One Phish, Two Phish: Developments in the World of Computer Fraud Coverage
By Melissa M. D’Alelio
April 24, 2019 Feature
“I meant what I said, and I said what I meant,” Dr. Seuss once quipped. Courts, nationwide, are stating likewise when it comes to insureds seeking coverage for phishing scams under their crime policies, and specifically the Computer Fraud Coverage Form found in many commercial property policies. More often than not, no such coverage will exist for unsuspecting companies that fall victim to phishing scams.
This is important news, as a report revealed that 85 percent of organizations suffered phishing attacks in 2016 alone.1 Not only are more organizations falling victim to these attacks, but the number of attacks and their level of sophistication are increasing steadily. Two-thirds of organizations polled reported experiencing attacks that were targeted and personalized (spear-phishing attacks), up 22 percent from the year before. Commentators opined that phishing attacks would continue to rise in 2018 and that they would be increasingly sophisticated.2 Commentators predict the same for 2019.3
Phishing Defined
What exactly is “phishing”? It is a fraudulent attempt to obtain sensitive information such as usernames, passwords, credit card details, and, indirectly, money, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel is almost identical to the legitimate one. Communications purporting to be from social websites, auction sites, banks, online payment processors, or IT administrators often are used to lure victims. Phishing emails may even contain links to websites that are infected with malware.
Notably, “hacking” is distinct from “phishing.” In a hack, the information is taken without the victim’s participation: the perpetrator must first break into and then take control of a computer system, through brute force or more sophisticated methods, in order to reach the sensitive data.4
The Purpose of the Computer Fraud Coverage Form
The typical Computer Fraud Coverage Form in a property insurance policy states thus: “We will pay for loss . . . resulting directly from . . . ‘Computer Fraud.’” Computer fraud is defined as
“theft” of property following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises” to a person . . . outside those “premises” or to a place outside those “premises.”5
A review of secondary sources and treatises implies that the purpose of the Computer Fraud Coverage Form is to cover instances where a perpetrator directly hacks into an insured’s computer system and fraudulently causes—by his own actions—a transfer of money. As one commentator noted, “‘Computer Fraud’ requires the culprit to use a computer to transfer money . . . from within the insured’s premises. . . .”6 Another commentator stated, “‘Computer Fraud’ mean[s] theft through the use of a computer to transfer covered property from inside the insured’s premises. . . .”7
The Computer Fraud Coverage Form, however, does not include any explicit reference to hacking, let alone phishing. Though companies victimized by phishing schemes have sought coverage under the form, they have had little success in the courts.8
Five More Recent Developments
In the last few years, there have been a number of cases addressing this issue. This paper explores five of the more notable ones.
Pestmaster v. Travelers. On July 29, 2016, the U.S. Court of Appeals for the Ninth Circuit affirmed the lower court’s grant of summary judgment to Travelers in Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America.9
Pestmaster sustained significant losses as a result of its payroll company’s breach of its contractual obligation to pay Pestmaster’s payroll taxes. Pestmaster had executed an ACH authorization that authorized the payroll company to review and pay invoices, transferring funds from Pestmaster’s bank account for this purpose. The payroll company transferred the funds, as it was authorized to do, but kept the monies for its own purposes instead of paying invoices.
The lower court explained, in part:
“Computer Fraud” occurs when someone “hacks” or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds. . . . [T]here is an important distinction between “fraudulently causing a transfer,” . . . and Pestmaster’s interpretation of “Computer Fraud” as “causing a fraudulent transfer. . . .” [N]othing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims, . . . but where the claims themselves were fraudulent.10
The lower court also found that the use of a computer was merely incidental to, and not “directly related” to, Pestmaster’s losses.11
InComm Holdings v. Great American. On March 16, 2017, the U.S. District Court for the Northern District of Georgia found that a policyholder’s loss involving prepaid debit card system fraud was not “directly” caused by a computer. In InComm Holdings, Inc. v. Great American Insurance Co., the court granted summary judgment for Great American.12
In so holding, the court explained thus:
That a computer was somehow involved in [a] loss does not establish that the wrongdoer “used” a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision. . . . Lawyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain—between the perpetrators’ conduct and the loss—unreasonably strain the ordinary understanding of “computer fraud” and “use of a[] computer.”13
Apache v. Great American. On October 18, 2016, the U.S. Court of Appeals for the Fifth Circuit decided Apache Corp. v. Great American Insurance Co., vacating judgment for the insured and rendering judgment for the insurer.14
In Apache, an employee
received a telephone call from a person identifying herself as a representative of [a vendor]. The caller instructed [the] Apache [employee] to change the bank-account information for its payments to [the vendor]. The . . . employee replied that the change-request could not be processed without a formal request on [vendor] letterhead.15
A week later, Apache received the requested letter via email. The employee even called the phone number listed on the letterhead to verify the request and confirm its authenticity. “[A] different Apache employee . . . implemented the change.”16 A week later, unbeknownst to it, Apache was transferring funds for payment of the vendor’s invoices to the perpetrator’s account. Within a month, the legitimate vendor asked why it had not been paid by Apache, and the scam was discovered. Apache made a claim for the loss under its computer fraud coverage.
The trial court found that the policy covered Apache for the loss. It rejected Great American’s argument that the loss was not direct because of intervening factors, explaining that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the emails as being a ‘substantial factor.’”17
The Fifth Circuit reversed, finding that the only computer use was the use of the email as part of the overall scheme. The Fifth Circuit found that the email was “merely incidental” to the occurrence of the authorized transfer of money. The court stated thus:
To interpret the computer fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer fraud provision to one for general fraud.18
Medidata Solutions v. Federal Insurance. In Medidata Solutions, Inc. v. Federal Insurance Co.,19 the U.S. District Court for the Southern District of New York analyzed coverage under the policy’s “Crime Coverage Section” in light of Medidata’s loss involving spoofed emails.
Medidata provides cloud-based services to scientists conducting research in clinical trials. . . . Medidata used Google’s Gmail platform for company emails[,] . . . [with] email addresses consist[ing] of an employee’s first initial and last name followed by the domain name “msdol.com” [in lieu] of “gmail.com”. Email messages sent to Medidata employees were routed through Google computer servers. Google systems processed and stored the email messages[] [and,] [d]uring [this] processing, . . . compared . . . incoming email address[es] with Medidata employee profiles in order to find . . . match[es]. If a match was found, Gmail [showed] the sender’s full name, email address, and picture in the “From” field of the message. After processing, the emails were displayed in the Medidata employee’s email account.20
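The routing described above is what made the spoof effective: the mail platform matched the incoming address against employee profiles and rendered the president’s name, address, and picture in the “From” field, so the recipient saw nothing unusual. The following is an added example, not code from the article or from any party to the case, showing the header-level checks a receiving organization can run to surface that pattern: a “From” that claims an internal executive while the envelope sender (Return-Path), the Reply-To, or the gateway’s SPF/DKIM/DMARC verdicts point elsewhere. The employee directory, domain names, and the three sample messages are constructed for illustration; the Authentication-Results header is assumed to be added by the receiving mail server in the usual RFC 8601 form.

```python
"""Header checks for display-name / From-address spoofing of the kind
described in the Medidata facts.  All messages and names below are
constructed samples, not material from any real incident."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed directory of executives and their canonical addresses
# (assumption: the company keeps such a list, as the Gmail profiles did).
EMPLOYEE_DIRECTORY = {
    "Pat Example": "pexample@corp.example",
}
INTERNAL_DOMAINS = {"corp.example"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    that the receiving gateway added (e.g. 'spf=fail', 'dkim=none')."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def check_message(raw: str) -> list:
    """Return human-readable spoof indicators; an empty list means none found."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = _domain(return_path)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. Envelope sender comes from a different domain than the visible From.
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")

    # 2. Display name belongs to a known employee, but the address is not theirs.
    expected = EMPLOYEE_DIRECTORY.get(display_name)
    if expected and from_addr.lower() != expected.lower():
        findings.append(f"display name {display_name!r} used with {from_addr!r}, expected {expected!r}")

    # 3. Replies are steered outside the company while From claims to be internal.
    if reply_to and from_domain in INTERNAL_DOMAINS and _domain(reply_to) not in INTERNAL_DOMAINS:
        findings.append(f"Reply-To {reply_to!r} is external while From is internal")

    # 4. An internal From address that did not pass SPF/DKIM/DMARC at the gateway.
    if from_domain in INTERNAL_DOMAINS:
        auth = _auth_results(msg)
        for method in ("spf", "dkim", "dmarc"):
            if auth.get(method) != "pass":
                findings.append(f"{method} result is {auth.get(method, 'missing')!r} for internal sender")
    return findings


# Constructed: a legitimate internal message.
LEGIT = """From: Pat Example <pexample@corp.example>
Return-Path: <pexample@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Subject: Q3 numbers

Please send the summary.
"""

# Constructed: the Medidata-style pattern. From shows the president's name and
# address, but the envelope sender and Reply-To are external and auth fails.
SPOOFED = """From: Pat Example <pexample@corp.example>
Return-Path: <bounce@mailer.invalid>
Reply-To: pat.example@attorney-mail.invalid
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=corp.example
Subject: Confidential acquisition - urgent

An attorney will call you with wire instructions.
"""

# Constructed: a look-alike that borrows only the display name.
LOOKALIKE = """From: Pat Example <pat.example@webmail.invalid>
Subject: Quick favour

Are you at your desk?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw) or "no indicators")
```

Each check is independent, so a message with only one oddity (the look-alike sample trips only the directory check) still surfaces, while the fully spoofed sample accumulates several findings; in practice these would feed a mail-gateway rule or a banner on the message rather than a hard block, since the goal is to give the finance employee in the Medidata facts a reason to pause before acting on the instructions.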
Medidata’s tale unfolded in September 2014. Around that time,
Medidata notified its finance department of the company’s short-term business plans which included a possible acquisition. Medidata instructed [its] finance personnel “to be prepared to assist with significant transactions on an urgent basis.”21
An employee in the finance department “received an email purportedly sent from Medidata’s president,” informing her that he was finalizing a strictly confidential acquisition and that an attorney would be calling her with payment instructions demanding her immediate attention.22 The email message contained the president’s name, email address, and picture in the “From” field.
That same day, the employee received a phone call from a man claiming to be the referenced attorney. He requested that the employee process a wire transfer. The employee explained that she would need an email from Medidata’s president requesting the transfer and also would need to obtain approval from Medidata’s vice president and director of revenue. She then received an email that appeared to be from Medidata’s president authorizing a $4.7 million wire transfer, copying the vice president and director of revenue. As instructed, the employee initiated the wire transfer; and, as further instructed, the vice president and director of revenue authorized the wire transfer.
A few days later, the purported attorney contacted the employee again, requesting a second wire transfer. She began initiating the wire transfer; however, the vice president hesitated in granting his authorization for the transfer. He was suspicious. He reached out to the president, who explained that he had not requested either wire transfer. Medidata had been defrauded.
Medidata submitted a claim to Federal, which issued a denial. Federal explained that under the computer fraud provision, “there had been no ‘fraudulent entry of [d]ata into Medidata’s computer system.’”23 Federal denied coverage under the funds-transfer fraud clause, as well, noting that “the wire transfer had been authorized by Medidata employees and thus was made with the [knowing] consent of Medidata.”24 Finally, “Federal rejected Medidata’s claim for Forgery Coverage because the emails did not contain an actual signature and did not meet the Policy’s definition of Financial Instrument.”25 Federal emphasized that “no loss would have taken place if Medidata employees had not acted on the instructions contained in those [spoofed] emails.”26
Litigation ensued. After analyzing the policy language and discussing landmark hacking cases such as Pestmaster, the court found coverage for the loss under the computer fraud and funds-transfer fraud provisions (but not the forgery coverage provision).27 It is perhaps the first time that a court performed a granular analysis of the means by which a fraudulent engineering scheme was carried out to determine coverage.
The court began by emphasizing the distinct facts at issue in Medidata that were not at issue in some of these prior cases:
[T]he fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity. The thief’s computer code also changed data from the true email address to Medidata’s president’s address to achieve the email spoof.28
The court was not persuaded by Federal’s argument that “‘there [was] no direct nexus’ between the spoofed emails and the fraudulent wire transfer” given a number of intervening acts. After all, “Medidata employees received telephone calls from the thief and took other steps in approving the fraudulent transfer.”29 In contrast to the court in Apache, the court was not bothered by this “muddy chain of events,” noting that the “Medidata employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president.”30 The court found that the “validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick. . . . [And] larceny by trick is still larceny.”31
Federal appealed the ruling to the Second Circuit. Briefs were filed on November 27, 2017, and December 4, 2017. An amicus brief was filed in support of Federal’s position by the Surety and Fidelity Association of America.
On July 6, 2018, the U.S. Court of Appeals for the Second Circuit affirmed the decision.32 The Second Circuit “agree[d] with the district court that the plain and unambiguous language of the policy cover[ed] the losses incurred by Medidata. . . .”33 The Second Circuit explained that
[w]hile Medidata concede[d] that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which . . . constitutes a “computer system” within the meaning of the policy.34
The Second Circuit stressed that the “email system itself was compromised” and that the loss sustained was a direct loss.35 The Second Circuit noted that “New York courts generally equate the phrase ‘direct loss’ to proximate cause” and that “the spoofing attack was the proximate cause of Medidata’s losses.”36 Thus, the Second Circuit explained,
[w]hile it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.37
American Tooling v. Travelers. In American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America,38 the U.S. District Court for the Eastern District of Michigan, relying in part on Apache, ruled that Travelers did not have to cover American Tooling’s $800,000 in losses from an email-based theft scheme.
As in Apache, the thieves that targeted American Tooling used bogus emails to impersonate a vendor and deceive the toolmaker into wiring funds. American Tooling argued “that it suffered a loss that [was] covered under the ‘computer fraud’ provision of its . . . insurance policy.”39 Travelers disagreed, “contend[ing] that [American Tooling]’s loss was not a ‘direct loss’ that was ‘directly caused by the use of a computer,’ as required by the policy.”40
The court agreed with Travelers, explaining that,
[g]iven the intervening events between the receipt of the fraudulent emails and the (authorized) transfer of funds, it cannot be said that [American Tooling] suffered a “direct” loss “directly caused” by the use of any computer.41
The court noted that the U.S. Court of Appeals for the Sixth Circuit interprets direct to mean “‘immediate,’ without anything intervening.”42 The court explained that the spoofed emails
did not . . . immediately cause the transfer of funds from [American Tooling]’s bank account. Rather, intervening events between [American Tooling]’s receipt of the fraudulent emails and the transfer of funds . . . preclude[d] a finding of “direct” loss.43
Indeed, after receiving the emails, American Tooling had “verified production milestones, authorized the transfers, and initiated the transfers without verifying the bank account information” provided.44
American Tooling appealed the court’s holding to the Sixth Circuit. Briefs were filed on November 15, 2017; December 12, 2017; and January 3, 2018. An amicus brief was filed by the Surety and Fidelity Association of America.
On July 13, 2018, the Sixth Circuit reversed the decision.45 The Sixth Circuit found that the district court erred in granting summary judgment to Travelers, ruling that American Tooling “suffered a ‘direct loss’ under the policy” because it “immediately lost its money when it transferred the [funds] to the impersonator.”46 The Sixth Circuit further found that “the impersonator’s conduct constitute[d] ‘computer fraud,’” which was not limited to hacking.47 The Sixth Circuit noted thus:
Travelers’ attempt to limit the definition of “Computer Fraud” to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded. If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so.48
The Sixth Circuit also found that the “direct loss” was “directly caused by computer fraud” because the insured “received the fraudulent email at step one,” and its “employees then conducted a series of internal actions . . . which led to the transfer of money to the impersonator at step two.”49
Cross-Jurisdictional Uniformity Slowly Emerging
“Out there things can happen, and frequently do, to people as brainy and footsy as you,” warned Dr. Seuss. This is certainly true in terms of phishing attacks. According to the Federal Bureau of Investigation, phishing attacks continue to increase exponentially and have resulted in losses of more than $5.3 billion from 2014 to 2016.50
Given these jarring statistics, it is likely that insureds seeking to recover funds lost in phishing schemes will continue to assert coverage under their Computer Fraud Coverage Form—despite an increasing number of cases, nationwide, clarifying that the form will not cover numerous computer fraud–related situations. As emphasized in Apache, there appears to be “cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use.”51
Nonetheless, the recent decision by the Sixth Circuit in American Tooling may threaten this uniformity. And as Medidata proves, when spoofed emails are armed with a computer code that masks the thief’s true identity and/or where that code changes data, the question of whether a loss is “directly caused” by the use of a computer becomes a closer call.
Notes
1. Jonathan Crowe, Phishing by the Numbers: Must-Know Phishing Statistics 2016, Barkly (July 2016), https://blog.barkly.com/phishing-statistics-2016 (internal citations omitted).
2. Eitan Katz, Phishing Statistics: What Every Business Needs to Know, Dashlane (Jan. 17, 2018), https://blog.dashlane.com/phishing-statistics/.
3. Mika Aalto, Statistics Showing Five Phishing Trends for 2019, Hoxhunt (Sept. 20, 2018), www.hoxhunt.com/blog/statistics-showing-5-phishing-trends-for-2019/.
4. Cindy Ng, What’s the Difference Between Hacking and Phishing, Varonis (July 3, 2018), https://blog.varonis.com/whats-difference-hacking-phishing/.
5. See, e.g., 4 ISO CR 00 07 (10 90) (Form F).
6. Ins. Inst. of Am., Fidelity Bonds 179 (1992).
7. IRMI, Computer Fraud Coverage Form 1/1 (2016).
8. See, e.g., Methodist Health Sys. v. Hartford Fire Ins. Co., 834 F. Supp. 2d 493 (D. La. 2011); Pinnacle v. Hartford Cas. Ins. Co., No. C10-1126-RSM, 2011 U.S. Dist. LEXIS 128203 (W.D. Wash. Nov. 4, 2011); Brightpoint v. Zurich, No. 1:04-cv-2085-SEB-JPG, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2006); Universal Am. v. Nat’l Union, 25 N.Y.3d 675 (N.Y. 2015).
9. No. 14-56294, 2016 U.S. App. LEXIS 13829 (9th Cir. July 29, 2016).
10. Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039-JFW, 2014 U.S. Dist. LEXIS 108416, *19–20 (C.D. Cal. July 17, 2014).
11. Id. at *21.
12. No. 1:15-cv-2671-WSD, 2017 U.S. Dist. LEXIS 38132 (N.D. Ga. Mar. 16, 2017).
13. Id. at *23–24.
14. No. 15-20499, 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016).
15. Id. at *2–3.
16. Id. at *3.
17. Apache Corp. v. Great Am. Ins. Co., No. 4:14-cv-237, 2015 U.S. Dist. LEXIS 161683 (S.D. Tex. Aug. 7, 2015).
18. 2016 U.S. App. LEXIS 18748, at *17.
19. 268 F. Supp. 3d 471 (S.D.N.Y. 2017).
20. Id. at 472 (internal citations omitted).
21. Id. at 473 (internal citations omitted).
22. Id.
23. Id. at 474.
24. Id. at 475.
25. Id.
26. Id.
27. Id. at 478–81.
28. Id. at 478.
29. Id.
30. Id. at 479.
31. Id. at 480.
32. No. 17-2492-CV, 2018 U.S. App. LEXIS 18376 (2d Cir. July 6, 2018).
33. Id. at *2.
34. Id.
35. Id. at *4–5.
36. Id. at *5.
37. Id.
38. No. 16-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017).
39. Id. at *1–2.
40. Id. at *3.
41. Id. at *5.
42. Id. (citation omitted).
43. Id. at *5–6.
44. Id.
45. 895 F.3d 455 (6th Cir. 2018).
46. Id. at 460.
47. Id. at 461 (caps omitted).
48. Id. at 462.
49. Id. at 462–63.
50. AJ Dellinger, Phishing Scams: FBI Says Businesses Have Lost $5 Billion in Phishing, Social Engineering Attacks, Int’l Bus. Times (May 8, 2017), www.ibtimes.com/phishing-scams-fbi-says-businesses-have-lost-5-billion-phishing-social-engineering-2536205.
51. Apache Corp. v. Great Am. Ins. Co., No. 4:14-cv-237, 2015 U.S. Dist. LEXIS 161683, at *16 (S.D. Tex. Aug. 7, 2015).