In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) opinion can be found here.
ATC is a tool-and-die manufacturer in Michigan. The company outsourced some manufacturing to a Chinese company. ATC paid the Chinese vendor by wire transfer to the vendor’s bank account. In early 2015, an imposter purporting to be the Chinese vendor sent ATC an email requesting payment on outstanding invoices and directed ATC to have the funds sent to a different bank account. ATC transferred the funds to the new account. ATC transferred additional funds in response to subsequent emails from the imposter. By the time ATC discovered the fraud, it had transferred a total of about $830,000 to the imposter’s bank account. ATC sought coverage for the lost funds from its commercial crime insurer. The carrier denied coverage, and ATC filed suit. The parties filed cross-motions for summary judgment. The district court granted the insurer’s motion for summary judgment. ATC filed an appeal.
The policy’s computer crime coverage section states that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The term “Computer Fraud” is defined as “The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from inside the Premises or Financial Institution Premises: 1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or 2. to a place outside the Premises or Financial Institution Premises.”
The July 13 Opinion
In a July 13, 2018 opinion written by Judge Karen Nelson Moore, a three-judge panel of the Sixth Circuit unanimously reversed the district court’s ruling, rejecting each of the arguments on which the insurer relied to support its denial of coverage.
First, the appellate court rejected both the insurer’s argument that ATC had not suffered a “direct loss” as the Computer Fraud section required in order for coverage to be triggered, and that ATC had not suffered a “direct loss” that was “directly caused” by the computer fraud. The District Court had agreed with this argument, relying on the various administrative actions ATC had to undertaken as part of its internal payment processing procedures after it had received the fraudulent email and before it transferred the funds. The appellate court disagreed, saying that ATC suffered a “direct loss,” whether the phrase is meant to refer to “proximate” causation or “immediate” causation. The court said, ATC “immediately lost its money when it transferred the approximately $834,000 to the impersonator; there was no intervening event.”
In reaching this conclusion, Judge Moore analogized to a situation in which an individual who owed another person money was about the hand over cash in payment of the debt, when a third-party came along and snatched the money before the money could be paid. Judge Moore said that to say that the third-party caused the payor no direct loss “defies common sense.”
In concluding that the fraudulent email “directly caused” ATC’s losses, and rejecting the argument that intervening administrative actions broke the causal connection, the court said “ATC received the email at step one. ATC employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.” This, the court said, was the “point of no return” because the loss occurred once ATC transferred the money in response to the fraudulent emails” and therefore “the computer fraud ‘directly caused’ ATC’s ‘direct loss.’”
The appellate court also rejected the insurer’s argument that the Computer Fraud section requires the use of the computer to cause the transfer; it is not sufficient, the insurer argued, it there is a computer and a transfer that is fraudulent. The appellate court said that the insurer’s attempt in effect to “limit the definition of ‘Computer Fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded.” If the insurer had wished to limit the definition of computer fraud to such criminal behavior it could have done so. The appellate court found the email scheme met the policy’s definition of “Computer Fraud.”
Finally, the appellate court also rejected the insurer’s arguments that several policy exclusions precluded coverage for ATC’s losses, finding that the insurer had failed to show that the various exclusions’ requirements in order for coverage to be precluded had not been met.
This appellate decision, especially in combination with the Second Circuit’s ruling in the Medidata case just last week, will be very helpful for policyholders seeking to establish that their commercial crime policies cover losses the policyholders have suffered as a result of payment instruction fraud (sometimes known as social engineering fraud).
As I also noted in connection the similar holding in the Medidata case, the court’s holding here that the policyholder had suffered a “direct loss” from the email scam will be particularly helpful to policyholders seeking coverage for this kind of loss. In many instances, insurers try to argue that loss from the fraudulent transfer did not result directly from the phony email, because intervening actions induced by the email were required in order for the funds transfer to take place. The Sixth Circuit’s opinion here and the opinion in the Medidata case will aid policyholders in arguing that actions in making the transfer are not intervening actions sufficient to make the transfer something other than a direct loss.
The Sixth Circuit’s holding that the email fraud scheme represented “Computer Fraud” within the meaning of the policy may be even more helpful to policyholders than the similar conclusion in the Medidata case. The Second Circuit’s ruling that the scheme that caused Medidata’s losses was “Computer Fraud” depended on the fact that in that case the fraudster had manipuled Medidata’s email system so that the phony email looked legitimate. The Sixth Circuit’s conclusion here that the email scheme that caused ATC’s losses represented “Computer Fraud” does not depend on a similar type of factual conclusion about the manipulation of electronic systems. The Sixth Circuit expressly rejected the suggestion that the policy’s Computer Fraud provisions were not triggered unless the Computer itself sent the damaging payment instruction as a result of hacking or some other manipulation. This holding will be very helpful for policyholders seeking to counter insurers’ arguments that the payment instruction fraud is not covered because the transfer was made as a result of voluntary actions by company employees rather than as a result of a hacking or other manipulation.
The Sixth Circuit’s opinion is more helpful to policyholders in one other way that the Medidata decision was not. The Medidata opinion was issued in the form of a Summary Order, which limits the precedential value of the opinion. The Sixth Circuit’s decision was issued as a published opinion of the Court, making the data more valuable precedentially, particularly within the Sixth Circuit.
While these two decisions are very helpful to policyholders, we have not reached the point that policyholders can just assume that the Computer Fraud provision of the commercial crime policy will cover losses caused by payment instruction fraud. There are contrary decisions from a number of other courts. In addition, in both the Medidata decision and the ATC decision the courts emphasized the particular wordings of the policies at issue. This leaves open the possibility that a court interpreting a policy with differing language might reach a different conclusion. As a result of the current contested state of affairs with respect to the coverage available under the Computer Fraud section of the commercial crime policy, well-advised insurance buyers will still want to consider purchasing the express social engineering fraud extension that many commercial crime insurers now offer.