On insurance coverage issues, sometimes the boat seems to be listing in the wrong direction. For example, insurers have long tilted the decks to avoid coverage for “spoofing” attacks and similar kinds of email fraud by throwing their weight behind arguments that such transactions do not involve a “direct loss” from the use of company computers to implement a fraudulent scheme, which they claim their policies require. But in the first half of July, not one, but two federal appellate decisions—Medidata Solutions Inc. v. Federal Insurance Co. and American Tooling Center, Inc. v. Travelers Casualty & Surety Co.—rocked the insurers’ boats.
The Perils of Phamiliar-Looking Phish
You work in an accounts payable department. An email from a regular supplier provides instructions for several payments. You follow standard procedures. You verify the identity of the vendor and its individual employee. You confirm that the amounts are due. You phone the vendor’s employee; a live person answers to confirm payment details. You then initiate payment procedures using your company computer system, which requires a higher executive to log on and approve the payments before wire instructions can reach the bank.
But the familiar vendor, the name on the email, and the voice on the phone were impersonations, contrived by altering the “From” line on an email and supplying a phone number that the fraudster conveniently answered. It’s called “spoofing.”
Policyholders victimized by such scams commonly submit claims for coverage under the Computer Fraud provisions of their insurance policies. And just as commonly, to their surprise, their claims are denied. Insurers argue that such Computer Fraud provisions require a “direct loss” caused by “Computer Fraud,” which policies typically define to require “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property” from the policyholder to or for the benefit of the fraudster.
Insurance companies contend that losses from spoofing are not “direct”: when a company employee receives a fraudulent email, the email alone does not cause money to transfer. Rather, the employee must decide how to respond. She must take intermediate steps like those described above to initiate the transfer of funds. The resulting loss, insurers argue, is indirect.
Insurers also argue that spoofing does not constitute computer fraud because such losses—unlike “hacking” incidents where an outsider actually commandeers and manipulates a company’s computers—do not involve the outsider’s use of company computers to execute the transfer. Rather, they involve tricking a company insider into doing so.
Medidata and American Tooling Center: New Currents?
Until now, those insurer arguments persuaded some courts. But two federal circuit court decisions, issued only seven days apart, may have shifted the balance. On July 6, 2018, in Medidata, the U.S. Court of Appeals for the Second Circuit affirmed a lower court ruling rejecting the insurer’s arguments. The policy at issue required “entry of Data into” or a “change to Data elements or program logic of” a computer system, which the insurer argued applies only to a hacking-type intrusion, not spoofing. But the court found that the sending of an email using a spoofing code to hide the sender’s identity constituted a fraudulent entry of data into the policyholder’s computer system, which made a change to a data element because the email system’s appearance was altered by the code. The court also rejected the insurer’s contention that Medidata did not suffer a “direct loss.” Recognizing that New York law equates the phrase “direct loss” to “proximate cause,” the court observed:
The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.
The court concluded that Medidata had suffered a direct loss covered by the policy.
In American Tooling Center, decided just a week later, on July 13, 2018, the U.S. Court of Appeals for the Sixth Circuit reversed a contrary district court ruling under Michigan law. The court rejected the insurer’s argument that the spoofing attack did not constitute computer fraud because it did not “cause any computer to do anything.” It further rejected the insurer’s arguments for limiting the definition of “Computer Fraud” to hacking-type events “in which a nefarious party somehow gains access to and/or controls the insured’s computer,” noting that if the insurer had wished to define computer fraud so narrowly, it could have used narrower language. (Notably, it cited as an example of such narrow language a provision similar to the language that passed muster in Medidata. So there are still rough seas ahead.)
The American Tooling Center court also rejected the insurer’s argument that the loss was not direct, concluding that the insured “received the fraudulent email at step one,” and its employees “then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.” The decision suggested that a string of causation could become attenuated enough to sever the direct relationship between the email and the money transfer, but it would take more than the activity of company employees responding to a fraudulent email to vindicate the insurer’s defense to coverage.
Charting a Course to Coverage
Spoofing. Phishing. Social engineering. Email scamming. For those of us born in the 20th Century, it’s enough to make you lose your sea legs. And that’s what the scammers and social engineers are after. The two decisions in Medidata and American Tooling Center help chart a course to coverage for these losses. But they also underscore that securing the right policy language at the outset remains important. When placing coverage for computer fraud, it’s a good idea to have an experienced coverage lawyer, like a good captain, review the policy terms. And if you do face a loss, involve coverage counsel early to set a proper course for your claim.