Category Archives: Computer Fraud

Taylor & Lieberman: Ninth Circuit finds No Coverage under Crime Policy for Client Funds lost in Social Engineering Fraud

By David S. Wilson and Chris McKibbin

In the recent decision of Taylor & Lieberman v. Federal Insurance Company, the Ninth Circuit Court of Appeals affirmed a decision of the U.S. District Court for the Central District of California holding that a business management firm did not have coverage in respect of client funds which it was fraudulently induced to wire overseas.

While the District Court had held that the insured had failed to establish that it had sustained any “direct” loss at all (see our July 14, 2015 post), the Ninth Circuit affirmed the result on other grounds, holding that the insured had also failed to establish that the loss came within the substantive requirements of any of the Forgery, Computer Fraud or Funds Transfer Fraud insuring agreements.

The Facts

Taylor & Lieberman (“T&L”) was an accounting firm which also performed business management and account oversight services for various clients, including the client in issue. Clients’ funds were held in separate bank accounts maintained with City National Bank. Clients granted Powers of Attorney over their accounts to a designated individual at T&L, permitting transactions to be made in the accounts.

A fraudster obtained access to the client’s email account and sent two emails from that account to a T&L employee, as follows:

  • The first email directed the employee to wire $94,280 to an account in Malaysia. The employee did so, and then sent a confirming email to the client’s email account.
  • The next day, the employee received another email from the client’s account directing her to wire $98,485 to an account in Singapore. The employee again complied, and again sent a confirming email to the client’s email account.

The employee then received a third email, purportedly from the client, but sent from a different email address. The employee contacted the client by phone, and discovered that all three emails were fraudulent. T&L was able to recover some of the funds, but had to reimburse its client and incurred a net loss of nearly $100,000.

T&L submitted a claim under each of its Forgery Coverage, its Computer Fraud Coverage and its Funds Transfer Fraud Coverage. The District Court held that each of these coverages required “direct loss sustained by an Insured” and that, as a matter of law, no direct loss had been sustained.

On appeal, the Ninth Circuit did not disturb the finding with respect to direct loss, but affirmed the result on the basis that T&L had failed to establish that the loss came within the scope of any of the insuring agreements.

The Forgery Coverage

The Ninth Circuit quickly dismissed T&L’s contention that this insuring agreement’s requirement of a “Forgery or alteration of a financial instrument” did not require proof of a “Forgery” of a financial instrument, because the insuring agreement required only proof of an alteration of a financial instrument or a free-standing “Forgery” of any document, of any type. The Court held that the insuring agreement plainly required either a “Forgery” or an alteration of a financial instrument.

More substantively, the Court rejected T&L’s contention that the emails to T&L were financial instruments:

Here, the emails instructing T&L to wire money were not financial instruments, like checks, drafts, or the like. See Vons Cos., Inc. v. Fed. Ins. Co. … (C.D. Cal. 1998) (holding that wire instructions, invoices, and purchase orders were not “documents of the same type and effect as checks and drafts.”). And even if the emails were considered equivalent to checks or drafts, they were not “made, drawn by, or drawn upon” T&L, the insured. Rather, they simply directed T&L to wire money from T&L’s client’s account. In sum, there is no forgery coverage.

The Computer Fraud Coverage

The Computer Fraud insuring agreement required T&L to demonstrate “an unauthorized (1) ‘entry into’ its computer system, and (2) ‘introduction of instructions’ that ‘propogate[d] themselves’ through its computer system.” The Court held that the sending of an email, without more, did not constitute an unauthorized entry into T&L’s computer system. Further, the emails were not an unauthorized introduction of instructions that propagated themselves through T&L’s computer system:

The emails instructed T&L to effectuate certain wire transfers. However, under a common sense reading of the policy, these are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code. … Additionally, the instructions did not, as in the case of a virus, propagate themselves throughout T&L’s computer system; rather, they were simply part of the text of three emails.

The Funds Transfer Fraud Coverage

The Funds Transfer Fraud insuring agreement indemnified against:

fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.

The Court held that the requirements of the insuring agreement were not met:

This coverage is inapplicable because T&L requested and knew about the wire transfers. After receiving the fraudulent emails, T&L directed its client’s bank to wire the funds. T&L then sent emails confirming the transfers to its client’s email address. Although T&L did not know that the emailed instructions were fraudulent, it did know about the wire transfers.

Moreover, T&L’s receipt of the emails from its client’s account does not trigger coverage because T&L is not a financial institution.

As a result, there was no coverage available under the Federal policy.

Conclusion

Following the Fifth Circuit’s decision in Apache (see our October 24, 2016 post), the Ninth Circuit’s decision in Taylor & Lieberman provides another example of a clear trend on the part of the courts to refuse to find coverage for social engineering fraud losses under the “traditional” crime policy coverages (typically, computer fraud and funds transfer fraud coverages, but occasionally, as here, other coverages as well). The proliferation of social engineering frauds has created a new exposure for insureds, and fidelity insurers have responded by creating discrete social engineering fraud coverages. Like Apache, Taylor & Lieberman serves as a cautionary tale to businesses (and to their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain such coverage.

Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir.)

Filed under Computer Fraud, Direct Loss, Forgery, Funds Transfer Fraud, Social Engineering Fraud

InComm: U.S. District Court holds that Computer Fraud Coverage does not respond in Prepaid Debit Card Scheme

By David S. Wilson, John Tomaine and Chris McKibbin

On March 16, 2017, the U.S. District Court for the Northern District of Georgia released its decision in InComm Holdings, Inc. v. Great American Insurance Company. The Court held that Great American’s computer fraud coverage did not respond where holders of prepaid debit cards used multiple simultaneous telephone calls to exploit a coding error in the insured’s computer system, thereby fraudulently increasing the balances on the cards. The Court also applied the recent appellate decisions in Apache (see our October 24, 2016 post) and Pestmaster (see our August 4, 2016 post) in holding that the loss scenario did not meet the direct loss requirement in the computer fraud insuring agreement.

The Facts

InComm was a debit card processor. Individuals could purchase prepaid debit cards issued by banks and then utilize InComm’s system to load funds onto those cards. InComm’s processing system consisted of an Interactive Voice Response (IVR) system and an Application Processing System (APS). The IVR system permitted cardholders, using telephone voice commands or touchtone codes, to load credit onto their cards. The APS provided transaction processing in respect of transaction instructions received through the IVR system. After the APS carried out the requested instruction, it would communicate the result to the IVR system, which would then report the result to the cardholder.

To add value to a card, a cardholder could purchase a chit from a retailer, which would then relay the funds to InComm by transferring them to an account maintained by InComm with Wells Fargo. To redeem the chit, the cardholder would call the IVR system and provide the unique PIN printed on the chit. The IVR system would then relay the information to the APS, which would verify the data and then add the value of the chit to the card.

After a chit is redeemed, InComm transfers the equivalent amount of funds to the bank that issued the card. The funds are then maintained by the issuing bank for the benefit of the cardholder until the cardholder makes a purchase, at which point the issuing bank remits funds to the vendor. InComm is not involved in payments by banks to vendors.

InComm contracted with Bancorp to serve as program manager for cards issued by Bancorp. When a Bancorp cardholder redeemed a chit, InComm would transfer the equivalent dollar amount from its Wells Fargo account to a special settlement account held at Bancorp in Bancorp’s name. The InComm-Bancorp contract provided that “[Bancorp] shall hold all Cardholder Balances in a fiduciary or custodial manner on behalf of [InComm] as holder[ ] of the Cardholder Balances for the benefit of Cardholders” and that “all Cardholder Balances shall be held in trust for the benefit of the Cardholders”.

For a period of several months in 2013 and 2014, there was a coding error in the IVR system which permitted a chit to be redeemed multiple times. Cardholders could exploit the coding error by making multiple simultaneous telephone calls to the IVR system, redeeming their chit multiple times, and obtaining multiples of the value of the chits, which were then used by the cardholders to make purchases. As a result of the misuse of the IVR system, InComm wired $10,769,039 to Bancorp in connection with these fraudulent transactions. Bancorp transmitted most of these funds to vendors, but currently retains $1,880,769 of the wrongfully-redeemed funds in its trust account.

The Computer Fraud Coverage

InComm submitted a claim under its computer fraud coverage, which provided that Great American would:

… pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

a. to a person (other than a messenger) outside those premises; or

b. to a place outside those premises.

Great American reasoned that the cardholders had not engaged in computer fraud within the meaning of the policy, as they had utilized telephones, not computers, to make the calls. Great American also took the view that any loss to InComm was not a loss “resulting directly” from computer fraud. The Court accepted Great American’s position on both issues.

Relying on the Ninth Circuit’s recent Pestmaster decision, the Court held that the cardholders’ telephone usage could not be construed as the “use” of a computer, notwithstanding that their telephones were ultimately communicating with a computer system:

“Use” also is not defined in the Policy. The word commonly is defined as to “take, hold, or deploy (something) as a means of accomplishing or achieving something; … A person thus “uses” a computer where he takes, holds or employs it to accomplish something. That a computer was somehow involved in a loss does not establish that the wrongdoer “used” a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision, which limits coverage to “computer fraud.” Cf. Pestmaster … (“Because computers are used in almost every business transaction, reading [a computer fraud insurance policy] provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”). It also would violate the Court’s obligation to read the Policy “as a layman would read it and not as it might be analyzed by an insurance expert or an attorney.” … Lawyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain — between the perpetrators’ conduct and the loss — unreasonably strain the ordinary understanding of “computer fraud” and “use of a[ ] computer”. …

The Policy does not cover InComm’s losses resulting from the unauthorized redemptions, because the cardholders used telephones, not computers, to perpetrate their scheme. [emphasis added]

Direct Loss

The Court also held that InComm had not established that it had sustained a loss “resulting directly” from the cardholders’ conduct. The Court observed that, under the terms of InComm’s contract with Bancorp, InComm retained an interest, as trustee, in the funds so long as they continued to be held by Bancorp. Consequently, a transfer from InComm’s Wells Fargo account to Bancorp was not itself a loss. The earliest that a loss could occur was when funds were paid out by Bancorp to vendors to settle the cardholders’ expenditure of the fraudulently-redeemed chits.

The Court continued:

This conclusion is underscored by the fact that funds wired to Bancorp, as a result of the fraudulent chit redemptions, are still in the Bancorp Account almost three years after the chits were wrongfully redeemed. That is, these funds have not been lost. InComm’s loss thus did not result “directly” from the fraudulent redemptions, because it occurred only after InComm wired money to Bancorp, after the cardholder used his card to pay for a transaction, and after Bancorp paid the seller for the cardholder’s transaction. … The losses here did not occur when funds were sent to Bancorp’s premises. They occurred when funds were sent, by Bancorp, to the premises or accounts of merchants from which cardholders purchased goods or services. [emphasis added]

The Court also observed that, even if the loss had occurred earlier in the process (i.e., when the funds left Wells Fargo), the loss still did not result directly from the chit redemptions. Great American pointed out that those fraudulent redemptions did not automatically transfer funds to issuers like Bancorp. A redemption did not reduce the available assets in InComm’s hands; instead, a redemption only triggered InComm’s contractual obligation to an issuer to fund the redemption.

The Court agreed. Relying on Pestmaster and Apache, the Court held that:

… InComm’s loss resulted directly — that is, immediately — from InComm’s decision to wire the funds to Bancorp, not from the cardholders’ redemptions. Apache, and the cases it discusses, warn that to find coverage based on the use of a computer, without a specific and immediate connection to a transfer, would effectively convert a computer fraud provision into a general fraud provision. … To accept InComm’s argument that the cardholders’ fraudulent redemptions resulted directly in the transfer of funds from InComm to Bancorp — where InComm itself chose to make the transfer — would violate the admonition in Apache and the other cases addressing computer fraud coverage.

The computer fraud insuring agreement in InComm’s policy is identical to the one at issue in Apache. Apache involved a social engineering fraud where someone impersonating a representative of Apache’s vendor sent “new” bank information to Apache via email, resulting in invoice payments being misdirected. In that case, the Fifth Circuit pointedly used language to lay the loss at the feet of the insured:

Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information. Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices … Arguably, Apache invited the computer-use at issue, through which it now seeks shelter under its policy, even though the computer-use was but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.  

Similarly, the Court in InComm noted that:

InComm chose to wire funds to Bancorp because it was contractually required to do so and because, despite any reconciliation or verification process it had in place, it believed the redemptions were legitimate.

Then, borrowing language from Apache, the Court stated:

As in Apache, “the authorized transfer was made to the [Bancorp] account only because, after receiving [notice of the duplicate chit redemptions], [InComm] failed to investigate accurately new, but fraudulent, information provided to it.” [emphasis added].

Not only did the Apache and InComm courts refuse to find an “immediate” relationship between the alleged conduct and the claimed losses, they each observed that investigatory lapses on the part of the insureds could be considered intervening and superseding causes of their losses.

Conclusion

Although it arises from a rather complicated set of facts and legal relationships, InComm provides helpful general guidance on both the “use of a computer” and the “direct loss” requirements found in computer fraud insuring agreements.

The courts in Apache and Pestmaster recognized that computers are involved in virtually every business transaction, and that interpreting computer fraud coverage to cover every loss that involves both a computer and fraud at some point in the transaction would turn such coverage into a “general fraud policy”. The Court in InComm built on this insight by interpreting “the use of any computer to fraudulently cause a transfer” to require the fraudster’s use of a computer, not the use of a telephone to interact with the insured’s computer.

Further, the Court implicitly applied a “direct means direct” causation approach in finding that the loss was not one resulting directly from the cardholders’ conduct. This is underscored by the Court’s requiring a “specific and immediate connection” between the conduct and the loss, which could not be established, given the intervening steps which occurred here.

[Editors’ Note: Our guest co-author, John Tomaine, is the owner of John J. Tomaine LLC, a fidelity insurance and civil mediation consultancy in New Jersey.  After over thirty-one years with the Chubb Group of Insurance Companies, he retired as a Vice President in 2009.  He is an attorney admitted in Connecticut and New Jersey, and holds a Master’s Degree in Diplomacy and International Relations.  He is available to serve as an expert witness in fidelity claim litigation and to consult on fidelity claim and underwriting matters.]

InComm Holdings, Inc. v. Great American Insurance Company, 2017 WL 1021749 (N.D. Ga.)

Filed under Computer Fraud, Direct Loss

Apache Corporation: Fifth Circuit holds that Commercial Crime Policy’s Computer Fraud Coverage does not extend to Social Engineering Fraud Loss

By David S. Wilson and Chris McKibbin

On October 18, 2016, the U.S. Court of Appeals for the Fifth Circuit released its opinion in Apache Corporation v. Great American Insurance Company.  This is one of the first appellate decisions to consider coverage for a social engineering fraud loss under “traditional” commercial crime policy wording since the widespread introduction of social engineering fraud endorsements.  In holding that the loss did not trigger indemnity under the Computer Fraud coverage, the Fifth Circuit adopted the interpretive approach to Computer Fraud coverage taken by the Ninth Circuit in Pestmaster Services v. Travelers (which we discussed in our August 4, 2016 post) and applied it in the context of social engineering fraud.

The Facts

Apache is an oil production company which is headquartered in Texas and which operates internationally.  In March 2013, an Apache employee in Scotland received a call from a person claiming to be a representative of Petrofac, a legitimate vendor of Apache.  The caller instructed the employee to change the bank account information which Apache had on record for Petrofac.  The Apache employee advised that such a change request would not be processed without a formal request on Petrofac letterhead.

A week later, Apache’s accounts payable department received an email from a @petrofacltd.com email address.  Petrofac’s legitimate email domain name is @petrofac.com.  The email advised that Petrofac’s bank account details had changed, and included as an attachment a signed letter on Petrofac letterhead setting out the old and new account numbers and requesting that Apache “use the new account with immediate effect.”

An Apache employee called the telephone number on the letterhead and confirmed the authenticity of the change request.  Next, a different Apache employee approved and implemented the change.  A week later, Apache was transferring funds for payment of Petrofac’s invoices to the new bank account.

Within a month, Petrofac advised Apache that it had not received payment of approximately $7 million which Apache had transferred to the new account.  Apache recovered some of the funds, but still incurred a net loss of approximately $2.4 million.

The Computer Fraud Coverage

Apache maintained a Crime Protection Policy with Great American, but it does not appear that the policy included social engineering fraud coverage.  Apache asserted a claim under its Computer Fraud coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

 a) to a person (other than a messenger) outside those premises; or

 b) to a place outside those premises.

In Great American’s view, no indemnity was available because the @petrofacltd.com email did not cause the transfers in issue, and because the coverage was limited to losses resulting from hacking and other incidents of unauthorized computer use.

The Fifth Circuit accepted Great American’s position.  Noting that there was no Texas law directly on point, the Court embarked on what it described as a “detailed — but numbing — analysis” of the authorities interpreting the Computer Fraud coverage.  Chief among these was the Ninth Circuit’s recent decision in Pestmaster, in which that Court interpreted the coverage to require an unauthorized transfer of funds, rather than simply any transfer which involved both a computer and a fraud at some point.

The Fifth Circuit contrasted that requirement with the lengthy chain of events that had resulted in Apache’s loss:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead.  Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications.  Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices. 

The Court observed that the authorities generally refuse to extend the scope of the Computer Fraud coverage to situations where the fraudulent transfer is not a direct result of computer use, but rather results from other events.

In concluding that no indemnity was available under the Computer Fraud coverage, the Court held that:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.  To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster…, convert the computer-fraud provision to one for general fraud.  …  We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred.  In short, few — if any — fraudulent schemes would not involve some form of computer-facilitated communication.  [emphasis added]

Conclusion

The Fifth Circuit’s decision in Apache is broadly significant to the fidelity insurance industry not only because, like Pestmaster, it reaffirms the intended scope of the Computer Fraud coverage, but also because it reinforces the purpose behind insurers’ introduction of discrete social engineering fraud coverage in the last few years, i.e., the lack of coverage for social engineering frauds under traditional computer and funds transfer coverages.

The proliferation of social engineering fraud has undoubtedly exposed insureds to greater risk.  However, insurers have responded by underwriting discrete social engineering fraud coverages.  There is no need for courts to depart from the traditional interpretation of computer fraud and funds transfer fraud coverages in order to address this perceived problem, because a solution is already available.

As a practical matter, Apache confirms that insureds need Social Engineering Fraud coverage for these types of losses.  The decision provides greater certainty on the part of insureds, insurers and brokers as to the intended scope of each coverage, and makes it easier for all industry participants to ensure that insureds obtain the coverages they require for the types of potential losses that they face.

Apache Corporation v. Great American Insurance Company, 2016 WL 6090901 (5th Cir.)

Filed under Computer Fraud, Social Engineering Fraud

Pestmaster: Ninth Circuit affirms Fidelity Insurer’s Intent on Scope of Computer Fraud and Funds Transfer Fraud Coverages

By David S. Wilson and Chris McKibbin

In our January 6, 2015 post, we analyzed the decision of the U.S. District Court for the Central District of California in Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America and its implications for the interpretation of the Computer Fraud and Funds Transfer Fraud coverages.  On July 29, 2016, the Ninth Circuit Court of Appeals released a brief opinion affirming the District Court’s interpretations of these coverages.

The Facts

Pestmaster, a pest control business, was insured under a Travelers Wrap+ policy.  In 2009, Pestmaster hired a payroll company, Priority 1, to handle its payroll and payroll tax obligations.  Pestmaster executed an ACH authorization which authorized Priority 1 to obtain payment of Priority 1’s approved invoices by initiating ACH transfers of funds from Pestmaster’s bank account to Priority 1’s bank account.  These amounts included both payroll and payroll taxes, the latter of which Priority 1 was supposed to remit to the IRS.

In 2011, Pestmaster discovered that Priority 1 had failed to remit $373,000 in payroll taxes, and had instead diverted these funds to its own uses.  Pestmaster sought indemnity from Travelers under both its Funds Transfer Fraud and Computer Fraud coverages.

Funds Transfer Fraud

The Funds Transfer Fraud coverage indemnified Pestmaster for direct loss of money or securities contained in its transfer account on deposit at a financial institution, directly caused by Funds Transfer Fraud.  Funds Transfer Fraud was defined as:

an electronic, telegraphic, cable, teletype or telephone instruction fraudulently transmitted to a Financial Institution directing such institution to debit your Transfer Account and to transfer, pay or deliver Money or Securities from your Transfer Account which instruction purports to have been transmitted by you, but was in fact fraudulently transmitted by someone other than you without your knowledge or consent …

The Ninth Circuit affirmed the District Court’s holding that the Funds Transfer Fraud insuring agreement does not cover transactions that are authorized by the insured:

… Pestmaster argues that the transfer of funds from its bank account to Priority 1’s bank account is covered by the Funds Transfer Fraud provision.  The district court found that this provision “does not cover authorized or valid electronic transactions … even though they are, or may be, associated with a fraudulent scheme.” We agree that there is no coverage under this clause when the transfers were expressly authorized.

Computer Fraud

The Computer Fraud coverage indemnified Pestmaster for direct loss of money, securities or other property directly caused by Computer Fraud, i.e., the use of a computer to cause a transfer of money, securities or other property from inside the insured’s premises or the insured’s bank’s premises.  The Ninth Circuit interpreted Travelers’ wording as requiring an unauthorized transfer, which is consistent with the Computer Fraud jurisprudence requiring an element of unauthorized access or a “hacking” incident.  The Ninth Circuit continued:

When Priority 1 transferred funds pursuant to authorization from Pestmaster, the transfer was not fraudulently caused.  Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a “General Fraud” Policy.  While Travelers could have drafted this language more narrowly, we believe protection against all fraud is not what was intended by this provision, and not what Pestmaster could reasonably have expected this provision to cover.  [emphasis added]

As such, coverage was not available in respect of the authorized transfers.

The Court remanded to the District Court the narrow issue of whether two individual transactions, made shortly before the discovery of the fraud and totalling $11,991, were unauthorized transfers.

Conclusion

The Ninth Circuit’s decision in Pestmaster provides an endorsement of fidelity insurers’ intentions as to the proper scope of the Computer Fraud and Funds Transfer Fraud coverages.  The Court’s observation with respect to the Computer Fraud coverage is of particular significance, insofar as it represents one of the clearest articulations as to how the merely-incidental involvement of a computer at some stage in a fraudulent transaction is insufficient to trigger indemnity.  Insureds often point to such merely-incidental involvement of a computer in attempting to bring a loss within the Computer Fraud coverage, even though this is not the intended scope of the coverage, and notwithstanding that there are other products (such as Social Engineering Fraud coverage) which may respond to certain types of losses involving authorized computer transfers.

Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America, 2016 WL 4056068 (9th Cir.)

Filed under Computer Fraud, Funds Transfer Fraud

Aqua Star: U.S. District Court applies “Authorized Entry” Exclusion to claim under Computer Fraud Coverage

By David S. Wilson and Chris McKibbin

On July 8, 2016, the U.S. District Court for the Western District of Washington released its decision in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America.  The decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies (sometimes referred to as the “authorized access” exclusion), and illustrates how this exclusion may operate in the context of a social engineering fraud loss.

The Facts

The insured, Aqua Star (USA) Corp. (“Aqua Star”), is a seafood importer that had a pre-existing relationship with a legitimate vendor, Zhanjiang Longwei Aquatic Products Industry Co. Ltd. (“Longwei”).  In the summer of 2013, Longwei’s computer system was hacked.  The hacker apparently monitored email exchanges between an Aqua Star employee and a Longwei employee before intercepting those email exchanges and using “spoof” email domains to send fraudulent emails to the Aqua Star employee.  In the spoofed emails, the hacker directed the Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.

The Aqua Star employee inserted the revised banking information into Aqua Star’s computer system.  This revised information was then used to create Wire Confirmation Detail instructions that were transmitted to Aqua Star’s bank, the Bank of America.  As a result, $713,890 was wired to the hacker’s account before the fraud came to light.

The Travelers Coverage

Aqua Star maintained a Wrap+ Crime Policy with Travelers.  The policy covered Aqua Star for its “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud”, as defined.  Travelers relied on Exclusion G to the policy, which provided that the policy:

will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System. 

As a general observation, this type of exclusion is intended to encompass (among other things) social engineering fraud losses.  At present, social engineering fraud coverage is typically added to commercial crime policies by endorsement, with the endorsement providing that the exclusion in the base wording does not apply in respect of coverage afforded by the endorsement.  The intent is to reinforce that only social engineering fraud coverage, and not the “traditional” computer or funds transfer fraud coverages, responds to social engineering fraud losses.

It is not clear from the Court’s decision whether Aqua Star also maintained social engineering fraud coverage.

The Decision

On the parties’ cross-motions for summary judgment, the Court confined itself to the question of whether Exclusion G applied to the loss, and did not opine on whether the loss fell prima facie within coverage.  The Court held that, on its face, Exclusion G clearly applied to the facts.  The “revised” banking details were information, which fell within the meaning of “Electronic Data”.  The employee in question was a natural person and had the authority to enter banking details into Aqua Star’s computer system.  As a result, the exclusion applied.

Aqua Star advanced two substantive arguments in an effort to avoid the application of the exclusion.  First, Aqua Star asserted that the exclusion did not apply because, in order to initiate the wire transfers, an Aqua Star employee had to enter data into the computer system of a third party (i.e., its bank, the Bank of America).  The Court rejected this contention, observing that:

Although entering data into a third party’s computer system may have been the final step that led to Aqua Star’s loss, necessary intermediate steps prior to the transfer involved entering Electronic Data into Aqua Star’s own Computer System. Aqua Star does not explain why the involvement of a third party computer system would render Exclusion G inapplicable.

Second, Aqua Star contended that Exclusion G was actually intended to preclude coverage where a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or legitimate customer.  The Court did not accept this argument either, but did note that:

the clear language of the policy does not limit the exclusion to fraud perpetrated by an authorized user, although … it certainly could apply in that situation [as well]. 

As a result, Exclusion G applied to the loss.

Conclusion

In providing a detailed analysis of Exclusion G to the Travelers Wrap+ policy, Aqua Star reflects the intended boundary between social engineering fraud coverage and “traditional” computer fraud and funds transfer fraud coverages.  Courts have generally interpreted the computer fraud coverage as being intended to cover loss due to unauthorized hacking by third parties (see, for example, Pestmaster, which we discussed in our January 6, 2015 post), not employees’ authorized entries of data that are induced by external fraud.

To address this perceived gap, many insurers have introduced social engineering fraud endorsements to respond to the latter scenario.  The “authorized entry” exclusion reinforces insurers’ intent that the two coverages respond to different loss scenarios.  In our view, it is appropriate to keep this context in mind in assessing both the applicability of “authorized entry” exclusions and the dividing line between social engineering fraud coverage and other coverages.

Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, 2016 WL 3655265 (W.D. Wash.)


Blaneys Fidelity Year in Review – Fidelity Subrogation Podcast – Fidelity at the OBA

Blaneys Fidelity Year in Review

In 2015, American and Canadian courts released a number of decisions of interest to fidelity claims professionals.   We are pleased to present Blaneys Fidelity Year in Review, which provides summaries of the decisions that appeared on Blaneys Fidelity Blog in 2015.  Blaneys Fidelity Year in Review is available here.

Blaneys Podcast: Fidelity Subrogation and Fraud Recovery

For those fidelity claims professionals dealing with fraud recovery and subrogation in Canada, the Blaneys Podcast series now features our podcast on fraud recovery and fidelity subrogation.  The podcast sets out the different strategies available for identifying and pursuing fraud recovery targets and for maximizing recoveries from defaulters, beneficiaries, co-conspirators, auditors and financial institutions.  The podcast is available here; SoundCloud users may access the podcast here.

Fidelity at the OBA: A Primer on Insurance Coverage (Toronto, May 12, 2016)

The Ontario Bar Association is presenting a program on insurance coverage issues on May 12 in Toronto.  Blaneys’ Chris McKibbin will be presenting on Computer Fraud and Funds Transfer Fraud Coverages in Fidelity and Commercial Crime Policies.  The program also includes presentations on recent developments regarding the duty of good faith and the duty to defend; the “lack of fortuity” defence; and a perspective from the Bench, presented by the Honourable Mr. Justice Jamie K. Trimble.  Co-chairs Laura Hodgins of Liberty and Andrew Mercer of Mercer Law have assembled a fantastic group of speakers, and the program is eligible for four substantive hours of CPD credit.  The program agenda is available here.


Pestmaster: U.S. District Court affirms Fidelity Insurer’s Intent on Scope of Computer Fraud and Funds Transfer Fraud Coverages

By Chris McKibbin

In Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America, the U.S. District Court for the Central District of California granted partial summary judgment in favour of Travelers on a claim advanced under its Computer Fraud and Funds Transfer Fraud coverages.  The decision provides valuable guidance regarding the scope of these coverages.

The Facts

Pestmaster, a pest control business, was insured under a Travelers Wrap+ policy.  In 2009, Pestmaster hired a payroll company, Priority, to handle its payroll and payroll tax obligations.  Pestmaster executed an ACH authorization which authorized Priority to obtain payment of Priority’s approved invoices by initiating ACH transfers of funds from Pestmaster’s bank account to Priority’s bank account.  These amounts included both payroll and payroll taxes, the latter of which Priority was supposed to remit to the IRS.

In 2011, Pestmaster discovered that Priority had failed to remit $373,000 in payroll taxes, and had instead diverted these funds to its own uses.  Pestmaster sought indemnity from Travelers under its Funds Transfer Fraud coverage or, alternatively, its Computer Fraud coverage.

Funds Transfer Fraud

The Funds Transfer Fraud coverage indemnified Pestmaster for direct loss of money or securities, contained in its transfer account on deposit at a financial institution, directly caused by Funds Transfer Fraud.  Funds Transfer Fraud was, in turn, defined as (in relevant part):

an electronic, telegraphic, cable, teletype or telephone instruction fraudulently transmitted to a Financial Institution directing such institution to debit your Transfer Account and to transfer, pay or deliver Money or Securities from your Transfer Account which instruction purports to have been transmitted by you, but was in fact fraudulently transmitted by someone other than you without your knowledge or consent;

Pestmaster contended that Priority’s transferring funds from Pestmaster’s bank account to its own bank account, in furtherance of Priority’s fraudulent scheme, constituted a fraudulent instruction to Pestmaster’s bank.

The Court rejected Pestmaster’s contention, holding that the insuring agreement does not cover authorized or valid transactions, such as the authorized ACH transfers in this case, even where such transactions are associated with an underlying fraudulent scheme.  The Court found that there was no evidence that Priority had gained unauthorized access to Pestmaster’s bank’s electronic fund transfer system or had otherwise provided any fraudulent or altered instructions to the bank in order to divert funds from the rightful recipient.  As Priority wrongfully converted the funds only after they had been transferred to Priority, pursuant to Pestmaster’s express authorization, the elements of the Funds Transfer Fraud coverage were not made out.

The Court accepted Travelers’ position that the intention of the coverage is to protect the insured or its bank from someone breaking into the electronic funds transfer system and pretending to be an authorized representative, or altering electronic instructions to divert funds from the rightful recipient.

Computer Fraud Coverage

The Computer Fraud coverage indemnified Pestmaster for direct loss of money, securities or other property directly caused by Computer Fraud, i.e., the use of a computer to cause a transfer of money, securities or other property from inside the insured’s premises or the insured’s bank’s premises.

Pestmaster contended that Priority’s use of a computer to transfer funds from Pestmaster’s bank account to Priority’s bank account, in furtherance of Priority’s fraudulent scheme, met the requirements of the coverage.

The Court rejected this contention as well, accepting Travelers’ position that the Computer Fraud coverage is engaged when someone “hacks” or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer of funds.  The Court relied on Universal American, a 2013 New York decision in which a computer was used to submit fraudulent health insurance claims.  The Universal American court had concluded that Computer Fraud coverage did not apply “where an authorized user utilized the system as intended, i.e., to submit [health insurance] claims, but where the claims themselves were fraudulent.”

The Court concluded that Priority had acted pursuant to Pestmaster’s ACH authorization, and could not in any sense be considered a “hacker” or unauthorized user.  Priority’s fraudulent conduct occurred only after the authorized transfer had been completed and the funds had already been transferred into Priority’s account.

No Direct Loss

The Court also held, as alternative bases for denying coverage, that Priority’s use of its computer was merely incidental to, and not directly related to, Pestmaster’s losses, and that Pestmaster had not satisfied the “direct loss” requirement in either of the coverages.  Rather, Pestmaster’s loss was “entirely contingent on a series of events and decisions, including Priority 1’s decision to divert the funds in its account to pay its own obligations instead of using them for their agreed upon purpose of paying Pestmaster’s federal payroll taxes.”

The Pestmaster decision is helpful in explaining (and endorsing) fidelity insurers’ intentions as to the proper scope of the Computer Fraud and Funds Transfer Fraud coverages, confirming that the coverage is intended to be limited to unauthorized access and “hacking” situations.  The decision is also helpful in rebutting arguments which attempt to create coverage by reliance on the merely-incidental involvement of a computer, or an electronic transfer, in the loss scenario.

Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America, 2014 WL 3844627 (C.D. Cal.)
