In a seemingly illogical decision, the Fifth Circuit Court of Appeals ruled in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that loss resulting from a fraudulent e-mail did not trigger coverage under a crime policy’s “computer fraud” coverage because the loss was not the “direct result” of computer use.
Apache involved a fraudulent inducement of the policyholder, Apache Corporation, to wire $7 million in invoice payments to a fraudulent bank account under the belief that the account was that of a vendor, Petrofac. The inducement was precipitated by a phone call and confirmed with a fraudulent e-mail that purported to be on Petrofac letterhead. The fake letter also included a phony telephone number, which Apache personnel used to confirm the change request. Shortly after the transfers, Apache was notified that Petrofac had not received its payments that had been made to the new, and fraudulent, bank account. Apache recouped a portion, but not all, of the payments. Apache sought to recover the balance from its insurer.
The district court awarded summary judgment in favor of Apache. On appeal, the Fifth Circuit reversed finding that the loss did not result directly from the use of any computer. Rather, as the court explained, the email was part of the scheme, but, the email was merely incidental to the occurrence of the authorized transfer of money. Thus, the court concluded that to interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would convert the computer-fraud provision to one for general fraud.
Not only is Apache indicative of the ease by which imposters can fraudulently induce payment of millions of dollars by unwary policyholders, but the decision is illustrative of the significant gaps in coverage that still exist for cyber and other technology-related losses. A review of Apache’s so-called computer fraud coverage by experienced coverage counsel would likely have identified that Apache’s narrow coverage applied only where the loss resulted directly from the use of a computer, thus affording Apache an opportunity to negotiate a broadening of its coverage so that it actually protected its accounts payable operations.