Policy holders alleging that computer fraud provisions of their insurance policies extended to fraud that stemmed from an intercepted email and a spoofing attack notched wins before two separate appellate courts recently. The first involves Travelers Casualty and Surety of America and American Tooling Center Inc., and the second involves Chubb Ltd. and Medidata Solutions Inc.
American Tooling Center, Sixth Circuit Decision
American Tooling Center Inc. (ATC) is a tool and die manufacturer that produces stamping dies for the automotive industry and outsources some of its manufacturing orders. Shanghai YiFeng Automotive Die Co. Ltd (YiFeng) is one of ATC’s vendors. YiFeng emails ATC invoices, after which ATC goes through a multi-step process that includes verification that the work is completed, review of a spreadsheet of outstanding accounts payable, and a wire transfer that takes place via a banking portal. ATC had a policy with Travelers that covered any “direct loss” that was “directly caused by” the use of a computer.
In 2015, ATC sent an email to YiFeng requesting a list of outstanding invoices. That email was intercepted through unknown means, and a third party impersonating a YiFeng employee instructed ATC to wire its payment to a different bank account number. When the real YiFeng demanded payment, ATC realized it had wired the money to an imposter and sought to recover the loss from Travelers, claiming that the loss fell within the “Computer Fraud” provision of the policy. Travelers denied the claim.
The Travelers policy provided: “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities,” and “other Property directly caused by Computer Fraud.” Travelers argued that ATC did not suffer a “direct” loss, there was no computer fraud, and the loss was not directly caused by computer fraud.
The U.S. Court of Appeals for the Sixth Circuit overturned the district court decision and found that the Travelers policy covered the loss. The Sixth Circuit concluded that the fraudulent email received by ATC was the “point of no return” because the loss occurred once ATC transferred the money in response to the fraudulent email and therefore, the computer fraud “directly caused” ATC’s “direct loss.” In late August, a motion for en banc rehearing was denied.
Medidata Solutions, Second Circuit Decision
Earlier this summer, the U.S. Court of Appeals for the Second Circuit held that a computer fraud provision covered an email spoofing attack.
Medidata claimed that it was the victim of an email “spoofing” attack that resulted in a $5.8 million loss. The Chubb, Ltd. computer fraud provision covered any “entry of data into” or “change to data elements or program logic of” a computer system. Chubb asserted that the spoofing attack was not covered because the policy applied only to hacking-type intrusions. In a summary order, the Second Circuit concluded that the plain and unambiguous language of the policy covers the losses incurred by Medidata.
The court found that the fraudsters crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared to come from a high-level Medidata employee. The court found that this attack represented a fraudulent entry of data into the computer system and was covered by the computer fraud provision of the policy. The court found that the chain of events was initiated by the spoofed emails.
These two rulings represent a shift from earlier court decisions that have more strictly construed policies and prompted carriers to offer more specific cyber policies. It is uncertain how future courts will rule when faced with similar facts. Nevertheless, these rulings are a good reminder to carefully review any cyber insurance policies in order to determine what is best for your needs.