Third-Party Email Scams Covered by Insurance Policies | Ervin Cohen & Jessup LLP

In Medidata Solutions, Inc. v. Federal Insurance Company, 268 F.Supp. 3d 471 (SDNY 2017), aff’d, 729 Fed. Appx. 117 (2nd Cir. 2018), the Court found that there was insurance coverage where a company was the victim of an email spoofing scheme that resulted in funds being transferred to a fraudster’s account. More recent cases have also found insurance coverage for losses arising from similar incidents. See, e.g., Ernst & Haas Mgmt. Co. v. Hiscox, Inc., 23 F.4th 1125 (9th Cir. 2022).

In Medidata, the spoofed email purported to be from the company’s president and instructed that a payment be made to a specific external account. Believing the email to be genuine, a subordinate at the company transferred the funds to the fraudster’s account.

Coverage for the company’s loss was found in Medidata because the Court determined that the fraudster’s entry into and manipulation of the company’s email system met the policy’s requirement that there be “fraudulently entering data into a computer system and altering data elements or program logic of a computer system.”

But what if the fake email comes from someone posing as an external vendor, as opposed to someone posing as an executive at the victim company? Where the email impersonates an external vendor, the argument that the company’s own email system was tampered with may be weaker, depending on the specific language of the policy. However, three recent cases have confirmed coverage where a vendor was impersonated and the company suffered a loss as a result.

In Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018), a company fell victim to a fraudster posing as one of the company’s Chinese suppliers. The company received a series of emails, purportedly from its Chinese supplier, claiming that the supplier had changed bank accounts and that the company should transfer payments to the new accounts. After transferring $834,000, the company realized the emails were fraudulent.

The company was insured by Travelers under a business insurance policy that included computer fraud coverage. The computer fraud coverage grant stipulates that Travelers will indemnify the company for any losses resulting from the “use of a computer to fraudulently induce the transfer of funds…from within [the company’s] premises … facing … outside [the company’s] premises…”

Travelers denied coverage, the company sued, and the trial court granted summary judgment to Travelers.

The Court of Appeals reversed. As it did before the trial court, Travelers argued on appeal that the computer fraud coverage requires that the computer be used to fraudulently cause the transfers. In other words, Travelers argued that coverage under the computer fraud grant should be limited to “hacking and similar conduct where a rogue party somehow gains access to and/or controls the insured’s computer.” The court rejected this interpretation of the policy and held that the company’s loss was covered by the Travelers policy.

In Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 430 F.Supp. 3d 116 (E.D. Va. 2019), the Court addressed a similar fact pattern. There, the victim company received an email from an unidentified fraudster posing as an employee of the company’s supplier. The fraudster provided fraudulent payment instructions via email, and the company then authorized its bank to issue a wire transfer of $333,724 in accordance with the fraudster’s instructions.

The coverage grant of the computer fraud policy at issue in Cincinnati Ins. was essentially similar to that in Am. Tooling, except that the Cincinnati Ins. policy required that the loss result “directly” from the use of any computer to fraudulently induce the transfer of funds. In this case, the carrier argued that the loss did not arise “directly” from the fraudulent email because the company and its employees took subsequent steps to make the underlying transfer after receiving the fraudulent email. This argument was essentially a variation of Travelers’ argument in Am. Tooling that, to be covered, the loss must arise from the fraudster actually entering and manipulating a company’s computer system.

Both carriers essentially argued that because the fraudsters in these cases did not penetrate or manipulate the companies’ computer systems, and therefore did not make the funds transfers themselves, there would be no coverage. As in many other cases in this area, the Court rejected this argument and held that the company’s reliance on the fraudulent email provided a sufficient nexus to satisfy the “directly” requirement in the policy’s coverage provision. See also Principle Sols. Group v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019); Ernst & Haas Mgmt. Co. v. Hiscox, Inc., supra.

Finally, in City of Unalaska v. Nat’l Union Fire Ins. Co., 2022 U.S. Dist. LEXIS 51387 (D. Alaska Mar. 18, 2022), the City’s Accounts Payable Assistant received an email purportedly from one of the City’s regular vendors requesting a copy of the City’s ACH/EFT form in order to change its method of receiving invoice payments from paper checks to electronic ACH transfers. The email was not from the City’s vendor but from an impostor, and, relying on it, the City made significant payments.

The City had an insurance policy with National Union that included a computer fraud insurance agreement. This policy included grants for impersonation fraud as well as computer fraud. The latter grant states that National Union will pay for the loss of money “that results directly from the use of any computer to fraudulently induce a transfer [of money] from the inside [the company’s] room facing outside [the company’s] premises…”

Following National Union’s partial denial of coverage, the City sued. The City filed a motion for summary judgment, while National Union filed a motion for judgment on the pleadings. Relying on two unpublished Fifth Circuit decisions, Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016) and Mississippi Silicon Holdings, LLC v. Axis Ins. Co., 843 Fed. App’x 581 (5th Cir. 2021), National Union argued that the City’s loss was not covered by the computer fraud grant because computer use was not the “proximate cause” of the loss. Like the insurers in Am. Tooling and Cincinnati Ins., National Union argued that coverage would only be triggered if “the fraudster’s use of a computer … directly bring[s] on the transfer of funds.”

The District Court granted the City’s motion and denied National Union’s motion. The court ruled that the email from the fraudster caused funds to be transferred from the City to the fraudster’s bank account. The court observed that “the pervasive use of a computer does not alter the fact that a reasonable layperson would consider the expression ‘use of a computer’ to cover a wide range of activities, including sending e-mails, rather than being limited to instances of computer hacking.”

Although coverage was found in all three of the above cases for losses caused by persons impersonating a company’s supplier, the determining factor in every case will be the policy language itself. In policies defining “computer fraud” in the same manner as the policies at issue in these cases, coverage would most likely be found in similar circumstances.
