As companies experienced cyber-related incidents, they have sought coverage for their losses under a variety of different kinds of insurance policies. As discussed in the following guest post, courts have struggled to address the coverage issues these claims present. The article’s author is Peter Selvin, a member of TroyGould
The insurer on the receiving end of the recent Sixth Circuit ruling that the a payment instruction fraud loss is covered under the Computer Fraud section of a Commercial Crime policy has filed a petition for rehearing or rehearing en banc. In its July 27, 2018 petition (here), the insurer contends that in its decision, the Sixth Circuit’s analysis was at odds with its own prior precedent, and as a result the appellate court applied the wrong causation analysis in determining whether or not the fraudulent email “directly” caused the loss of the policyholder, American Tooling Center (ATC).
Continue Reading Insurer Seeks Rehearing of Ruling That Payment Instruction Fraud is Covered
In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) opinion can be found here.
Continue Reading 6th Circ.: Crime Policy’s Computer Fraud Section Covers Email Scheme Losses
In a much anticipated decision, on July 6, 2018 the Second Circuit, applying New York law, affirmed a district court ruling that the computer fraud provisions of a commercial crime coverage section covered the losses Medidata incurred when the company’s employees transferred funds in response to a spoofed email. The appellate court’s opinion could prove valuable for other policyholders seeking to establish that their crime policies provide coverage for losses incurred as a result of social engineering fraud (also known as payment instruction fraud). The Second Circuit’s July 6, 2018 opinion can be found here.
Continue Reading Second Circuit: Computer Fraud Coverage Section Covers Fraudulent Email Funds Transfer
Along with all of the other risks arising from companies’ increasing dependence on electronics communications and data storage technology has come not only the risks of a data breach caused by a hacker, but also the risk of a company’s transfer of funds by one of its employees who has been duped into believing the transfer was legitimate and authorized. These kinds of losses, which have been called “payment instruction fraud” or “social engineering fraud,” raise of a host of potential issues under traditional insurance policies, owing to the voluntary nature of the funds transfer made by a person authorized to access the company’s computer system. A recent decision by the Ninth Circuit illustrates the kinds of coverage problems that can arise from these circumstances. The Ninth Circuit’s unpublished April 17, 2018 opinion in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company of America can be found here. The Wiley Rein’s law firm’s April 19, 2018 post about the Ninth Circuit decision can be found here.
Continue Reading Ninth Circuit: No Crime Policy Coverage for Social Engineering Fraud Losses
Over the last several days, I have published several posts discussing important insurance developments relating to social engineering fraud, sometimes called payment instruction fraud. In the following guest post, Peter S. Selvin of the TroyGould PC law firm takes a detailed look at one of these recent decisions, the July 2017 decision in the Southern District of New York involving Medidata (discussed here), and compares it to the subsequent American Tooling Center decision out of the Eastern District of Michigan (discussed here). A version of this article previously appeared in the San Francisco Daily Journal. I would like to thank Peter for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors in topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Peter’s article.
Continue Reading Guest Post: Groundbreaking Cyber Insurance Decision
Just days after a Southern District of New York judge ruled in the Medidata Solutions decision that the Computer Fraud section of a commercial crime policy covered losses from social engineering fraud (as I discussed in a post last week), a judge in the Eastern District of Michigan has held that a crime policy’s computer fraud section did not apply to social engineering fraud. Eastern District of Michigan Judge John Corbett O’Meara concluded, based on the specific policy language at issue, that the computer fraud coverage only applied when the fraud directly caused the loss, and that because there had been intervening steps between the computer fraud and the transfer of funds, the coverage did not apply. As discussed below, these recent decisions underscored the problems facing policyholders as they seek insurance coverage for social engineering fraud losses. Judge O’Meara’s August 1, 2017 opinion can be found here.
Continue Reading More about Crime Coverage and Social Engineering Fraud
One of the more vexing threats in the current business environment is the rise of “social engineering fraud” or “payment instruction fraud.” In these schemes scammers using official-seeming email communications induce company employees to transfer company funds to the imposters’ account. Among the many issues involved when these kinds of scams occur is the question of insurance coverage for the loss. In many instances, insurers take the position that because the schemes do not involve a “hacking” of the company’s systems and because the actual funds transfers are voluntary, the loss of funds is not covered under commercial crime policies.
However, in a July 21, 2017 decision (here), Southern District of New York Judge Andrew L. Carter, Jr., applying New York law, held that Mediadata Solutions Inc.’s commercial crime policy covered the company’s loss of $4.77 million transferred in response to an email instruction that falsely appeared to be from the company’s President. The court’s decision raises and addressed a number of interesting issues, as discussed below.
Continue Reading District Court Holds Crime Policy Covers Payment Instruction Fraud