Category Archives: Social Engineering Fraud

American Tooling Center: U.S. District Court finds no Coverage for Social Engineering Fraud Loss under Crime Policy’s Computer Fraud Insuring Agreement

By David S. Wilson, Chris McKibbin and Stuart M. Woody

On August 1, 2017, the U.S. District Court for the Eastern District of Michigan released its decision in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America. The Court held that a vendor impersonation fraud loss did not fall within the terms of a crime policy’s computer fraud coverage. In coming to this conclusion, the Court found there was no direct causal link between the receipt of fraudulent emails by an insured requesting payment to the fraudster’s bank account, and the insured’s authorized transfer of funds to that bank account.

The Facts

American Tooling Center (“ATC”) is a tool and die manufacturer that outsources some of its work to third-party vendors. One of its legitimate third-party vendors is Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). ATC typically sends payment to YiFeng at the completion of various production milestones.

ATC fell victim to a vendor impersonation fraud, which is one of the most common forms of social engineering fraud. On March 18, 2015, ATC’s Vice-President and Treasurer received an email purportedly sent by YiFeng requesting payment to a new bank account. The email in question was sent from the domain name “@yifeng-rnould.com”, which resembled the legitimate domain name “@yifeng-mould.com”. ATC’s Vice-President and Treasurer verified that the applicable production milestones were satisfied, but did not verify the new banking information before wiring approximately $800,000 to the new bank account. When it came to light that YiFeng had never been paid the amounts it was owed, ATC submitted a claim to Travelers.

The Computer Fraud Coverage

ATC’s policy with Travelers provided coverage for:

… the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.

The Travelers policy defined “Computer Fraud” as:

The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:

1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

2. to a place outside the Premises or Financial Institution Premises.

Travelers took the view that, given the intervening events between the receipt of the fraudulent emails and the authorized transfer of funds, ATC had not suffered a direct loss directly caused by the use of any computer.

The Court agreed, observing that:

the fraudulent emails did not “directly” or immediately cause the transfer of funds from ATC’s bank account. Rather, intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfer, and initiated the transfer without verifying bank account information) preclude a finding of “direct” loss “directly caused” by the use of any computer.

The Court relied upon the Fifth Circuit’s recent Apache decision (see our October 24, 2016 post), making specific reference to that court’s observation that:

To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.

The Court then considered other recent computer fraud decisions, such as Pestmaster (see our August 4, 2016 post) and InComm (see our March 22, 2017 post). Applying the principles from these decisions to the case at bar, the Court concluded:

Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails. The Ninth Circuit [in Pestmaster] has interpreted the phrase “fraudulently cause a transfer” to “require the unauthorized transfer of funds.”[:] “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” See also Incomm … (noting that “courts repeatedly have denied coverage under similar computer fraud provisions, except in cases of hacking where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money”). [emphasis added]

The Court granted summary judgment in favour of Travelers.

Conclusion

American Tooling Center represents another decision in a growing line of jurisprudence which holds that there is no coverage for vendor impersonation and other social engineering fraud losses under traditional commercial crime coverages. The insurance industry has responded by introducing social engineering fraud-specific coverage, which allows insureds to obtain coverage for certain types of losses that fall outside the coverage provided under traditional policy wordings.

Given the increasing frequency of vendor impersonation and other social engineering fraud losses, insureds would be well-advised to consult with their brokers and insurers about the risks that social engineering fraud poses to their business, and the availability of social engineering fraud-specific coverage.

American Tooling Center, Inc. v. Travelers Casualty & Surety Company of America, 2017 WL 3263356 (E.D. Mich.)


Filed under Computer Fraud, Direct Loss, Social Engineering Fraud

The Brick: Alberta Court of Queen’s Bench finds no Coverage for Social Engineering Fraud Loss under Crime Policy’s Funds Transfer Fraud Insuring Agreement

By David S. Wilson and Chris McKibbin

On July 4, 2017, the Alberta Court of Queen’s Bench released its decision in The Brick Warehouse LP v. Chubb Insurance Company of Canada. The Court found that a vendor impersonation loss did not fall within the terms of a crime policy’s Funds Transfer Fraud coverage. The case represents the first social engineering fraud decision in Canada since the widespread introduction of discrete social engineering fraud coverage, and confirms the principles adopted in several recent American social engineering fraud decisions, including the Ninth Circuit’s decision in Taylor & Lieberman (see our April 3, 2017 post), on which the Court expressly relied.

The Facts

The Brick is a retailer of furniture, appliances and home electronics. In August 2010, an individual called the Brick’s accounts payable department. The caller indicated that he was calling from Toshiba and that he was missing some payment details. He added that he was new to Toshiba. The Brick employee faxed certain payment documentation to a number provided by the caller.

On August 20, 2010, a different individual in the Brick accounts payable department received an email from an individual purporting to be “R. Silbers”, using the email address silbers_toshiba@eml.cc. The individual claimed to be the controller of Toshiba, and indicated that Toshiba had changed banks from the Bank of Montreal (“BMO”) to the Royal Bank of Canada (“RBC”). The email indicated that all payments should be made to the new RBC account, and provided the necessary information to transfer money into the account.

That Brick employee proceeded to change the bank information for Toshiba in the Brick’s payment system to reflect the RBC account information. The employee simply followed the Brick’s standard practice on changing account information. No one from the Brick took any independent steps to verify the change in bank accounts, nor did anyone contact Toshiba.

As a result of the fraud, the Brick directed payment on 10 Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a net loss of $224,475.

The Brick submitted a claim to Chubb under its Funds Transfer Fraud coverage. Chubb denied the claim on March 15, 2012, on the basis that the Brick’s instructions to its own bank had emanated from an authorized employee of the Brick, and that the instructions were not themselves fraudulent. The matter was tried in 2017.

The Funds Transfer Fraud Coverage

The Chubb policy indemnified for “Funds Transfer Fraud by a Third Party”, and defined Funds Transfer Fraud as:

… the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.

The Court interpreted the insuring agreement as requiring that the Brick demonstrate that its bank transferred funds out of the Brick’s account under instructions from a third party impersonating the Brick. Coverage would not be available if the Brick knew about, or consented to, the instructions given to its bank.

The Court then considered how U.S. decisions such as Taylor & Lieberman had addressed this point:

There is no doubt that funds were transferred out of the Brick’s account. The question really is whether the funds were transferred under instructions from an employee who did not know about or consent to the fraudulent transactions.

In this case, the funds were transferred by a Brick employee as a result of fraudulent emails. [Chubb] seeks to have the court follow [Taylor & Lieberman]. In [that] case, the Ninth Circuit Court of Appeals examined a case with very similar facts. Emails were sent to a company employee who then acted upon them, transferring money out of the insured’s account. The emails were fraudulent. The court held that the insurer was not liable because the Taylor & Lieberman employee requested and knew about the transfers. Although the employee did not know that the email instructions were fraudulent, the employee did know about the transfers. [emphasis added]

The Court further considered the meaning of the terms “knowledge” and “consent” in the definition of Funds Transfer Fraud, noting that:

The Brick contends that the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions. While it is true that [the Funds Transfer Fraud insuring agreement] does state that, that clause must be examined in conjunction with the definition of fund transfer fraud contained in the contract. That definition includes the words “insured’s knowledge or consent”. There is no definition in the contract of either the term “knowledge” or “consent”. …

When a word or a term is undefined, the word should be given its “plain, ordinary and popular” meaning, “such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it”. One of the definitions of consent is “permission for something to happen, or agreement to do something.” Examining the facts, a Brick employee did give instructions to the bank to transfer funds. The employee was permitting the bank to transfer funds out of the Brick’s account. Consequently, the transfer was done with either the Brick’s knowledge or consent. Even applying the contra proferentem rule, the Brick still consented to the funds transfer. [emphasis added]

The Court concluded by noting that, while the fraudulent emails were undoubtedly the work of a Third Party, the actual transfer instructions were issued by a Brick employee; the transfer itself was not effected by a Third Party. Consequently, the requisite elements of the insuring agreement were not made out.

Conclusion

The Brick provides a Canadian counterpart to recent American social engineering fraud decisions such as Taylor & Lieberman and Apache (see our October 24, 2016 post). The decision covers two points of interest to fidelity claims professionals. First, it confirms that the “fraudulent instructions” to a financial institution contemplated by the Funds Transfer Fraud insuring agreement must be instructions which are themselves fraudulent, rather than authorized instructions issued by the insured which contain mistaken information due to an antecedent fraud. Second (and, effectively, a corollary of the first), it confirms that the instructions to the financial institution must emanate from a third party, rather than from the insured or an employee thereof.

The proliferation of social engineering frauds has created new risks for insureds, and fidelity insurers have responded by creating discrete social engineering fraud coverages. Like its American predecessors, The Brick serves as a reminder to businesses (and to their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain such coverage.

The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413 [Note: this decision does not appear to be accessible online; please contact us if you would like a copy.]


Filed under Funds Transfer Fraud, Social Engineering Fraud

Taylor & Lieberman: Ninth Circuit finds No Coverage under Crime Policy for Client Funds lost in Social Engineering Fraud

By David S. Wilson and Chris McKibbin

In the recent decision of Taylor & Lieberman v. Federal Insurance Company, the Ninth Circuit Court of Appeals affirmed a decision of the U.S. District Court for the Central District of California holding that a business management firm did not have coverage in respect of client funds which it was fraudulently induced to wire overseas.

While the District Court had held that the insured had failed to establish that it had sustained any “direct” loss at all (see our July 14, 2015 post), the Ninth Circuit affirmed the result on other grounds, holding that the insured had also failed to establish that the loss came within the substantive requirements of any of the Forgery, Computer Fraud or Funds Transfer Fraud insuring agreements.

The Facts

Taylor & Lieberman (“T&L”) was an accounting firm which also performed business management and account oversight services for various clients, including the client in issue. Clients’ funds were held in separate bank accounts maintained with City National Bank. Clients granted Powers of Attorney over their accounts to a designated individual at T&L, permitting transactions to be made in the accounts.

A fraudster obtained access to the client’s email account and sent two emails from that account to a T&L employee, as follows:

  • The first email directed the employee to wire $94,280 to an account in Malaysia. The employee did so, and then sent a confirming email to the client’s email account.
  • The next day, the employee received another email from the client’s account directing her to wire $98,485 to an account in Singapore. The employee again complied, and again sent a confirming email to the client’s email account.

The employee then received a third email, purportedly from the client, but sent from a different email address. The employee contacted the client by phone, and discovered that all three emails were fraudulent. T&L was able to recover some of the funds, but had to reimburse its client and incurred a net loss of nearly $100,000.

T&L submitted a claim under each of its Forgery Coverage, its Computer Fraud Coverage and its Funds Transfer Fraud Coverage. The District Court held that each of these coverages required “direct loss sustained by an Insured” and that, as a matter of law, no direct loss had been sustained.

On appeal, the Ninth Circuit did not disturb the finding with respect to direct loss, but affirmed the result on the basis that T&L had failed to establish that the loss came within the scope of any of the insuring agreements.

The Forgery Coverage

T&L contended that this insuring agreement’s requirement of a “Forgery or alteration of a financial instrument” did not require proof of a “Forgery” of a financial instrument; on T&L’s reading, the insuring agreement required only proof of an alteration of a financial instrument or a free-standing “Forgery” of any document, of any type. The Ninth Circuit quickly dismissed this contention, holding that the insuring agreement plainly required either a “Forgery” or an alteration of a financial instrument.

More substantively, the Court rejected T&L’s contention that the emails to T&L were financial instruments:

Here, the emails instructing T&L to wire money were not financial instruments, like checks, drafts, or the like. See Vons Cos., Inc. v. Fed. Ins. Co. … (C.D. Cal. 1998) (holding that wire instructions, invoices, and purchase orders were not “documents of the same type and effect as checks and drafts.”). And even if the emails were considered equivalent to checks or drafts, they were not “made, drawn by, or drawn upon” T&L, the insured. Rather, they simply directed T&L to wire money from T&L’s client’s account. In sum, there is no forgery coverage.

The Computer Fraud Coverage

The Computer Fraud insuring agreement required T&L to demonstrate “an unauthorized (1) “entry into” its computer system, and (2) “introduction of instructions” that “propogate[d] themselves” through its computer system.” The Court held that the sending of an email, without more, did not constitute an unauthorized entry into T&L’s computer system. Further, the emails were not an unauthorized introduction of instructions that propagated themselves through T&L’s computer system:

The emails instructed T&L to effectuate certain wire transfers. However, under a common sense reading of the policy, these are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code. … Additionally, the instructions did not, as in the case of a virus, propagate themselves throughout T&L’s computer system; rather, they were simply part of the text of three emails.

The Funds Transfer Fraud Coverage

The Funds Transfer Fraud insuring agreement indemnified against:

fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.

The Court held that the requirements of the insuring agreement were not met:

This coverage is inapplicable because T&L requested and knew about the wire transfers. After receiving the fraudulent emails, T&L directed its client’s bank to wire the funds. T&L then sent emails confirming the transfers to its client’s email address. Although T&L did not know that the emailed instructions were fraudulent, it did know about the wire transfers.

Moreover, T&L’s receipt of the emails from its client’s account does not trigger coverage because T&L is not a financial institution.

As a result, there was no coverage available under the Federal policy.

Conclusion

Following the Fifth Circuit’s decision in Apache (see our October 24, 2016 post), the Ninth Circuit’s decision in Taylor & Lieberman provides another example of a clear trend on the part of the courts to refuse to find coverage for social engineering fraud losses under the “traditional” crime policy coverages (typically, computer fraud and funds transfer fraud coverages, but occasionally, as here, other coverages as well). The proliferation of social engineering frauds has created a new exposure for insureds, and fidelity insurers have responded by creating discrete social engineering fraud coverages. Like Apache, Taylor & Lieberman serves as a cautionary tale to businesses (and to their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain such coverage.

Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir.)


Filed under Computer Fraud, Direct Loss, Forgery, Funds Transfer Fraud, Social Engineering Fraud

Apache Corporation: Fifth Circuit holds that Commercial Crime Policy’s Computer Fraud Coverage does not extend to Social Engineering Fraud Loss

By David S. Wilson and Chris McKibbin

On October 18, 2016, the U.S. Court of Appeals for the Fifth Circuit released its opinion in Apache Corporation v. Great American Insurance Company.  This is one of the first appellate decisions to consider coverage for a social engineering fraud loss under “traditional” commercial crime policy wording since the widespread introduction of social engineering fraud endorsements.  In holding that the loss did not trigger indemnity under the Computer Fraud coverage, the Fifth Circuit adopted the interpretive approach to Computer Fraud coverage taken by the Ninth Circuit in Pestmaster Services v. Travelers (which we discussed in our August 4, 2016 post) and applied it in the context of social engineering fraud.

The Facts

Apache is an oil production company which is headquartered in Texas and which operates internationally.  In March 2013, an Apache employee in Scotland received a call from a person claiming to be a representative of Petrofac, a legitimate vendor of Apache.  The caller instructed the employee to change the bank account information which Apache had on record for Petrofac.  The Apache employee advised that such a change request would not be processed without a formal request on Petrofac letterhead.

A week later, Apache’s accounts payable department received an email from a @petrofacltd.com email address.  Petrofac’s legitimate email domain name is @petrofac.com.  The email advised that Petrofac’s bank account details had changed, and included as an attachment a signed letter on Petrofac letterhead setting out the old and new account numbers and requesting that Apache “use the new account with immediate effect.”

An Apache employee called the telephone number on the letterhead and confirmed the authenticity of the change request.  Next, a different Apache employee approved and implemented the change.  A week later, Apache was transferring funds for payment of Petrofac’s invoices to the new bank account.

Within a month, Petrofac advised Apache that it had not received payment of approximately $7 million which Apache had transferred to the new account.  Apache recovered some of the funds, but still incurred a net loss of approximately $2.4 million.

The Computer Fraud Coverage

Apache maintained a Crime Protection Policy with Great American, but it does not appear that the policy included social engineering fraud coverage.  Apache asserted a claim under its Computer Fraud coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

 a) to a person (other than a messenger) outside those premises; or

 b) to a place outside those premises.

In Great American’s view, no indemnity was available because the @petrofacltd.com email did not cause the transfers in issue, and because the coverage was limited to losses resulting from hacking and other incidents of unauthorized computer use.

The Fifth Circuit accepted Great American’s position.  Noting that there was no Texas law directly on point, the Court embarked on what it described as a “detailed — but numbing — analysis” of the authorities interpreting the Computer Fraud coverage.  Chief among these was the Ninth Circuit’s recent decision in Pestmaster, in which that Court interpreted the coverage to require an unauthorized transfer of funds, rather than simply any transfer which involved both a computer and a fraud at some point.

The Fifth Circuit contrasted that requirement with the lengthy chain of events that had resulted in Apache’s loss:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead.  Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications.  Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices. 

The Court observed that the authorities generally refuse to extend the scope of the Computer Fraud coverage to situations where the fraudulent transfer is not a direct result of computer use, but rather results from other events.

In concluding that no indemnity was available under the Computer Fraud coverage, the Court held that:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.  To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster…, convert the computer-fraud provision to one for general fraud.  …  We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred.  In short, few — if any — fraudulent schemes would not involve some form of computer-facilitated communication.  [emphasis added]

Conclusion

The Fifth Circuit’s decision in Apache is broadly significant to the fidelity insurance industry not only because, like Pestmaster, it reaffirms the intended scope of the Computer Fraud coverage, but also because it reinforces the purpose behind insurers’ introduction of discrete social engineering fraud coverage in the last few years, i.e., the lack of coverage for social engineering frauds under traditional computer and funds transfer coverages.

The proliferation of social engineering fraud has undoubtedly exposed insureds to greater risk.  However, insurers have responded by underwriting discrete social engineering fraud coverages.  There is no need for courts to depart from the traditional interpretation of computer fraud and funds transfer fraud coverages in order to address this perceived problem, because a solution is already available.

As a practical matter, Apache confirms that insureds need Social Engineering Fraud coverage for these types of losses.  The decision provides greater certainty on the part of insureds, insurers and brokers as to the intended scope of each coverage, and makes it easier for all industry participants to ensure that insureds obtain the coverages they require for the types of potential losses that they face.

Apache Corporation v. Great American Insurance Company, 2016 WL 6090901 (5th Cir.)


Filed under Computer Fraud, Social Engineering Fraud

Aqua Star: U.S. District Court applies “Authorized Entry” Exclusion to claim under Computer Fraud Coverage

By David S. Wilson and Chris McKibbin

On July 8, 2016, the U.S. District Court for the Western District of Washington released its decision in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America.  The decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies (sometimes referred to as the “authorized access” exclusion), and illustrates how this exclusion may operate in the context of a social engineering fraud loss.

The Facts

The insured, Aqua Star (USA) Corp. (“Aqua Star”), is a seafood importer that had a pre-existing relationship with a legitimate vendor, Zhanjiang Longwei Aquatic Products Industry Co. Ltd. (“Longwei”).  In the summer of 2013, Longwei’s computer system was hacked.  The hacker apparently monitored email exchanges between an Aqua Star employee and a Longwei employee before intercepting those email exchanges and using “spoof” email domains to send fraudulent emails to the Aqua Star employee.  In the spoofed emails, the hacker directed the Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.

The Aqua Star employee inserted the revised banking information into Aqua Star’s computer system.  This revised information was then used to create Wire Confirmation Detail instructions that were transmitted to Aqua Star’s bank, the Bank of America.  As a result, $713,890 was wired to the hacker’s account before the fraud came to light.

The Travelers Coverage

Aqua Star maintained a Wrap+ Crime Policy with Travelers.  The policy covered Aqua Star for its “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud”, as defined.  Travelers relied on Exclusion G to the policy, which provided that the policy:

will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System. 

As a general observation, this type of exclusion is intended to encompass (among other things) social engineering fraud losses.  At present, social engineering fraud coverage is typically added to commercial crime policies by endorsement, with the endorsement providing that the exclusion in the base wording does not apply in respect of coverage afforded by the endorsement.  The intent is to reinforce that only social engineering fraud coverage, and not the “traditional” computer or funds transfer fraud coverages, responds to social engineering fraud losses.

It is not clear from the Court’s decision whether Aqua Star also maintained social engineering fraud coverage.

The Decision

On the parties’ cross-motions for summary judgment, the Court confined itself to the question of whether Exclusion G applied to the loss, and did not opine on whether the loss fell prima facie within coverage.  The Court held that, on its face, Exclusion G clearly applied to the facts.  The “revised” banking details were information, which fell within the meaning of “Electronic Data”.  The employee in question was a natural person and had the authority to enter banking details into Aqua Star’s computer system.  As a result, the exclusion applied.

Aqua Star advanced two substantive arguments in an effort to avoid the application of the exclusion.  First, Aqua Star asserted that the exclusion did not apply because, in order to initiate the wire transfers, an Aqua Star employee had to enter data into the computer system of a third party (i.e., its bank, the Bank of America).  The Court rejected this contention, observing that:

Although entering data into a third party’s computer system may have been the final step that led to Aqua Star’s loss, necessary intermediate steps prior to the transfer involved entering Electronic Data into Aqua Star’s own Computer System. Aqua Star does not explain why the involvement of a third party computer system would render Exclusion G inapplicable.

Second, Aqua Star contended that Exclusion G was actually intended to preclude coverage where a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or legitimate customer.  The Court did not accept this argument either, but did note that:

the clear language of the policy does not limit the exclusion to fraud perpetrated by an authorized user, although … it certainly could apply in that situation [as well]. 

As a result, Exclusion G applied to the loss.

Conclusion

In providing a detailed analysis of Exclusion G to the Travelers Wrap+ policy, Aqua Star reflects the intended boundary between social engineering fraud coverage and “traditional” computer fraud and funds transfer fraud coverages.  Courts have generally interpreted the computer fraud coverage as being intended to cover loss due to unauthorized hacking by third parties (see, for example, Pestmaster, which we discussed in our January 6, 2015 post), not employees’ authorized entries of data that are induced by external fraud.

To address this perceived gap, many insurers have introduced social engineering fraud endorsements to respond to the latter scenario.  The “authorized entry” exclusion reinforces insurers’ intent that the two coverages respond to different loss scenarios.  In our view, it is appropriate to keep this context in mind in assessing both the applicability of “authorized entry” exclusions and the dividing line between social engineering fraud coverage and other coverages.

Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, 2016 WL 3655265 (W.D. Wash.)


Filed under Authorized Access/Entry Exclusion, Computer Fraud, Social Engineering Fraud