Social Engineering Fraud: Current Trend in Coverage for Insureds

Social engineering fraud, which has been defined broadly as “scams used by criminals to trick, deceive and manipulate their victims into giving out confidential information and funds,” may be carried out online, by telephone, or even in person.¹ Four insurance coverage cases involving social engineering fraud were on appeal in four federal circuit courts of appeal last year; by the year’s end, three had been decided, and the fourth was pending decision.

The four cases on appeal all involved two of the more common social engineering fraud scenarios found in claims made under fidelity/crime policies. In one, a thief who pretends to be a high-ranking officer of the insured sends an email to a subordinate with instructions to process a wire transfer to a new third-party account. In the other, a thief who pretends to be a vendor of the insured sends an email to an employee of the insured advising that the vendor has changed its bank account and requests that the insured send payments to the new account. In both scenarios, the sender’s email address slightly differs from the actual person’s email address such that the discrepancy goes undetected by the casual observer or, more rarely, appears in all respects to be the actual person’s email address. These email-based social engineering frauds sometimes have been referred to as “spoofing” scams.²

The four cases on appeal have tested the majority view that had developed from a handful of cases in federal courts that coverage is not available under the traditional electronic coverages provided in crime/fidelity policies, namely, computer fraud provisions. A decision in the spring of 2018 buttressed the majority view, but, by the summer, two more decisions turned the nascent majority on its head. The decision in the fourth case will break the current circuit split.

We discuss the majority view on coverage for social engineering fraud losses going into 2018, the appeals court decisions rendered in (and pending from) 2018, and where insurers go from here.

A Recap of the Pre-2018 Majority View

Prior to 2018, only two decisions interpreting the availability of coverage for losses arising from social engineering fraud had been resolved through appeal: Apache Corp. v. Great American Insurance Co.³ and Taylor & Lieberman v. Federal Insurance Co.⁴ Along with a few other federal court decisions that will be discussed throughout this piece, Apache and Taylor & Lieberman represented the majority view that email-based social engineering fraud is not the type of activity that computer fraud provisions are meant to cover.

Apache. In Apache, the U.S. Court of Appeals for the Fifth Circuit vacated the U.S. District Court for the Southern District of Texas’s determination that the loss arising from a fraudulent email scam was covered under the computer fraud provision in a crime policy issued to the insured, Apache Corporation (Apache).

The fraud began when someone posing as one of Apache’s vendors called an Apache employee and requested that all future payments be made to the vendor’s new bank account. The employee instructed the caller to submit the request on the vendor’s letterhead. The imposter complied by submitting via email a change request letter with the new account information. A second Apache employee verified the change request by calling the number listed on the fraudulent letter, and a third employee approved the change request. Apache transferred a total of $2.4 million to the imposter’s account as payment for the actual vendor’s legitimate invoices.

The computer fraud provision at issue applied to loss resulting directly from “the use of any computer to fraudulently cause a transfer.”⁵ The Fifth Circuit zeroed in on a fundamental problem with extending such coverage to social engineering losses. It stated that allowing coverage for any scheme merely because it involves an email somewhere in the chain of events would improperly convert the computer fraud provision into a general fraud provision. Accordingly, the court held that the fraudulent emails were not sufficient to constitute covered computer use. It also found that the emails did not directly cause the insured’s loss because Apache had responded to the emails by engaging in a multiple-step process and flawed investigation of the new, but fraudulent, information, which ended in Apache making authorized transfers to the imposter.

Taylor & Lieberman. In Taylor & Lieberman, the U.S. Court of Appeals for the Ninth Circuit affirmed the U.S. District Court for the Central District of California’s determination of no coverage for loss arising from a fraudulent email scam.

The insured, accounting firm Taylor & Lieberman (T&L), received emails from someone who had taken hold of a client’s email account and, in a series of emails to a T&L employee, requested that T&L wire money from the client’s bank account to accounts in Malaysia, Singapore, and Hong Kong. Believing that the emails were from the client, the T&L employee obtained authorization and initiated the first two transfers pursuant to a power of attorney over the client’s account. The fraud was uncovered when the employee noticed that the request for payment to the Hong Kong account came from a different email address. T&L reimbursed its client for the two transfers totaling approximately $192,000 and then made a claim for the amounts that it was unable to recover.

T&L’s policy had a narrow computer fraud provision, which applied to direct loss resulting from “computer fraud,” defined in the policy as an unauthorized “entry into” or “introduction of instructions” that “propagated themselves through” the insured’s computer system.⁶ The court found that merely sending an email, without more, was not sufficient to satisfy either definition of computer fraud, and it distinguished emails from “the type of instructions that the policy was designed to cover, like the introduction of malicious code.”⁷ The court upheld the lower court’s ruling that a direct loss could only occur if a hacker entered the insured’s computer system and was able to withdraw funds that immediately depleted an account owned by or attributed to the insured.

The lower court’s determination of no coverage under a funds-transfer fraud provision was also upheld. The provision applied to direct loss resulting from fraudulent instructions “issued to a financial institution directing such institution to transfer” funds from the insured’s account without the insured’s knowledge or consent.⁸ The fraudulent email instructions had been sent to T&L, not to a financial institution, and T&L knew about the transfers.

Hacking as a necessary element of computer fraud. Apache and Taylor & Lieberman both considered a hacking of the insured’s computer system to be an essential feature of a covered computer fraud loss. Under their reasoning, there can be no direct loss unless the thief himself hacks into the insured’s computer system and directly causes the loss by initiating a bank transfer on his own.

These courts placed responsibility for the social engineering losses squarely on the insureds, the entities with the means to control the risk of loss through a proper investigation of requests to transfer funds to a new bank account.

The decisions also underscore that policy language matters: computer fraud provisions do not cover any fraud merely because they involve a computer or an email.

Poscoe Daewoo. The last social engineering–related decision of 2017, Poscoe Daewoo America Corp. v. Allnex USA, Inc.,⁹ did not involve a circuit court appeal or even focus on the computer fraud provision, but it is worth noting as it affirmed the majority view about social engineering claims in general.

This case actually involved a reverse social engineering scam. The fraudster, pretending to be an employee of Daewoo, the insured, sent fraudulent emails not to Daewoo but to its vendor Allnex requesting that it wire payment of outstanding Daewoo invoices to a new bank account; Allnex complied.

Daewoo made a claim under its crime policy, which provided coverage for “the Insured’s direct loss of, or direct loss from damage . . . directly cause by Computer Fraud,” which in turn was defined as “[t]he use of any computer to fraudulently cause a transfer” from inside the premises or financial institution premises to any person or place outside those premises.¹⁰

The court declined to interpret the computer fraud provision and instead dismissed Daewoo’s complaint pursuant to the policy’s ownership clause, which limited coverage to property “that the Insured owns or leases,” “that the Insured holds for others,” or “for which the Insured is legally liable.”¹¹ The court determined that the diverted funds did not meet the parameters of the ownership clause because, at most,

before Daewoo actually received the monies due, it owned a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made.¹²

The 2018 Social Engineering Fraud Coverage Decisions

Aqua Star. In Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America,¹³ an April 2018 decision, the Ninth Circuit affirmed the U.S. District Court for the Western District of Washington’s determination of no coverage for an email-based social engineering scam, based on an electronic data exclusion in a crime policy issued to the insured, Aqua Star (USA) Corporation (Aqua Star).

The fraud began when someone hacked into the computer system of one of Aqua Star’s vendors in China and intercepted emails between Aqua Star and the vendor. Pretending to be the vendor, the imposter then sent emails to Aqua Star from an email address that was nearly identical to the actual vendor’s email address and requested that Aqua Star wire payments to a new bank account. Aqua Star’s treasury manager received the emails but did not notice the discrepancy. She entered the new account information in an Excel spreadsheet that she used to facilitate payments to vendors, and the payments were approved and initiated. In all, Aqua Star wired to the imposter’s account four payments totaling more than $713,000.

The exclusion at issue (Exclusion G) applied to loss “resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”¹⁴ Rather than focusing on the fraudulent emails, the court found that the treasury manager’s authorized entry of the new account information into Aqua Star’s computer system, i.e., the Excel spreadsheet, was an intermediate step in a chain of events that indirectly resulted in Aqua Star transferring funds to the imposter’s accounts; therefore, the loss was excluded.

Notably, the district court and the Ninth Circuit passed on the opportunity to decide whether Aqua Star’s claim was covered under the policy’s computer fraud provision, but their decisions supported the majority view that computer fraud coverage is only intended to cover losses resulting from someone’s unauthorized access into the insured’s computer system.

Medidata Solutions. The tide in favor of insurers shifted in July 2018, beginning with the U.S. Court of Appeals for the Second Circuit’s decision in Medidata Solutions, Inc. v. Federal Insurance Co.¹⁵ The court affirmed the U.S. District Court for the Southern District of New York’s finding of computer fraud coverage for loss arising from a spoofing scam—the first federal circuit court of appeal decision to find such coverage for a social engineering loss.

The spoofed emails sent to employees of the insured, Medidata Solutions, Inc. (Medidata), which had an address that appeared identical to the company president’s email address, directed employees to assist the company’s outside attorney with a confidential matter. After the purported attorney called a Medidata employee and requested a wire transfer, the president’s imposter emailed his approval. The fraud was discovered after an employee replied to the imposter regarding a second requested payment and noticed a different, suspicious email address in the “Reply to” field. Medidata made a claim for the first transfer of more than $4.7 million.

The unusual computer fraud provision in Medidata’s crime policy applied to direct loss resulting from “the unlawful taking or the fraudulently induced transfer . . . resulting from a Computer Violation,” which in turn was defined as “the fraudulent entry of Data into” or a “change to Data elements or program logic of” a computer system.¹⁶ The imposter was able to alter the appearance of the sender’s email address shown within the body of the email message, which thereby triggered Medidata’s system to populate the email message with other identifying information associated with the email address; thus, the court held that the imposter had introduced spoofing code into Medidata’s computer system, which represented both a fraudulent entry of data into and a change of data elements in Medidata’s computer system.

The court also found that the emails proximately caused Medidata’s loss. Equating direct loss with proximate causation,¹⁷ the court appeared to interpret proximate causation to mean “immediately”: it set forth that the chain of events initiated by the spoofed emails “unfolded rapidly” and that the employees made the transfer the same day.¹⁸

The court’s finding that the imposter had introduced malicious code into Medidata’s computer was critical to its coverage determination; however, according to Federal, no code was ever introduced.¹⁹ Federal laid out how the imposter created the emails entirely on his own computer so that the email address of the actual president of the company would appear on the recipients’ screens, and how Medidata’s system simply read the incoming message’s false content and displayed it.²⁰ Medidata’s email software used to route and deliver emails did receive the imposter’s true email address and directed “reply” emails to it.²¹

The court appeared to believe that Medidata’s computer system had been hacked despite Medidata’s acknowledgment that the emails did not alter or introduce any virus, malware, or instruction into its computer system. Regardless, the court affirmed that coverage may be triggered by something less than a thief hacking into the insured’s system and executing a bank transfer on his own. This conclusion contradicted Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, Pennsylvania,²² the controlling New York authority on whether a hacking of the insured’s system is required under similar policy language. Universal involved a scheme whereby health-care providers who were authorized to submit claims for reimbursement in the insured’s computerized billing system submitted false claims. New York’s high court held that there was no coverage under the computer systems fraud rider, which provided coverage for losses directly resulting from a “fraudulent” “entry of Electronic Data or Computer Program into, or . . . change of Electronic Data or Computer Program within” the insured’s computer system that causes a transfer.²³ The court held that the rider language showed an intent to cover “a violation of the integrity of the computer system through deceitful and dishonest access,” which it determined addresses the fraudulent accessing of a computer system and not the input of fraudulent content into the system by someone allowed to use it.²⁴ The court expressly held that the covered acts constituted a “hacking” of the computer system.²⁵ Having found that malicious code had been used in the Medidata case, the Medidata court distinguished Universal on the grounds that the fraudsters in Medidata had perpetrated a fraud on the insured’s computer system itself.

Medidata was issued as a summary order, which has no precedential effect,²⁶ and was the Second Circuit’s best guess as to how the New York Court of Appeals will interpret the same policy provision and circumstances. Until a New York appellate court determines Universal’s application to social engineering fraud, the issue of whether a traditional hacking event is necessary to trigger computer fraud coverage for email spoofing claims will remain unresolved under New York law.

American Tooling. One week after Medidata, the U.S. Court of Appeals for the Sixth Circuit issued a decision in American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America,²⁷ reversing the U.S. District Court for the Eastern District of Michigan’s finding of no computer fraud coverage for loss arising from a fraudulent email scam.

The matter began after the insured, American Tooling Center, Inc. (ATC), sent an email to a vendor in China requesting all outstanding invoices. Someone posing as the vendor intercepted that email and replied with a request that ATC wire payments to the vendor’s new bank account. ATC verified the vendor’s entitlement to payment based on completion of work and then authorized and initiated the wire to the new account. When all was said and done, the imposter had provided three different bank accounts, and ATC only became suspicious in the midst of processing payment to the third account. ATC transferred more than $834,000 to the imposter’s accounts in payment of legitimate invoices.

The computer fraud provision at issue in ATC’s crime policy applied to direct loss of money “directly caused by Computer Fraud,” which the policy defined as “[t]he use of any computer to fraudulently cause a transfer” from inside the insured’s premises or financial institution to a place outside of the insured’s premises or financial institution.²⁸ The court’s computer crime ruling contained three parts. First, the court held that ATC’s loss was “direct” because ATC immediately lost money upon the transfers to the imposter under either a “direct means immediate” or a “direct means immediate or proximate” definition.²⁹ The court declined to resolve whether its previous ruling in Tooling Manufacturing & Technologies Ass’n v. Hartford Fire Insurance Co.³⁰—that direct means “immediate”—applies only to employee fidelity coverage or to all coverages in a fidelity policy, although it suggested the former. Second, the court held that “[t]he use of any computer to fraudulently cause a transfer” does not require that a thief hack into the insured’s computer system to make the transfer on his own, and it placed responsibility on Travelers for not expressly limiting coverage to hacking-type events. Finally, the court held in a fairly tortured conclusion that the fraudulent emails “directly caused” ATC’s loss because they “induced” ATC to conduct a series of internal actions “[that] led to the transfer” of money to the imposter.³¹

The court also determined that a number of exclusions in the policy did not apply. It held that an exclusion for losses resulting from the “giving or surrendering of” money “in any exchange or purchase, whether or not fraudulent” (Exclusion R) did not apply because ATC did not receive anything from the imposter.³² It also held that an exclusion for losses resulting from the “input of Electronic Data” by someone “having the authority to enter the Insured’s Computer System” (Exclusion G) and an exclusion for losses resulting from “forged, altered or fraudulent documents or written instructions used as source documentation in the preparation of Electronic Data” (Exclusion H) did not apply because the ATC employee’s manual entries into the banking portal were instructions to the computer, and instructions to a computer system were specifically excluded from the policy’s definition of electronic data.³³

Principle Solutions. The last of the four 2018 appeals, Principle Solutions Group, LLC v. Ironshore Indemnity, Inc.,³⁴ a U.S. District Court for the Northern District of Georgia case, is currently pending decision in the U.S. Court of Appeals for the Eleventh Circuit. The lower court determined that losses resulting from an email scam were covered under a commercial crime policy issued to the insured, Principal Solutions Group, LLC (Principal Solutions).

The matter began when Principal Solutions’s controller received two fraudulent emails: one from someone posing as a managing director of the company instructing her to work with an attorney on a bank transfer, and the second from someone posing as the attorney. Between the fraudulent emails and the wire transfer, the controller had multiple calls with the purported attorney and Principal Solutions’s bank before Principal Solutions authorized and initiated the transfer of more than $1.7 million to a foreign bank account.

The computer and funds-transfer fraud provision at issue applied to “loss resulting directly from a ‘fraudulent instruction’ directing a financial institution . . . to transfer, pay or deliver” money from the insured’s account.³⁵ The court found the term directly to be ambiguous and construed it in favor of Principal Solutions. Citing the Southern District of Texas’s decision in Apache,³⁶ the court held that some employee activity between the fraudulent emails and the insured’s bank transfers must be allowed and that limiting computer fraud coverage to hacking incidents would render the coverage illusory.

However, Principal Solutions was decided in 2016, and the Fifth and Eleventh Circuits have since rendered decisions that bode well for its reversal on appeal. In 2016, the Fifth Circuit vacated Apache on the grounds that fraudulent emails are not sufficient to constitute covered computer use and did not directly cause the loss.³⁷ And in May 2018, the Eleventh Circuit handed down a decision in Interactive Communications International, Inc. v. Great American Insurance Co. (InComm)³⁸—a case that did not involve social engineering fraud but in which the court interpreted the meaning of direct loss in a computer fraud provision consistent with the Fifth Circuit’s Apache ruling.

In InComm, the insured, InComm, was defrauded in a prepaid debit card scheme. It provided a service whereby prepaid debit cards could be reloaded with funds through the purchase of “chits.” InComm would process the redemption and then transfer the funds from the purchase of the chits to a settlement account maintained by a third-party bank. After a cardholder made a purchase with the card, the bank remitted the funds to the merchant to pay for the purchase, the point at which InComm no longer had any control over the funds. The fraud occurred when cardholders exploited a programming error in InComm’s system that allowed them to redeem the same chit multiple times.

The Eleventh Circuit affirmed the Northern District of Georgia’s finding of no computer fraud coverage under direct loss grounds. The court determined that the fraudsters’ phone calls to InComm’s system constituted the “use” of a computer but did not “directly” cause the loss under the computer fraud provision.³⁹ The court applied the ordinary meaning of directly as “follows straightaway, immediately, and without any intervention or interruption,” concluding that InComm’s loss was not “directly” caused by the fraudulent redemptions because of the intervening events that occurred between the fraudulent redemptions and the transfer of funds to the merchants.⁴⁰

Summary of 2018 decisions. To summarize, as a result of the 2018 decisions, a clear split has emerged among courts interpreting insurance coverage for social engineering losses on both the hacking and direct loss issues. Medidata and American Tooling represent a break from the other federal circuit courts of appeal, which have determined that there is no coverage for social engineering fraud losses, by dispensing with any hacking requirement and allowing at least some intervening activity by the insured’s own employees.

Takeaways for Insurers

What is clear from the decisions to date is that computer fraud coverage for social engineering fraud is an unresolved matter. The various jurisdictions that have determined the question of coverage are evenly split, with the Fifth Circuit (Apache) and the Ninth Circuit (Taylor & Lieberman and Aqua Star) finding that coverage is unavailable and the Second Circuit (Medidata) and Sixth Circuit (American Tooling) finding that coverage is available. The closely watched outcome of Principal Solutions in the Eleventh Circuit will create a slim majority view in one direction or the other. Based on Apache and InComm, there is reason to predict that the Eleventh Circuit will determine that no computer fraud coverage is available on the grounds that merely sending an email to the insured, even if it contains false information, is not a hacking event and is incapable of directly causing a loss of money.

In the meantime, Medidata and American Tooling are subject to challenge as wrongly decided, nonbinding decisions. The interpretation of insurance policies, like contracts generally, is an issue of state law. In our view, Medidata is particularly vulnerable given its disputed interpretation of Universal, in which New York’s high court held that under similar computer fraud language there must be a violation of the integrity of the insured’s computer system, which means hacking; furthermore, Medidata is vulnerable due to its unusual fact pattern and dispute over whether the insured’s computer system had actually been attacked via malicious code. Medidata will continue to be a disputed decision until New York’s high court determines whether Universal extends to social engineering losses. Similarly, with respect to American Tooling, Michigan state courts have not determined whether direct means “immediate” or means “immediate or proximate” in the context of a fidelity policy, leaving the coverage issue unsettled under Michigan law. Of these two decisions, American Tooling is the more troubling decision for insurers given its undisputed, run-of-the-mill facts and standard computer fraud policy language.

Notably, none of the social engineering decisions to date has involved fraudulently induced transfers / social engineering fraud coverage. In general, such coverage dispenses with the “direct loss” terms that have, until Medidata and American Tooling, disqualified claims; and it covers loss resulting from the insured’s voluntary transfer of money resulting from its reliance on a fraudulent communication. The coverage is typically available by endorsement and is characterized by its sublimits; high retentions; and, in some endorsements, conditions precedent to coverage that require the insured’s employees to strictly follow preestablished out-of-band authentication procedures when they receive requests to transfer money. It draws a clear contrast to the limited coverage provided under computer fraud provisions. Of course, in the aftermath of Medidata and American Tooling, we do not foresee the availability of social engineering fraud coverage deterring insureds from making claims for computer fraud coverage, unless the loss is within the endorsement’s sublimit and the insureds are able to satisfy any authentication conditions.

Alternatively, insurers may determine that it is time to rewrite the computer fraud provisions to explicitly limit coverage to attacks on the insured’s computer system itself. This approach recognizes that a split over computer fraud coverage from one state to the next, with no clear majority view in sight, undermines insurers’ interest in uniformity in the meaning of their policy forms. This approach, however, may be premature. The current jurisdictional split derives from only six federal court cases, with at least one of the breakaway cases, Medidata, resting on a unique factual dispute and a highly disputed interpretation of a binding state high court decision. In addition, the limits of computer fraud coverage for social engineering losses still are being put to the test in courts across the country. Moreover, claims that the insurer agrees are covered under social engineering fraud provisions, but not covered under the traditional electronic coverages, have yet to be fully litigated. Accordingly, the jurisdictional split over coverage for social engineering fraud will stand for the near future, but a clearer overall picture of how a majority of courts around the country view the issue is just a matter of time. 

Notes

1. Social Engineering Fraud, Interpol, www.interpol.int/Crime-areas/Financial-crime/Social-engineering-fraud/Types-of-social-engineering-fraud (last visited Feb. 20, 2019).

2. In Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007) (citing Federal Trade Comm’n v. Westby, No. 03-C-2540, 2004 WL 1175047, at *2 (N.D. Ill. Mar. 4, 2004)), the court accepted the definition of spoofing as

the practice of disguising a commercial email to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the “From” or “Reply-to” lines, or in other portions of e-mail messages, an email address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.

In contrast, in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, No. C14-1368RSL, 2016 WL 3655265, at *1 (W.D. Wash. 2016), aff’d, 719 F. App’x 701 (9th Cir. Apr. 17, 2018), the court casually used the term “spoofed” email to refer to a distinctly different type of fraudulent email—one with an address that appeared similar but not identical in all respects to the purported sender’s actual email address, having changed a character in the address.

3. 662 F. App’x 252 (5th Cir. Oct. 18, 2016), vacating 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015).

4. 681 F. App’x 627 (9th Cir. Mar. 9, 2017), aff’g 2015 WL 3824130 (C.D. Cal. Jun. 18, 2015).

5. Apache, 662 F. App’x at 255.

6. Taylor & Lieberman, 681 F. App’x at 629.

7. Id.

8. Id.

9. Civil Action No. 17-483, 2017 WL 4922014 (D.N.J. Oct. 31, 2017).

10. Id. at *2.

11. Id. at *3.

12. Daewoo was allowed to amend its complaint with respect to the ownership of funds issue, but that complaint was also dismissed on the same grounds. 2018 WL 6077983 (D.N.J. Nov. 19, 2018).

13. 719 F. App’x 701 (9th Cir. Apr. 17, 2018), aff’g 2016 WL 3655265 (W.D. Wash. 2016).

14. Id. at *702.

15. 729 F. App’x 117 (2d Cir. July 6, 2018), aff’g 268 F. Supp. 3d 471 (S.D.N.Y. July 21, 2017), reh’g en banc denied, Aug. 23, 2018.

16. 268 F. Supp. 3d at 474.

17. The Medidata court stated that New York courts generally equate the phrase direct loss with proximate cause. However, prior to Medidata, this proposition had been asserted in the context of fidelity policies only twice; and, in both instances, the courts equated proximate with immediacy. The first instance was in Aetna Casualty & Surety Co. v. Kidder, Peabody & Co. Inc., 246 A.D.2d 202 (1st Dep’t 1998), leave denied, 93 N.Y.2d 805, 689 N.Y.S.2d 429 (1999), which cited two decisions involving real property policies for the proposition. Nevertheless, the court held that insured Kidder’s settlement of lawsuits arising from its employee’s insider trading was not a “direct loss” under the employee fidelity coverage because of the series of intervening acts that had occurred over a period of years. Id. at 210–11. The second instance was 15 years later in New Hampshire Insurance Co. v. MF Global, Inc., 108 A.D.3d 463, 970 N.Y.S.2d 16 (1st Dep’t 2013), which involved a claim for insured MF Global’s contractually required payment to its clearing broker arising from alleged unauthorized trading by one of its brokers. The court held that the payment was both a direct and proximate result of the trading activity because, unlike in Kidder, it was made within hours of the loss and MF Global was “automatically and directly responsible” to pay it. Id. at 467.

18. 729 F. App’x at 119.

19. See Federal’s Petition for Panel Rehearing and Rehearing en Banc at 12, Case No. 17-2492, Doc. 156.

20. Id.

21. Id.

22. 25 N.Y.3d 675, 37 N.E.3d 78 (2015).

23. Id. at 679, 37 N.E.3d at 79.

24. Id. at 681, 37 N.E.3d at 81.

25. Id.

26. See id. at 675, 37 N.E.3d at 78; Fed. R. App. P. 32.1.

27. 895 F.3d 455 (6th Cir. July 13, 2018), rev’g 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017), reh’g en banc denied, Aug. 28, 2018.

28. Id. at 459, 461.

29. Id. at 463.

30. 693 F.3d 665 (6th Cir. 2012).

31. 895 F.3d at 463.

32. Id.

33. Id. at 464–65.

34. Civil Action No. 1:15-CV-4130-RWS, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016).

35. Id. at *2.

36. 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), vacated by 662 F. App’x 252 (5th Cir. Oct. 18, 2016).

37. Id.

38.731 F. App’x 929 (11th Cir. May 10, 2018), aff’g 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017).

39. Contrary to the lower court’s ruling, the court of appeals held that the cardholders’ use of telephones constituted the use of a computer because the cardholders used the phones to interface directly with InComm’s computer system to commit their fraudulent redemptions.

40. 731 F. App’x at 934.