As many readers are aware, there have been a number of recent case decisions addressing insurance coverage issues arising out of social engineering fraud, sometimes known as payment instruction fraud. The recent round of judicial decisions includes a ruling by a Canadian court. In the following guest post, Jamieson Halfnight and Anne Juntunen of the Lerners law firm in Toronto review the recent Canadian decision and discuss it in the context of several recent rulings in the U.S. I would like to thank Jamie and Anne for their willingness to allow me to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Jamieson and Anne’s guest post is set out below.
2017 has seen something of a wave of decisions addressing coverage for social engineering frauds under crime policies. In July, a court in Alberta issued Canada’s first such decision in which the court – like most of its U.S. counterparts to opine on the matter so far this year – found that a social engineering fraud was not covered by a crime policy.
In The Brick Warehouse LP v. Chubb Insurance Co. of Canada, 2017 ABQB 413, the Court of Queen’s Bench of Alberta – a provincial trial-level court – held that a social engineering fraud did not meet the requirements for coverage under the Funds Transfer Fraud insuring agreement of a commercial crime policy. That decision is now final, as the time for appealing the decision has passed with no appeal being filed.
The Brick is a Canadian furniture retailer that fell victim to a vendor impersonation scam. A fraudster, posing as a representative of one of The Brick’s trusted vendors, obtained enough information from The Brick’s accounts payable department to understand the department’s internal procedures for changing a vendor’s account information. Through a series of emails and phone calls, the fraudster then used that knowledge to submit a request to The Brick to update its records to reflect that the vendor had a “new” bank account. The Brick’s accounts payable department complied, unaware that the request was illegitimate.
After The Brick changed the information in its internal accounting records, it instructed its bank to make a series of electronic transfer payments to the account it had on file for the vendor – i.e., the “new” account. The purpose of the payments was to pay the vendor’s legitimate receivables. By the time the fraud was discovered, the bank had already made several payments to the “new” bank account. The Brick attempted to recall the previous transactions, with only partial success.
The Brick turned to its commercial crime policy, which was issued by Chubb. It made a claim under the Funds Transfer Fraud insuring agreement of that policy, which covered “direct loss sustained by an Insured, resulting from . . . Funds Transfer Fraud by a Third Party”. The policy defined “Funds Transfer Fraud” as:
… the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without an Insured’s knowledge or consent.
Coverage was denied and The Brick sued in Alberta. The matter proceeded to a judgment through a procedure similar to a U.S.-style motion for summary judgment. The material facts were not disputed.
In its reasons, the court concluded that coverage was not available under the Funds Transfer Fraud insuring agreement. Part of the court’s reasoning focused on the role of the “Third Party” in the fraud. At issue was whether the third party must play the specific role of issuing the transfer instructions to the insured’s bank or whether, as the insured argued, it is sufficient for coverage purposes if the third party simply masterminds the scheme as a whole.
The court sided with the insurer, holding that the wording of the insuring agreement required the fraudulent instructions to be sent to the insured’s bank by a third party. Referencing the similarity of the facts to those in Taylor & Lieberman, which had been decided by the Ninth Circuit shortly before oral arguments were held in The Brick, the Alberta court held that the Funds Transfer Fraud insuring agreement required The Brick to “show that its bank transferred funds out of [T]he Brick’s account under instructions from a third party impersonating [T]he Brick.” Under the facts of this case, it was an employee – not a third party – who issued the instructions.
The court also addressed the requirement that the instructions in question be issued “without an Insured’s knowledge or consent”. At issue was the meaning of “knowledge or consent” where, as in this case, the employee who initiated the transfer was aware that the transfer was taking place, but was not aware of all the facts surrounding the transfer (such as the true identity of the holder of the recipient bank account). The court applied a plain meaning interpretation to “knowledge or consent”, holding that, because “consent” was not otherwise defined in the policy, it should be defined simply as: “permission for something to happen”. Here, the court explained, The Brick’s employee permitted the bank to transfer funds out of The Brick’s account and this was sufficient to show the transfer took place “with either [T]he Brick’s knowledge or consent”.
The court did not see the need to deal explicitly with several other arguments raised in the parties’ submissions, such as the direct-loss requirement or the applicability of the Computer Fraud insuring agreement (which was not seriously pursued by the insured).
The Alberta court’s decision in The Brick has arrived amidst a spate of U.S. decisions addressing the applicability of crime coverage to typical social engineering fact scenarios. In particular:
- In March 2017, in Taylor & Lieberman v. Federal Insurance Co., 681 F. App’x 627 (9th Cir. 2017), the Ninth Circuit Court of Appeals upheld a decision of the U.S. District Court for the Central District of California, holding that neither the Computer Fraud nor the Funds Transfer Fraud insuring agreements of a crime policy applied to provide coverage for a social engineering fraud. The insured had followed instructions received from someone it believed to be its client – though actually sent by a fraudster – and instructed its client’s bank to wire funds to a fraudster’s account. When the insured made a claim under its crime policy, the Ninth Circuit determined that there was no unauthorized entry of data into the recipient’s computer system and therefore, no coverage under the Computer Fraud insuring agreement. Further, the insured requested and knew about the wire transfers, so there was no coverage under the Funds Transfer Fraud insuring agreement.
- In InComm Holdings, Inc. v. Great American Insurance Co., No. 15-cv-2671-WSD, 2017 WL 1021749 (N.D.Ga. Mar. 16, 2017), the U.S. District Court for the Northern District of Georgia held that no coverage was available under a Computer Fraud insuring agreement for losses suffered after a vulnerability in the insured’s processing system allowed consumers to load duplicate amounts onto their debit cards via phone calls in which they redeemed chits they had purchased. The court held that the insured’s loss resulted from the use of telephones, not computers as required by the policy. In addition, the loss did not result “directly” from the fraudulent chit redemptions.
- More recently, the U.S. District Court for the Eastern District of Michigan held that there was no coverage for a social engineering fraud under a Computer Fraud insuring agreement. That case, American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 16-cv-12108, 2017 WL 3263356 (E.D.Mich. Aug. 1, 2017), involved a vendor impersonation scam similar to the one in The Brick. The court explained that emails received by an insured from a fraudster impersonating its vendor were not tantamount to a third party using a computer to fraudulently cause a transfer and, therefore, that no coverage was available under the Computer Fraud insuring agreement. That decision was discussed on this blog here.
- There was also the decision of the U.S. District Court for the Southern District of New York in Medidata Solutions, Inc. v. Federal Insurance Co., 15-cv-00907-ALC, 2017 WL 3268529 (S.D.N.Y. Jul. 21, 2017), in which the court found that both the Computer Fraud and the Funds Transfer Fraud coverages did apply to a social engineering fraud scenario. That decision was discussed at length on this blog here.
A review of these recent decisions shows that, notwithstanding Medidata, courts are generally finding that social engineering frauds do not present the factual circumstances necessary to meet the requirements for coverage under most Funds Transfer Fraud and Computer Fraud insuring agreements. The Alberta court’s decision in The Brick is consistent with these U.S. decisions. The following reasons have been given:
- Funds Transfer Fraud coverages commonly require instructions to an insured’s bank “without [the insured’s] knowledge or consent.” As found in Taylor & Lieberman and The Brick, where an insured’s own employee directed the transfer, albeit under a mistaken impression as to the surrounding facts, the insured had knowledge or consent.
- A fraudster’s sending of an email does not, without more, amount to using a computer to fraudulently cause a transfer, as required under Computer Fraud wordings (as found in Taylor & Lieberman and American Tooling).
- As found in InComm and American Tooling, emails sent by a fraudster as part of a social engineering fraud do not necessarily cause a direct loss where intervening events – such as the insured’s own internal payment procedures and its failure to confirm the correct account information – were the more immediate causes of the loss.
There are nearly 5 months left in 2017, which leaves plenty of time for courts to publish further decisions on the insurance coverage issues presented by social engineering frauds.