It has become a truism in the cyber-security industry that even the most secure computer systems have a fatal flaw—the human beings who operate them. Over the past decade, hackers have increasingly exploited this weakness with sophisticated “social engineering” schemes that combine computer fraud with personal manipulation. In a typical social engineering fraud, the attackers will reach out to a well-researched employee—pretending to be an important vendor, company executive, or even a good friend. Often the first step is an email, but it can also be a letter, fax, or telephone call. The imposter will ask the employee to download a file, change a creditor’s banking information, or contact an attorney about a top-secret new corporate deal. These messages will often include links to fake websites, telephone numbers controlled by the fraudsters, and other legitimate-looking details, such as signature blocks and photos of the purported sender.
Often enough, by the time the employee realizes the mistake, it is too late, and the company has lost thousands or, sometimes, even millions of dollars.
Losses arising from these clever frauds raise thorny issues of insurance coverage and have resulted in a host of arguably inconsistent nationwide rulings applying a standard Commercial Crime / Computer Fraud coverage form. One such decision comes from Indiana. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., No. 20S-PL-617, 2021 WL 1034982 (Ind. Mar. 18, 2021), the insured was a midwestern petroleum distributor whose employee was targeted by a fraudulent email. The attack led the employee to download a file that included a ransomware virus (malicious code that locks the victim’s computer systems until the victim pays a ransom to the attacker). The insured, after consulting with the FBI and a cyber-security expert, agreed to pay the anonymous hacker four bitcoins worth a total of $35,000 to regain access to its systems.
After paying the ransom, the insured sought indemnity from its insurer under a standard Commercial Crime coverage form, which states as follows:
. . . Computer Fraud
We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Id. at *1.
The G&G Oil insurer denied coverage for two reasons. First, the insurer reasoned that the insured had voluntarily transferred the bitcoin ransom to the hacker, and consequently, the hacker did not “fraudulently cause a transfer” directly from the insured. Second, the insurer contended that the insured’s loss did not “result[] directly from the use of any computer” (emphasis added) because the insured’s voluntary decision to pay the ransom constituted an intervening cause of loss.
The insurer’s arguments were accepted by an Indiana trial court—which granted summary judgment to the insurer—and the Indiana Court of Appeals, which unanimously affirmed. But the insurer’s luck ran out at the state’s highest court, which reversed and remanded.
Recognizing that “the interplay between computer fraud coverage and computer hacking is an emerging area of the law,” id. at *4, the Indiana Supreme Court held that, under the plain language of the Commercial Crime coverage form, a question of fact on coverage should have precluded summary judgment. First, the court held that the policy’s coverage for a computer attack that “fraudulently caus[es] a transfer” is, essentially, a requirement that the hacker initiate the loss by using trickery. This requirement could have been met, in the court’s view, with evidence that the initial ransomware virus was downloaded into the insured’s system through a “spear phishing” fraud (i.e., an email targeted to a well-researched victim). Id. at *5. And second, the court held that it was inappropriate to grant summary judgment on the issue of whether the loss “result[ed] directly from the use of a computer[.]” The court reasoned that the insured’s “transfer of Bitcoin was nearly the immediate result—without significant deviation—from the use of a computer,” and thus the proximate result of the trick. Id. at *6. The court remanded for further discovery on the scope and means of the fraud.
The G&G Oil decision follows a decade’s worth of judicial interpretations of similar policy language—often with conflicting and inconsistent results. These decisions, like G&G Oil, typically turn on two key questions. First, does a sophisticated social engineering scheme, which uses a computer to trick the victim into doing something voluntarily, qualify as a computer attack that fraudulently causes a transfer of money? And second, does human decision-making (such as the G&G Oil insured’s decision to pay the ransom) sever the chain of causation between the computer attack and the loss?
While the G&G Oil court answered both questions in favor of the possibility of coverage, many other courts have reached divergent conclusions on similar facts and policy language.
Fraudulently cause a transfer
Insurers faced with claims for coverage arising from social engineering, spear phishing, and ransomware attacks frequently argue that such attacks are distinguishable from the kind of pure “hacking” that Commercial Crime coverage forms are intended to cover. For example, in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, 895 F.3d 455 (6th Cir. 2018), a hacker “spoofed” a vendor’s email address (that is, forged the sender address so that the messages appeared to come from the vendor) and asked the victim to pay the vendor’s invoices to a new bank account, which belonged to the fraudster rather than to the vendor. The victim did not realize the fraud until it had sent approximately half a million dollars to the fraudster’s account.
The American Tooling Center insurer argued that its policy form “requires a computer to fraudulently cause the transfer. It is not sufficient to simply use a computer and have a transfer that is fraudulent.” Id. at 461 (internal quotations omitted). That is, the insurer asserted that the Computer Fraud form was designed to insure a loss entirely caused by a computer hack or virus, with no intervening conduct by a human being. The Sixth Circuit rejected that interpretation of the form, holding that it was sufficient that “the impersonator sent [the insured] fraudulent emails using a computer and these emails fraudulently caused [the insured] to transfer the money to the impersonator.” Id. at 461–62.
Faced with similar policy language, the Ninth Circuit Court of Appeals reached an entirely different result. In Pestmaster Services, Inc. v. Travelers Casualty & Surety Company of America, 656 F. App’x 332 (9th Cir. 2016), the court held that the policy phrase “fraudulently cause a transfer” would not cover a voluntary automated payment—even if it was made under false pretenses. “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Id. at 333.
Directly from the use of a computer
The causation element of Computer Fraud coverage forms has been even more hotly disputed. Several courts—like the G&G Oil court—have held that an intervening human decision to pay funds does not sever the chain of causation between a fraudulent email or hack and a loss. Others, meanwhile, have ruled that policy language requiring a “direct” connection between computer fraud and loss is not satisfied in social engineering cases.
The Fifth Circuit Court of Appeals’ decision in Apache Corp. v. Great American Insurance Co., 662 F. App’x 252 (5th Cir. 2016) is the leading case for the “narrow” view of Computer Fraud coverage form causation standards. In Apache Corp., an employee of the insured received an email purporting to be from a vendor and requesting that the insured make all future payments to a new bank account (again, belonging to the imposter). After “confirming” the provenance of the request with a call to a fake telephone number provided by the imposter, the employee changed the vendor’s payment information. The insured paid nearly $7 million to the imposter’s bank account before realizing the mistake. The insurer denied coverage for the loss.
The Fifth Circuit affirmed the denial of coverage, concluding that the email was only “part of the scheme” and therefore insufficient to establish a “direct” relationship between computer use and the loss. Id. at 258. In so holding, the court examined each intervening step in the fraud, which included telephone calls between the insured and the fraudster, and concluded that “the computer-use was but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.” Id. at 259. Borrowing the Ninth Circuit’s reasoning from the Pestmaster ruling cited above, the Apache Corp. court held that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.”
Applying similar reasoning, the Eleventh Circuit Court of Appeals held in Interactive Communications International, Inc. v. Great American Insurance Co., 731 F. App’x 929 (11th Cir. 2018), that the insured’s $11 million loss following a hack of its prepaid debit card system was not covered. The Interactive court, while agreeing that “the fraudsters’ manipulation of [the insured’s] computers set into motion the chain of events that ultimately led to [the insured’s] loss,” ultimately held that there was no “direct” causation because “several steps typically intervened between the fraudulent manipulation of the [] system . . . and [the insured’s] ultimate loss[.]” Id. at 934.
Notably, a year later, the same court issued another ruling on Computer Fraud coverage causation standards, and applied an arguably broader standard. In Principle Solutions Group, LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the insured lost $1.7 million after an employee wired funds in response to an imposter’s email that appeared to be from the company’s managing director. While the Eleventh Circuit held in Interactive that intervening actions can break the causal chain, the Principle Solutions Group court held that neither the insured’s post-email telephone communications nor the voluntary order for the bank to wire the funds defeated coverage because “both were foreseeable consequences of the email.” Id. at 892.
The Principle Solutions Group decision is consistent with the decisions reached by the Sixth Circuit in American Tooling Center and the Indiana Supreme Court in G&G Oil, as well as a number of other recent cases. Those rulings, similarly, held that a chain of events initiated by a fraudulent spear-phishing email arises “directly from the use of a computer”—even if there are subsequent voluntary decisions by the insured and other non-fraudulent intervening acts. See G&G Oil, 2021 WL 1034982 at *6; Am. Tooling Ctr., Inc., 895 F.3d at 463 (“[B]ecause the loss occurred once [the insured] transferred the money in response to the fraudulent emails . . . the computer fraud ‘directly caused’ [the insured’s] ‘direct loss.’”); Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 430 F. Supp. 3d 116, 130 (E.D. Va. 2019) (holding that intervening events did not sever causal connection between imposter email and the insured’s loss of money because “[c]omputers were used in every step of the [process]”); Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 479 (S.D.N.Y. 2017) (holding that the insured’s “employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as [the insured’s] president”).
Conclusion
As readily noted by the G&G Oil court, Computer Fraud coverage for sophisticated social engineering attacks and spear phishing schemes is a developing and unsettled area of the law. Such cases are heavily fact-intensive and, as noted above, can turn on extremely minute factual distinctions as well as individual courts’ differences in interpreting common policy terms.