On the heels of the Second Circuit Court of Appeals’ decision in Medidata Solutions, Inc. v. Federal Insurance Company, -- Fed. Appx. --- (C.A. 2 2018), the Sixth Circuit Court of Appeals continued a string of victories relating to insurance coverage for social engineering schemes utilizing the insured’s computer systems. The decision reached by the Sixth Circuit in Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of America, 2018 WL 3404708 (July 13, 2018) reversed a lower court’s decision that had found that the policyholder’s loss did not result “directly” from the use of a computer and therefore fell outside the crime victim’s computer fraud coverage.
In American Tooling, the policyholder’s employee was defrauded into paying a series of vendor invoices to a bank account controlled by a criminal who had intercepted emails between the employee and the vendor, enabling the criminal to impersonate the vendor through emails sent to the employee. Based upon these fraudulent email communications, the policyholder’s employee paid approximately $800,000 worth of invoices believing that he was paying the vendor when, in fact, he was directing the money to the criminal’s account.
Upon realizing the fraud, American Tooling made a claim upon its business insurance policy issued by Travelers, asserting the loss was covered by the Computer Fraud coverage in its policy. Travelers denied the claim in reliance upon its policy’s language which covered loss “directly caused” by computer fraud. Travelers claimed that the loss was not “directly caused” by computer fraud because, among other things, the insured’s employee had to undertake affirmative steps after the fraudulent emails to verify the amount of the invoices and initiate monetary transfers to the criminal’s bank account. The lower court agreed and entered judgment in favor of Travelers.
On appeal, the Sixth Circuit reversed the lower court’s decision. Distinguishing the facts in American Tooling from an earlier Sixth Circuit decision interpreting the meaning of “direct loss” language in fidelity bonds, the Court held that the loss was “directly caused” by the criminal’s fraudulent emails. The Court held that the insured “immediately lost its money when it transferred the approximately $834,000 to the impersonator; there was no intervening event.” Id. at *4.
Importantly, the Sixth Circuit also followed well-established rules of insurance policy construction in rejecting Travelers’ argument that the fraudulent emails did not constitute “computer fraud” because they were not akin to a “hacking” event into the insured’s computer systems. The Court noted: “Travelers’ attempt to limit the definition of ‘Computer Fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded. If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so.” Id.
Finally, the Sixth Circuit rejected Travelers’ attempted reliance on a series of policy exclusions it asserted precluded coverage under its policies. The Sixth Circuit’s refusal to apply these exclusions, while fact-specific, provides important guidance to courts faced with similar arguments in the future.
With the recent decisions in American Tooling and Medidata, policyholders victimized by social engineering and business email compromise schemes should continue to pursue their insurers for coverage of these losses and would be well-served to consult with their brokers and insurance recovery counsel to determine the optimal way to obtain coverage.