Two Federal Appellate Courts Rule That Policyholders Are Entitled to Insurance Coverage for Losses Arising from Social Engineering Schemes

9 August 2018

INTRODUCTION

In recent years, courts across the country have considered policyholder’s claims for insurance coverage for so-called social engineering losses, e.g., losses that result from a criminal tricking a policyholder into wiring funds to a criminal’s bank account, reaching mixed results. [1] In early July 2018, two federal appellate courts ruled that policyholders were entitled to insurance coverage for such losses.

  • First, in Medidata Solutions, Inc. v. Federal Insurance Co., [2] the Second Circuit held that a policyholder was entitled to coverage after an employee wired funds to a criminal’s account after receiving a spoofing email from the criminal (that appeared to be from a company executive) requesting the payment.
  • Then, in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, [3] the Sixth Circuit reversed a district court order in favor of the insurer, holding that the policyholder was entitled to coverage after an employee wired funds to a criminal’s account after receiving an email from the criminal (that appeared to be from a known vendor) that provided new banking details for anticipated payments to the vendor.

In both cases, the court rejected a standard insurer defense, namely that there is not a “direct” loss (and, hence, no coverage) if a criminal tricks an employee into wiring funds to the criminal (as opposed to the criminal hacking a system and directly stealing funds). The Medidata court rejected the insurer’s position based on analysis of New York law related to “proximate cause,” reasoning that the spoofing email from the criminal remained the proximate cause of the loss notwithstanding the fact that a deceived employee initiated the wire transfer. The American Tooling court reasoned that if the insurer had wished to limit coverage to situations in which a hacker gains controls over the policyholder’s computer system to steal money from the policyholder, it should have done so expressly.

Case law continues to develop rapidly in this area, but the two recent federal appellate opinions should provide policyholders with strong support for coverage for such claims.

SUMMARY OF CASES

A. Medidata

In Medidata, an employee of the policyholder wired $4.7 million to a criminal’s account after receiving a spoofing email requesting the payment that appeared to be from a company executive (the email was in fact sent by the criminal). The policyholder then sought coverage under various coverage grants in a policy issued by Federal Insurance Company, including a computer fraud provision, which covered “direct losses” that arose from any “entry of Data into” or “change to Data elements or program logic of” a computer system. [4] The Second Circuit held that the policyholder was entitled to coverage.

The Medidata opinion is significant for two reasons. First, the Second Circuit expressly rejected Federal Insurance Company’s position that the policy applied only to “hacking-type intrusions” and that there was not a “direct loss” because it was the policyholder’s employees who initiated the wire transfer. [5] In so holding, the court reasoned that “Medidata is correct that New York courts generally equate the phrase ‘direct loss’ to proximate cause.” [6] The court then held that the criminal’s spoofing attack was the proximate cause of Medidata’s loss, reasoning that:

[t]he chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. [7]

Notably, the Second Circuit held that “New York [proximate causation] law does not have so strict a rule about intervening actors as Federal Insurance argues.” [8]

Second, in contrast to other opinions that focus primarily on legal issues (e.g., does employee involvement defeat causation?), the Medidata court also considered the technical details of the criminal’s scheme at issue. In earlier proceedings, the district court denied the parties’ initial motions for summary judgment and ordered the parties to conduct expert discovery related to the technical aspects of the criminal’s scheme. Ultimately, based on the expert discovery, the Second Circuit found that the criminal “crafted a computer-based attack that manipulated Medidata’s email system,” in particular, the criminal introduced code into the policyholder’s computer system that “enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization.” [9] Specifically, the criminal introduced code that tricked the policyholder’s computer system into adding the high-ranking member’s email address and photograph to the criminal’s emails.

The relevance of the technical details of the criminal’s scheme in any given claim may turn on the facts, policy language, and state law at issue. For example, the Medidata court’s discussion of this technical evidence is tied to the specific policy language at issue; in particular, the court held that the criminal’s conduct was both a “fraudulent entry of Data into” or “change to Data elements or program logic of” a computer system. [10] In contrast to Medidata’s policy, some policies require only some “use” of a computer to fraudulently transfer money. In that context, some courts have held that a criminal’s email requesting payment triggers coverage and have not considered other technical evidence (see discussion of American Tooling below).

But a few courts have held that the mere sending of an email by criminal is not the type of “usage” that could trigger coverage, reasoning that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.” [11] Other courts have criticized such holdings as “unpersuasive,” [12] but if a court rules in this manner, Medidata provides a blueprint for policyholders to overcome this defense via the presentation of evidence on the technical details of the criminal’s scheme. It is important to note that many schemes do not originate with an email from a criminal requesting payment to the criminal’s account. Rather, criminals often spend considerable time studying their targets, their ongoing projects, their process for paying vendors, the timing of anticipated payments, etc. [13] In many cases, based on this background research, the criminal will send an email to the person in charge of making a payment to a known vendor shortly before the time an anticipated payment is due or when they know a company executive is out of the office and/or unavailable to confirm a payment request in person. In conducting this investigation, the criminal may use various techniques, at times hacking the policyholder’s system, intercepting the policyholder’s communications, or introducing malware that enables them to monitor the policyholder’s activities for the purpose of identifying opportune times to send the ultimate email requesting payment. While the relevance of technical details may vary by case, policyholders should be aware of this issue and should consider the need or benefit of developing this evidence when they suffer a social engineering loss.

B. American Tooling

In American Tooling, the policyholder received a series of emails from a criminal, purportedly from a known vendor, stating that the vendor had changed its bank account and requesting that the policyholder make scheduled payments to the new account (actually the criminal’s account). The policyholder transferred $834,000 to the criminal before detecting the fraud. The policyholder and the vendor then negotiated an arrangement whereby the policyholder would pay 50% of the debt to the vendor and agreed that the remaining 50% would be contingent on American Tooling Center’s insurance claim.

The policyholder sought coverage under a computer fraud provision in its computer crime policy issued by Travelers, which afforded coverage for the insured’s “direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.” [14] The policy defined computer fraud as “the use of any computer to fraudulent cause a transfer of Money ... from inside the Premises … to a person … outside the Premises.” [15]

Travelers argued that the policyholder did not suffer a “direct loss”; that this was not a case of “Computer Fraud”; and that the loss was not “directly caused by Computer Fraud.” Reversing the district court, the Sixth Circuit rejected all of Travelers’ arguments.

First, the court rejected Travelers’ argument that the “loss” did not “directly” occur when the policyholder wired funds to the criminal, but rather later when the policyholder agreed to pay the vendor at least 50% of the money owed. The court stated that Travelers’ position was “weak,” offering the following analogy:

Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex’s fingers. Travelers’ theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense. [16]

In so holding, the court considered Michigan law related to the meaning of the term “direct,” including (1) a Michigan appellate court ruling that the term “direct loss” in an insurance policy means a loss resulting from an immediate or proximate cause, as distinct from remote or incidental causes, and (2) a Sixth Circuit opinion related to employee-fidelity bonds holding that, given the special context of such bonds, “direct” means “immediate” (but not proximate). The Sixth Circuit held that it need not consider whether to extend its prior ruling related to employee-fidelity bonds (e.g., direct means immediate) to the crime policy at issue, reasoning that the policyholder’s loss was both proximate and immediate, notwithstanding the fact that an employee initiated the wire transfers at issue.

The court also rejected the insurers’ argument that coverage was restricted to situations in which a computer fraudulently causes the transfer, as opposed to situations where a criminal “simply use[s] a computer and [has] a transfer that is fraudulent.” [17] The court reasoned that:

Travelers’ attempt to limit the definition of “Computer Fraud” to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded. If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so. [18]

The court also held that the loss was “directly caused” by the computer fraud, notwithstanding the fact that employees initiated the wire transfer. The court reasoned that “ATC received the fraudulent email at step one. ATC employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two…. Thus, the computer fraud ‘directly caused’ ATC’s ‘direct loss.’” [19]

In contrast to Medidata’s consideration of the technical details of the criminal’s scheme, the American Tooling court noted that the scheme started when an “unidentified third party, through means unknown, intercepted” an email between the policyholder and the vendor discussing payment procedures. [20] The criminal then sent a series of email with the fraudulent payment instructions. Notably, in contrast to Medidata’s policy (e.g., fraudulent entry of data and/or change to a data element), American Tooling’s policy defines computer fraud in part as “use of any computer” to cause a fraudulent transaction. In any event, American Tooling does not consider who “intercepted” the policyholder’s emails to the vendor in the first instance or how this was done.

American Tooling expressly distinguishes two other opinions frequently cited by insurers related to social engineering losses. As above, the American Tooling court described the scheme at issue in that case as a two-step process: (1) the criminal’s email requesting payment, and (2) the actions of the employees to initiate the payment (the “point of no return” with respect to control of the money). As noted, the court held that the criminal’s acts directly caused the loss.

In contrast, American Tooling distinguished the recent, pro-insurer ruling by the Eleventh Circuit in Interactive Communications International, Inc. v. Great American Insurance Co. (“InComm”) [21] based on the facts. The American Tooling court described the InComm scheme as a four-step process; suggested that InComm’s ruling in favor of the insurer was based on the “lack of [temporal] immediacy” between the criminal’s conduct at step one and the “point of no return” at step four; and stated that the InComm court itself “suggested that if the ‘point of no return’ was at step two — when the insured transferred the money — this would have been a direct result of the computer fraud at step one.” [22]

Further, the American Tooling court rejected the insurer’s reliance on the Ninth Circuit’s opinion in Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America. [23] In that case, the policyholder hired a vendor who was responsible for paying taxes to the Internal Revenue Service (“IRS”) on behalf of the policyholder. The vendor would send valid invoices to the policyholder for approval. Once approved, the vendor had authority to withdraw funds from the policyholder’s account to pay the IRS. The vendor, however, withdrew money from the policyholder’s account but then used the money for its own purposes, leaving the policyholder’s debt to the IRS unpaid. American Tooling distinguished Pestmaster on the grounds that “[t]he fraud occurred when [the vendor] failed to pay the taxes and kept the money instead…. [I]n Pestmaster, everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer.” [24]

In other words, American Tooling suggests that two cases frequently cited by insurers — InComm and Pestmaster — are limited to their unique facts or, at a minimum, should not apply to a two-step scheme like the scheme at issue in American Tooling.

CONCLUSION

While case law is continuing to develop rapidly is this area, the two federal circuit court opinions should strongly support the efforts of policyholders to secure coverage for social engineering losses. Notably, both Medidata and American Tooling expressly reject the typical argument of insurers that there is no “direct” loss when a criminal tricks an employee into initiating a wire transfer. The courts took different approaches on the relevance of the technical details of the scheme at issue, arguably due to differences between the policies at issue. Policyholders should be aware of this distinction and, if and when they suffer a social engineering loss, should consider whether to investigate and document the technical details of the criminal’s scheme. Policyholders also should be aware that some insurers are now offering specific endorsements that address this risk with more specificity. [25]


[1] See discussion of case law in Gregory S. Wright, Insurance Coverage for Business Email Compromise Losses, COVERAGE, VOL. 27, ISSUE 4, Nov. 20, 2017.

[2] No. 17-2492-cv (2d Cir. July 6, 2018) (Summary Order). On July 26, 2018, Federal Insurance Company filed a petition for a panel rehearing.

[3] No. 17-2014 (6th Cir. July 13, 2018) (Opinion). On July 27, 2018, Travelers Casualty and Surety Company of America filed a petition for rehearing en banc.

[4] Medidata, Summary Order, at 3. The Second Circuit held that, given that the policyholder was entitled to coverage under the computer fraud provision at issue, “we decline to consider whether additional provisions in the policy might also provide coverage.” Id. at 3. In a prior opinion, the district court held that the policyholder was entitled to coverage under other coverage parts, including the policy’s fund transfer clause. Medidata Solutions, Inc. v. Fed. Ins. Co., No. 15-cv-907, 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017).

[5] Medidata, Summary Order, at 2.

[6] Id. at 3.

[7] Id.

[8] Id.

[9] Id. at 2.

[10] Id.

[11] Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252, 258 (5th Cir. 2016) (per curium).

[12] Medidata Solutions, 2017 U.S. Dist. LEXIS 122210, at *18.

[13] See discussion of the technical aspects on social engineering schemes in Gregory S. Wright, Insurance Coverage for Business Email Compromise Losses, COVERAGE, VOL. 27, ISSUE 4, Nov. 20, 2017.

[14] American Tooling, Opinion at 2.

[15] Id. at 7.

[16] Id. at 7.

[17] Id. at 8.

[18] Id.

[19] Id. at 10.

[20] Id. at 3.

[21] No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018).

[22] Id. at 9–10.

[23] No. cv 13-5039-JFW, 2014 WL 3844627 (C.D. Cal. July 17, 2014), aff’d in part and rev’d in part, 656 F. App’x 332 (9th Cir. 2016).

[24] American Tooling, Opinion at 8.

[25] See Chubb, Social Engineering Fraud Endorsement, available at http://www.chubb.com/businesses/csi/chubb19110.pdf.

Please enable JavaScript, then refresh this page. JavaScript is required on this site.