Note: We blogged about a very similar 2nd Circuit case earlier this year in CyberheistNews, the first paragraph below refers to that case.
"On the heels of a widely reported decision by the U.S. Court of Appeals for the Second Circuit holding that an insured was covered by a computer fraud policy for social engineering-related loss, the U.S. Court of Appeals for the Sixth Circuit recently issued a decision extending computer fraud coverage to losses incurred by a company as a result of a fraudulent email scam that wired over $800,000 to the fraudster's account.
"On July 13, 2018, the Sixth Circuit reversed a district court decision in favor of Michigan-based tool and die manufacturer, American Tooling Center, Inc. (ATC), concluding that its computer fraud insurer Travelers Casualty and Surety Company of America (Travelers) must cover an $834,000 loss suffered after ATC employees were tricked by an email spoofing scam that caused them to fraudulently wire company money to an imposter's bank account.3
The Fraudulent Transfers and ATC's Insurance Claim
The lawsuit, which we discussed in our December 2017 Privacy & Cybersecurity Update,4 arose in 2015, when a fraudster impersonating ATC's Chinese manufacturing vendor, Shanghai YiFeng Automotive Die Manufacturers Co. Inc. (YiFeng), emailed ATC from an address closely resembling YiFeng's and requested payment of over $800,000 in legitimate outstanding invoices to a new bank account that, unbeknownst to ATC, was controlled by the fraudster. After confirming that YiFeng was entitled to payment — but without verifying the new banking information — ATC wired payment to the fraudster-controlled bank account. By the time ATC detected the fraud, the money could not be retrieved.
ATC filed a claim under its Travelers crime policy, which provided computer fraud coverage for any "direct loss" that was "directly caused" by "Computer Fraud," which was defined in part as "[t]he use of any computer to fraudulently cause a transfer." Travelers denied the claim on the basis that ATC's loss was not a direct loss that was directly caused by the use of a computer, and litigation ensued.
The District Court Denies Coverage
The U.S. District Court for the Eastern District of Michigan agreed with Travelers' interpretation of the policy's computer fraud coverage and granted summary judgment in Travelers' favor, holding that ATC's loss was not covered under the policy. The court reasoned that "[g]iven the intervening events between the receipt of the fraudulent emails and the (authorized) transfer of funds" — ATC's verification that YiFeng was entitled to payment and initiation of the transfers without verifying bank account information — "it cannot be said that ATC suffered a 'direct' loss 'directly caused' by the use of any computer." The court relied on Sixth Circuit precedent stating that "direct" is defined as "immediate" without any intervening events, as well as other district court decisions declining to extend computer fraud coverage to scenarios where an email is merely incidental to a fraudulent transfer.
The Sixth Circuit Reverses
A three-judge panel of the U.S. Court of Appeals for the Sixth Circuit reversed the district court's decision, holding that ATC, not Travelers, was entitled to summary judgment. The panel rejected Travelers' argument that the loss was not a "direct loss" as required under the policy and declined to follow the district court's more narrow interpretation that "defie[d] common sense." The mere fact that ATC legitimately owed $834,000 to YiFeng at the time it made the fraudulent transfer, and that ATC did not realize the fraud (or its loss) until later, did not bar ATC from "direct loss" coverage. The court concluded that there was no intervening event sufficient to break the required "direct" connection and that a direct loss occurred at the time ATC wired money to the fraudster, regardless of the fact that ATC did not find out about the fraud until later.
Similarly, the court rejected Travelers' attempt to limit the meaning of "computer fraud" to "hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured's computer." The policy did not require the fraud to cause the computer's actions and the Sixth Circuit panel refused to limit the definition in this way. Instead, the court held that the money transfer — prompted by the fraudster's email spoofing — was covered by the meaning of "computer fraud" and that the fraud caused the direct loss, as required under the policy, since the ATC employees' actions were all "induced by the fraudulent email." The court declined to apply any coverage exclusions and ultimately reversed the district court's decision, holding that Travelers was required to cover the loss.
On July 27, 2018, Travelers filed a petition for rehearing or rehearing en banc.
The Sixth Circuit's decision is one of the latest decisions in what appears to be a growing trend in favor of broadly interpreting computer fraud coverage to extend to social engineering scams, even in the absence of a hacking incident or where the loss did not occur immediately after being tricked by the fraudster. Just last month, the Second Circuit similarly found that computer fraud coverage extended to a fraudulent transfer induced by email spoofing.5
Policyholders and insurers alike should keep an eye on the growing body of case law addressing coverage for social engineering loss, and insurance policies should be carefully drafted and reviewed to make sure that they properly reflect the parties' intent.
Cross-posted with grateful acknowledgment from MONDAQ, article by Skadden, Arps, Slate, Meagher & Flom (UK) LLP