A recent appeal decided by the United States Court of Appeals for the Ninth Circuit in the case of Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America affirmed summary judgment for an insurer by holding that an exclusion in a crime policy unambiguously barred coverage for theft by social engineering, where the insured’s employees were duped into authorizing several fraudulent international electronic fund transfers. The case highlights the importance of the method used by criminals to trick employees, as well as the method used by employees to transfer funds. Additionally, Aqua Star provides a reminder that insureds should review their crime coverage and consider whether to revise or remove overly restrictive exclusionary language or obtain more specialized cyber liability insurance to afford coverage for the increasingly common threat of social engineering crimes.
In Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, the parties disputed whether the insured’s “Computer Fraud” policy covered losses from a social engineering scheme that duped the insured’s employees into transferring funds to a fraudster rather than to the intended recipient in China. The policy excluded coverage for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” Pursuant to Washington law, the Ninth Circuit held that the policy exclusion unambiguously applied because the insured’s employees had used the insured’s systems with authority when they changed wire transfer information and approved payments to the fraudster, affirming the district court’s grant of summary judgment to the insurer.
To explain the facts in more detail, the insured was the victim of a criminal scheme that ultimately caused it to lose more than $700,000 to an overseas fraudster. The fraudster intercepted legitimate emails between the American-based insured and its long-time foreign contractor, a merchant based in China. The fraudster gained control over the email stream by hacking into the merchant’s computer systems and rerouting the messages. The fraudster then created email domains and addresses very similar in appearance to those used by the insured and the merchant, allowing it to falsify emails.
After receiving false instructions from the fraudster, the insured’s employees updated the merchant’s bank account information in the insured’s database and later used that information to direct the Jennifer Senior Edward Vrtis insured’s financial institution to send funds intended for the merchant to the fraudster’s account. The fraudster tricked the insured’s employees by sending emails purporting to justify the change on taxrelated and other grounds. As a result of the fraudster’s lies, the insured’s employees misunderstood when the merchant legitimately informed the insured that its system had been hacked. The insured’s employees did not know that they were facilitating the fraudulent transfer of funds from their employer to the fraudster. In total, more than $700,000 of the insured’s funds were stolen before the fraud was discovered.
The insured submitted this loss for coverage pursuant to its $10,000,000 computer crime policy. The insurer denied coverage on several grounds, including based upon a specific policy exclusion. The policy exclusion stated: “This Crime Policy will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” The insured filed suit in the United States District Court for the Western District of Washington, seeking a declaratory judgment and damages on common-law claims under Washington law for breach of contract and breach of the covenant of good faith and fair dealing.
The insurer moved for summary judgment, arguing that the exclusion applied because the insured’s employees had voluntarily used their authorized access to the insured’s computer system to prepare, initiate and approve — and, thus, in part cause — the transfers to the fraudster. In response, the insured argued the exclusion was inapplicable because its loss directly resulted from the fraudulent instructions given to its employees and its employees’ unwitting use of those instructions in a third-party bank’s customer interface to transmit the funds. The insured distinguished between the entry of data into its computer system and the use of a bank’s interface to transfer funds. The insured contended that its employees’ actions in inputting the fraudster’s bank account data into the insured’s database were solely for recordkeeping purposes, did not cause the transfer and were merely incidental to its loss.
The district court granted summary judgment to the insurer. Assuming without deciding that the policy’s coverage provisions were triggered, the district court held that the exclusion barred coverage because the insured’s employees used the insured’s database both to prepare and initiate the transfers, and it was undisputed that the employees had updated the merchant’s information in the database to reflect the fraudster’s bank account information. On the specific facts before it, the district court concluded that the insured’s employees had used the insured’s computer system with authority to direct the transfer of funds to the fraudster, triggering the exclusion.
The insured appealed to the Ninth Circuit, contending that the district court had incorrectly interpreted the exclusion. The insured argued that the exclusion should not be interpreted to apply when one of its employees, an authorized user, made a routine and innocent entry of electronic data into its computer system that was an indirect cause of the loss. The insured further argued that the district court’s interpretation potentially would eliminate coverage for many of the most common computer crimes, or in other circumstances that would qualify as routine or innocent uses of the insured’s information systems by its agents.
The Ninth Circuit affirmed the district court’s grant of summary judgment to the insurer, holding that the employees’ unwittingly harmful “conduct fi[t] squarely within the Exclusion.” The Ninth Circuit considered that the insured’s “losses resulted from employees authorized to enter its computer system changing wiring information and sending four payments to” the “fraudster’s account.” The Ninth Circuit explained that the insured’s agents had “the authority to enter” the insured’s systems at the time they “input” the “Electronic Data” necessary “to change the wiring information and authorize the four wires.” Applying a narrow view, and limiting its holding to those specific facts before the court, the Ninth Circuit concluded it “need not go any further” than these facts to interpret the plain text of the exclusion.
Aqua Star highlights the significant impact on coverage that can result from the method used to access data systems and trick employees. The court in Aqua Star, for example, may have reached a different result if the insured’s employees had worked directly with the bank rather than using company systems to update the merchant information and direct the transfer of funds. While the Ninth Circuit’s decision in Aqua Star is nonprecedential, the case should sensitize insureds to the necessity of closely reviewing their crime policies and potentially obtaining additional cyber liability insurance coverage that expressly covers social engineering fraud, or what is sometimes also known as business email compromises. As social engineering crimes like the one in Aqua Star arise with increasing frequency, insureds should consider whether exclusionary language might limit coverage for such incidents. Moreover, insureds should look to more specialized forms of cyber liability insurance coverage to ensure additional protection from social engineering crimes.
This article was first published in Law360.