer in a motion for reconsideration in the Georgia Principle Solutions case and was cited by the insurer in a similar case that was pending at the time in New York federal court.[21] In the meantime, the Ninth Circuit reaffirmed its position in Pestmaster in another case, Taylor & Lieberman v. Federal Insurance Co., affirming an order that had concluded there was no coverage for a social engineering loss.[22]

Bucking the Trend

A trio of federal district court decisions handed down since the Pestmaster, Apache, and Taylor & Lieberman appellate rulings demonstrates that the issue is hardly settled. In American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, a Michigan federal district court followed the Fifth and Ninth Circuits’ guidance, holding there was no coverage under the computer fraud provision of a fidelity policy for a scheme in which the insured’s vice president received instructions to change the wiring of payment for legitimate invoices to a new bank account.[23] The email address reflected the domain name as “yifeng-rnould,” but the correct domain name for the vendor’s email was “yifeng-mould.”[24] (In most fonts the letter pair “rn” is nearly indistinguishable from “m,” which is why such lookalike domains pass a casual glance.) The policyholder has appealed that decision to the U.S. Court of Appeals for the Sixth Circuit.
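The American Tooling substitution of “rn” for “m” is the kind of thing a person misses and a machine does not. The following is an added example, not code from the article, from any court record, or from any vendor: it normalizes character runs that render alike in common fonts, folds in a few Cyrillic letters that are visually identical to Latin ones, and compares the sender domain of a From: header against a list of trusted vendor domains. The trusted-vendor list and the sample header values are constructed for the example; the one using “yifeng-rnould” mirrors the substitution described above.

```python
"""Lookalike-domain screening for payment-instruction emails (added example)."""
import unicodedata
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Runs that look like another character in common fonts, multi-character
# pairs first. Both sides of every comparison are normalised the same way,
# so the table only has to be consistent, not exhaustive.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("\u0430", "a"),  # Cyrillic а
    ("\u0435", "e"),  # Cyrillic е
    ("\u043e", "o"),  # Cyrillic о
    ("\u0440", "p"),  # Cyrillic р
    ("\u0441", "c"),  # Cyrillic с
    ("\u0445", "x"),  # Cyrillic х
]


def normalize_domain(domain: str) -> str:
    """Return a canonical form in which lookalike domains collide."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:  # IDNA-encoded label: decode to Unicode first
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # Drop accents and other combining marks before the confusable folding.
    decomposed = unicodedata.normalize("NFKD", domain)
    domain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header value such as 'Name <u@d>'."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def classify_sender(header_value: str, trusted: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched trusted domain or None).

    "trusted": exact match or genuine subdomain of a trusted domain.
    "lookalike": matches a trusted domain only after normalisation, or uses a
    trusted name as a decoy label under some other registrable domain.
    "unknown": no relation to the trusted list.
    """
    domain = sender_domain(header_value)
    if not domain:
        return ("unknown", None)
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    norm = normalize_domain(domain)
    for t in trusted:
        t_norm = normalize_domain(t)
        if norm == t_norm or norm.endswith("." + t_norm):
            return ("lookalike", t)
        if norm.startswith(t_norm + ".") or ("." + t_norm + ".") in norm:
            return ("lookalike", t)  # e.g. vendor.com.invoice-portal.example
    return ("unknown", None)


# Constructed trusted-vendor list and From: header values for the example.
TRUSTED_VENDORS = ["yifeng-mould.com", "acme-supplies.example"]
SAMPLE_SENDERS = [
    "Accounts <accounts@yifeng-mould.com>",
    "Accounts <accounts@yifeng-rnould.com>",          # rn for m
    "Accounts <accounts@yifeng-m\u043euld.com>",      # Cyrillic o
    "Billing <ar@yifeng-mould.com.invoice-portal.example>",
    "Billing <ar@mail.acme-supplies.example>",
    "Unknown <ceo@webmail.example>",
]


def screen(senders: List[str], trusted: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each sender; returns (header value, verdict, matched domain)."""
    return [(s,) + classify_sender(s, trusted) for s in senders]


if __name__ == "__main__":
    for sender, verdict, match in screen(SAMPLE_SENDERS, TRUSTED_VENDORS):
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {sender}{note}")
```

A “lookalike” verdict is a reason to route the message to the verification step the scheme is designed to skip: a call to the vendor on a number already on file, never one taken from the message. The check is deliberately cheap and deterministic so it can sit in a mail gateway or a payment-change workflow without a model or a network call.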

Meanwhile, the Georgia district court in Principle Solutions and a New York district court in Medidata Solutions, Inc. v. Federal Insurance Co. made dispositive rulings that are now also on appeal to the Eleventh and Second Circuits, respectively.[25]

In Georgia, the court addressed coverage for a scheme in which the insured’s controller received an email from someone purporting to be one of the insured’s managing directors, which appeared to be sent from his corporate email address.[26] The email referenced a company acquisition and instructed the controller to work with an attorney to wire the requisite payment. The controller later received an email from someone purporting to be the attorney, who provided the wire instructions. The attorney also called the controller and said he had approval from the insured’s director to complete the wire transfer. The controller then instructed another employee to create the wire transfer and approved it, resulting in a $1.717 million loss.[27] The court found coverage under the insured’s commercial crime policy, citing the “Computer and Funds Transfer Fraud” provisions and distinguishing Apache and Pestmaster, both of which the insurer cited.[28] The insurer appealed, and the case is pending before the Eleventh Circuit.

Likewise, a New York federal district court found coverage for a $4.7 million loss sustained in a similar scheme. In Medidata Solutions, Inc. v. Federal Insurance Co., an employee of the insured received an email purportedly from the insured’s president, stating that they were close to finalizing an acquisition and that an attorney would contact the employee to discuss.[29] The employee received a call from someone purporting to be the attorney. The attorney directed a wire transfer, and the employee told the attorney she needed an email from the insured’s president requesting a wire transfer and approval from the insured’s vice president and director of revenue. The employee, vice president, and director of revenue thereafter received an email purportedly from the insured’s president requesting that they sign off on the transfer; notably, the email showed the president’s email address and his picture. The employee submitted the wire for approval, and the vice president and director of revenue signed off on the transaction.[30]

The court took a very hard look at the question of whether this fit the definition of a computer violation, which was defined as the “fraudulent: (a) entry of Data into . . . a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format . . . directed against an Organization.”[31] After summary judgment briefing was completed, the court ordered further briefing with expert reports regarding the precise mechanics of the scheme. The court asked the parties to focus on the precise process that allowed the mock email to appear as though it was generated internally, particularly given that it included the president’s picture, and whether the process required changes to data elements in the insured’s computer system. The court held that it did require such changes and that the loss was therefore covered.[32] The insurer subsequently filed a notice of appeal to the Second Circuit.

Will the Circuit Courts Strike Back?

So the focus now shifts back to the circuit courts, with cases pending in the Second, Sixth, and Eleventh Circuits.[33] The cases are all similar on their facts to those already decided in the Fifth and Ninth Circuits, representing fairly typical, sophisticated social engineering schemes of the type warned about by the FBI. And there is no sign that the losses are stopping or even slowing. But to date, policyholders in California and Texas have been left with significant uninsured losses and with significant coverage counsel fees on top of those losses.

For their part, insurers are rightfully worried about one or more of the current appeals contradicting current precedent and creating a circuit-by-circuit (or, worse yet, state-by-state) patchwork of coverage law on the issue. In response, some insurers are proactively altering their products. Indeed, the insurer appealing the Georgia decision in the Eleventh Circuit pointed out in the district court proceedings that, at the time of the purchase of the policy at issue in the litigation, the insurer offered separately available coverage designed specifically to address schemes precisely like those at issue and which differed in material ways from the relevant “computer systems” fraud coverage at issue in the litigation.[34] Other insurers are similarly addressing BEC and social engineering schemes with specialized coverage.

Still, under typical current policy forms, the field of play is very much in flux, and coverage practitioners on both sides of the issue should familiarize themselves with the relevant decisions in their forum, as it is increasingly likely that their clients, large and small, will be suffering increasingly expensive social engineering losses.

John Pitblado is a shareholder with Carlton Fields Jorden Burt PA in Hartford, Connecticut.


[1] Stanford Research Inst., Banking Automation: ERMA.

[2] Troy Grp., Inc., MICR Basics Handbook, at 1-1 (Oct. 8, 2004).

[3] See, e.g., BankofAmerica.com, Introducing the Modern Credit Card; Mastercard, Key Milestones.

[4] Wikipedia, Automated Teller Machine.

[5] Vendhq.com, The History of Point of Sale (POS).

[6] See, e.g., Hudson United Bank v. Progressive Cas. Ins. Co., 152 F. Supp. 2d 751, 754 (E.D. Pa. 2001) (addressing coverage for 1997 auto insurance financing fraud scheme under provision covering “fraudulent . . . change of Electronic Data or Computer program with any Computer System operated by the Insured”).

[7] Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 37 N.E.3d 78, 81 (N.Y. 2015).

[8] Universal American, 37 N.E.3d at 81.

[9] State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016).

[10] Fed. Bureau of Investigation, “Business E-Mail Compromise: Cyber-Enabled Financial Fraud on the Rise Globally,” Feb. 27, 2017 [hereinafter FBI Business E-Mail Compromise News].

[11] FBI Business E-Mail Compromise News.

[12] Apache Corp. v. Great Am. Ins. Co. (Apache I), No. 4:14-CV-237, 2015 U.S. Dist. LEXIS 161683 (S.D. Tex. Aug. 7, 2015).

[13] Apache I, 2015 U.S. Dist. LEXIS 161683, at *2–3.

[14] Apache I, 2015 U.S. Dist. LEXIS 161683, at *7–8.

[15] Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, slip op. at 12 (N.D. Ga. Aug. 30, 2016).

[16] Principle Solutions, No. 1:15-CV-4130-RWS, slip op. at 2–4, 12–13.

[17] Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. July 29, 2016).

[18] Pestmaster Services, 656 F. App’x at 333.

[19] Apache Corp. v. Great Am. Ins. Co. (Apache II), 662 F. App’x 252 (5th Cir. Oct. 18, 2016).

[20] Apache II, 662 F. App’x at 258.

[21] Notice of Supplemental Authority, Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS (N.D. Ga. Oct. 31, 2016), ECF No. 64; Notice of Supplemental Authority, Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-CV-00907 (S.D.N.Y. Oct. 18, 2016), ECF No. 76.

[22] Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017).

[23] Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 5:16-cv-12108-JCP, 2017 U.S. Dist. LEXIS 120473, at *1–3 (E.D. Mich. Aug. 1, 2017).

[24] American Tooling, 2017 U.S. Dist. LEXIS 120473, at *2.

[25] Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, slip op. (N.D. Ga. Aug. 30, 2016), appeal filed, No. 17-11703 (11th Cir. Apr. 13, 2017); Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-cv-907 (ALC), 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017), appeal filed, No. 17-2492 (2d Cir. Aug. 11, 2017).

[26] Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, slip op. at 1–2 (N.D. Ga. Mar. 29, 2017).

[27] Principle Solutions, No. 1:15-CV-4130-RWS, slip op. at 2–4.

[28] Principle Solutions, No. 1:15-CV-4130-RWS.

[29] Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-CV-00907, 2017 U.S. Dist. LEXIS 122210, at *3 (S.D.N.Y. July 21, 2017).

[30] Medidata Solutions, 2017 U.S. Dist. LEXIS 122210, at *3–5.

[31] Medidata Solutions, 2017 U.S. Dist. LEXIS 122210, at *6.

[32] Medidata Solutions, 2017 U.S. Dist. LEXIS 122210, at *12–14.

[33] Notice of Appeal, Principle Solutions, No. 1:15-CV-4130-RWS (N.D. Ga. Apr. 13, 2017), ECF No. 77; Notice of Appeal, Medidata Solutions, No. 15-CV-00907 (S.D.N.Y. Aug. 11, 2017), ECF No. 84; Notice of Appeal, American Tooling, No. 5:16-cv-12108 (E.D. Mich. Aug. 28, 2017), ECF No. 35.

[34] Principle Solutions, No. 1:15-CV-4130-RWS, slip op. at 7–8.


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).