Social engineering fraud, or as it is sometimes called, business instruction fraud, has unfortunately become all too common. In many instances, the defrauded companies’ losses are huge. In a recent insurance coverage dispute, the social engineering fraud loss involved was not as large as some of the others have been. Unfortunately, and notwithstanding the relatively small size of the loss, the court concluded that coverage for the company’s loss was precluded by the “voluntary parting” exclusion in its crime policy. As discussed below, there are still some lessons to be drawn from this case. Eastern District of Virginia Judge John A. Gibney, Jr.’s February 20, 2020 opinion in the case can be found here.
On October 5, 2018, JoAnne Davis, an employee of Midlothian Enterprises, received an email that purported to be from Midlothian’s president, E. Bryce Powell, directing her to wire money to a specified bank account, to purchase a subscription and membership interest in another business. After Davis wired $42,302 to a bank account in Alabama, Midlothian discovered that hackers, not Powell, had sent the email to Davis.
Midlothian submitted a claim for its loss under its crime policy. The crime insurer denied coverage for the claim in reliance on the policy’s “voluntary parting” exclusion. Midlothian filed a lawsuit against the insurer seeking a declaratory judgment that the policy covered the loss and also asserting a claim for bad faith. The parties filed cross-motions for summary judgment.
The Relevant Policy Provisions
The policy’s “money and securities” endorsement expressly amends the policy’s “Property Not Covered” provision to specify that “‘money’ and ‘securities’ are covered as provided by this endorsement” and the Additional Coverage section of the Policy’s coverage provision expressly provides that “We will pay for loss of ‘money’ or ‘securities’ inside the ‘premises’ resulting directly from (a) ‘Theft’ or (b) Disappearance or destruction.”
The “voluntary parting” exclusion provides that “We will not pay for loss caused by any one of the following: …. Loss resulting from your, or anyone acting on your express or implied authority, being induced by any dishonest act to voluntarily part with title to or possession of any property.”
The February 20, 2020 Opinion
In his February 20, 2020 opinion, Judge Gibney, applying Virginia law, granted the insurer’s summary judgment motion and denied Midlothian’s motion for summary judgment.
In granting the insurer’s motion, Judge Gibney held that “the plain language of this exclusion unambiguously includes Midlothian’s loss.” The exclusion, he said, “applies to any voluntary parting ‘induced by any dishonest act’ – a broad category that certainly includes fraud.”
In response to Midlothian’s arguments that the exclusion is ambiguous, Judge Gibney said Midlothian asks the court to “strain to find ambiguities” in the exclusion “without suggesting any reasonable alternative interpretation.” The exclusion, he said, “excludes the loss based on its plain language.”
Judge Gibney also rejected Midlothian’s argument that in transferring the funds Davis did not act with Powell’s express or implied authority because, not having sent the email, Powell did not authorize the transaction. This argument, Judge Gibney said, “fails because it leads to absurd results.” Allowing coverage for a fraudulently authorized transaction despite an exclusion based on “any dishonest act” would “unreasonably limit the exclusion and render the provision meaningless.”
The fact that another individual pretended to authorize the transaction “does not negate the voluntariness of the transfer or the authority that Davis had to make these types of transfers.” The exclusion, Judge Gibney said, “is not ambiguous” and “the Court will enforce its interpretations as a matter of law.”
Finally, Judge Gibney rejected Midlothian’s argument that the policy’s forgery or alteration endorsement applied to provide coverage to the loss. The endorsement extends coverage to the forgery or alteration of a “covered instrument,” which is defined as “checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain of ‘money.’” Judge Gibney said, “simply put, an email from a business owner telling an employee to wire money to a bank account does not have the same form or legal effect as a check, draft, or promissory note.” Thus it does not constitute a “covered instrument” under the express terms of the endorsement.
Perhaps as a direct result of the ubiquity of email communications as a fundamental part of business processes these days, social engineering losses have become all too frequent. All too often, businesses like Midlothian have been struggling to find insurance coverage for their losses.
As readers of this blog well know, there have been a number of judicial decisions interpreting crime policies in disputes over social engineering losses. If you were to survey the various cases out there on this issue, you would find a variety of outcomes. In some cases, the courts have found coverage for these kinds of losses under crime policies, and in other cases the courts have concluded that a loss of this kind is not covered under the policy. (For a detailed discussion of a December 2019 decision in which the Eleventh Circuit, applying Georgia law, found coverage for a social engineering loss, refer here.)
The variation in these decisions is very much a reflection of two factors: the differences in the circumstances of what actually happened in connection with the payment instruction fraud; and the differences in policy wording at issue. Because of these important variables, I think it is very important to guard against over-generalizing about the significance of the outcome of any one case. Whether or not there is going to be coverage in the next case is going to depend on what happened and on what the policy at issue says.
It is absolutely no consolation to Midlothian here that courts in other cases applying different policy language have found coverage for other companies’ social engineering fraud losses. Midlothian can of course try to appeal Judge Gibney’s opinion, but I have to say that the company’s chances on appeal do not look good.
For companies worried about the possibility of these kinds of losses, it is important to note that many carriers are now offering an optional coverage extension expressly providing coverage for social engineering fraud losses. It is usually viewed as a shortcoming of these kinds of coverage extensions that they are usually offered only on a sublimited basis, with the sublimits usually no more than $250,000. As the long track record for these kinds of cases shows, the losses involved in these circumstances often are far in excess of what would be covered under the typical sublimit.
However, in this case, Midlothian’s losses were not nearly so massive, and would have been well within the sublimit of the typical social engineering fraud coverage endorsement. (Please note that in making this observation, I do not intend to make any comment on the way that Midlothian’s crime policy was structured or placed; I do not know the circumstances of Midlothian’s coverage placement and I am in no position to judge.)
The fact that Midlothian’s losses here would have been well within the sublimit of the typical social engineering fraud extension is a practical and concrete reminder that these endorsements, even though subject to a sublimit, do provide real coverage, and in at least some instances (like, for example, the circumstances here) might be sufficient to cover a policyholder’s entire loss.
In other words, just because the social engineering fraud endorsements are subject to sublimits does not mean that they are not valuable.
One issue that often does come up in these social engineering fraud cases, but that apparently did not come up here, is the issue whether the losses caused by a phony email like this result “directly” from the fraud. In that regard, it is worth noting that the Inside-the-Premises provision in Midlothian’s policy, extending coverage to the loss of money or securities “resulting directly from” theft, disappearance, or destruction, does indeed expressly require the loss to result “directly” from the specified actions.
At least based on Judge Gibney’s opinion, it does not appear that the insurer raised this argument (to be sure, it might have been raised elsewhere but just not addressed by Judge Gibney). However, as discussed, for example, in the recent Eleventh Circuit opinion to which I linked above, the “direct” loss issue is in many of these kinds of disputes one of the hotly contested concerns.
In any event, given the limitation of coverage frequently applicable to these kinds of losses, it unquestionably is in the interests of all companies to focus their risk management strategy on a loss prevention approach. Well-designed company systems can be implemented to try to reduce these kinds of incidents and avoid the losses in the first place. Education and training obviously are an indispensable part of any loss prevention approach. In addition, the adoption of control processes to try to prevent the unauthorized transfer of funds can also help to avoid these kinds of losses. For example, mandatory requirement of second channel confirmation of payment requests is one such approach; another is dual authorization requirements for any payments above a certain threshold.
In the absence of complete risk transfer solutions for social engineering fraud, well-advised companies will want to try to implement a full range of risk avoidance strategies, starting with the inculcation among all employees of the danger that these kinds of frauds present. While the possibility of losses from social engineering fraud represents a growing threat, there are proactive steps companies can take to try to protect themselves from these kinds of losses.