In an interesting March 18, 2024, decision, a California federal district court, applying California law, has held that insurance coverage may be available under the D&O liability endorsement to a community association policy for a claim arising from funds misdirected due to fraudulent payment instructions in a spoofed email. The court held that because the non-payment happened due to the association’s treasurer’s alleged negligence, the vendor’s claim for non-payment arose out of “wrongful acts” of the treasurer, and therefore the vendor’s claim triggered coverage. The court’s decision raises some interesting possibilities about the potential for D&O insurance coverage for these kinds of misdirected payment claims, and it also raises interesting possibilities about potential coverage for breach of contract claims.
A copy of the Court’s March 18, 2024, opinion can be found here. A March 27, 2024, post on the Hunton Insurance Recovery Blog about the decision can be found here.
Background
In September 2022, the treasurer of the Bridlewood Estates Property Owners Association received an email from the project manager for a paving company that had performed asphalt repairs for the association, seeking payment of $123,617 for the repairs. The treasurer also received a separate message that appeared to be from the project manager but in fact was a spoofed email sent by a hacker.
The spoofed email, which was sent from a slightly different email address than the first message, directed the treasurer to wire the payment funds to a specified account, rather than to mail a check. The treasurer wired the funds according to the wire transfer instructions in the spoofed email. The error was discovered a few days later when the vendor’s project manager contacted the treasurer wondering where the payment was. The paving company subsequently filed a lawsuit against the association alleging breach of contract and related claims.
The association was insured under a Residential Community Association Policy which included a D&O insurance coverage endorsement. The association submitted the lawsuit to the insurer. The insurer denied coverage, and the association filed a coverage lawsuit against the insurer alleging breach of contract, breach of the implied covenant of good faith and fair dealing and seeking declaratory relief.
The insurer filed a motion to dismiss, arguing there is no coverage under the policy for the vendor’s lawsuit against the association because it is not based on a wrongful act of an officer within the meaning of the policy, but rather was based on the association’s failure to pay a contractual obligation and a debt owed.
The D&O Endorsement to the association’s policy states that the insurer will provide coverage for “sums the insured becomes legally obligated to pay as damages because of a ‘wrongful act.’” A wrongful act includes any “error … act, omission, neglect, or breach of duty” committed by an insured “arising solely out of his or her capacity as an director, officer, ‘manager’ or trustee relating to the operations of your organization.” The D&O endorsement does not contain a contractual liability exclusion.
The March 18, 2024, Opinion
In a March 18, 2024, opinion, Southern District of California Judge Anthony J. Battaglia, applying California law, denied the insurer’s motion to dismiss, holding that the allegations in the underlying complaint arose out of the association’s treasurer’s alleged “wrongful act” in misdirecting the funds pursuant to the fraudulent instructions in the spoofed email.
In concluding that the association has carried its burden of showing that the underlying claim is potentially covered under the Policy, Judge Battaglia first noted the absence of a contractual liability exclusion in the D&O endorsement, and then noted that the association had presented “extrinsic facts” known to the insurer which suggest “a potential claim for coverage based on the Treasurer’s error, negligence, or breach of duty.”
For example, the insurer, Judge Battaglia said, is aware that the intended payment was “misdirected due to the hacking of the contractor’s email system” and that the deception in the spoofed email led to the Treasurer’s payment error. The underlying complaint also faults the Treasurer for not contacting the contractor to confirm the wiring instruction.
Judge Battaglia found that this extrinsic evidence suggests a potential for coverage because it supports a finding that the treasurer committed a wrongful act when he transmitted payment to the wrong bank account. Had it not been for the treasurer’s mistake, the contractor would have received payment and had no cause to sue. “Defendant’s attempt to cast the Treasurer’s payment error as irrelevant to the breach of contract claim is unavailing.”
The insurer sought to argue that it is well settled under California law that an insured’s failure to pay amounts due under contract does not qualify as a wrongful act. This case, Judge Battaglia said, is “not a case where an insured simply refused to pay”; to the contrary, the treasurer did attempt to pay the invoice but the payment was sent to the hacker’s account. Because this case “is not one where a plaintiff is merely attempting to pass on its contractual obligations to its insurer, the Court does not find it falls within the purview of California case law.”
The underlying complaint alleges that the treasurer wired the payment to the hacker’s account by “failing to verify with proper diligence the proper wiring instruction to wire payment.” These allegations, Judge Battaglia said, show that the treasurer “committed an error, omission, neglect, or breach of duty arising out of his official capacity to process payments for Bridlewood.” To the extent liability is found in the underlying action, “the basis of liability would be the Treasurer’s alleged wrongful act.” Judge Battaglia found that but for the treasurer’s wrongful act, the payment would not have been misdirected into a hacker’s account. Accordingly, Judge Battaglia concluded that the association has shown that the “claimed loss falls within the basic scope of coverage.”
Discussion
This decision is interesting to me for two reasons. The first is that the decision shows the potential for coverage under a D&O policy (or at least under a D&O policy without a contractual liability exclusion) for an underlying breach of contract claim if the alleged breach arose out of underlying wrongful acts. The second is that the decision shows the potential for coverage under a D&O insurance policy for the loss of funds due to a misdirected payment based on fraudulent instructions in a spoofed email.
The latter point, about the possible coverage for a claim arising from the misdirected payment, may be the one that is of greatest interest and concern to readers of this blog. It is obviously a recurring problem in the current era that firms and organizations of all types, functions, and sizes are vulnerable to loss of funds due to fraudulent payment instructions from a hacker. The potential for coverage for this kind of loss under a D&O insurance policy raises interesting possibilities, at least in certain circumstances, as I discuss further below.
However, Judge Battaglia was only able to get to the conclusion that there might be coverage under the D&O Endorsement because he was able to get beyond the fact that the contractor’s claim in the underlying lawsuit against the association was based on the association’s alleged breach of contract for non-payment. The insurer had tried to argue under California law that an insured cannot simply fail to pay a debt and then turn to its insurer to pay the amount due. Judge Battaglia saw that here the association had tried to pay the debt, but the treasurer’s negligence had caused the misdirection of the intended payment.
Judge Battaglia was only able to get to the conclusion that the underlying claim arose out of alleged wrongful acts by reference to what he called “extrinsic facts,” which apparently courts are permitted to consider under California law in insurance coverage disputes. Not every jurisdiction permits courts to consider such extrinsic evidence in considering insurance coverage; indeed, some jurisdictions adhere to strict “four corners” (that is, the four corners of the policy) or “eight corners” (the four corners of the policy plus the four corners of the underlying complaint) rules, which bar courts from considering other factors. A court applying one of these other jurisdictions’ laws might not have been able to consider the treasurer’s alleged negligence underlying the alleged breach of contract.
In thinking about the possibilities for coverage under a D&O insurance policy for payment instruction fraud loss, it is important to keep in mind that this insurance coverage dispute grew out of a third-party lawsuit. In many instances when organizations suffer loss due to payment instruction fraud, they simply want to get reimbursed for the amount of the loss. D&O insurance would not respond to that type of first-party claim for coverage. The potential availability of D&O insurance, if at all, is going to be limited to third-party claims circumstances.