On August 1, 2017, the U.S. District Court for the Eastern District of Michigan released its decision in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America. The Court held that a vendor impersonation fraud loss did not fall within the terms of a crime policy’s computer fraud coverage. In coming to this conclusion, the Court found there was no direct causal link between the receipt of fraudulent emails by an insured requesting payment to the fraudster’s bank account, and the insured’s authorized transfer of funds to that bank account.
American Tooling Center (“ATC”) is a tool and die manufacturer that outsources some of its work to third-party vendors. One of its legitimate third-party vendors is Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). ATC typically sends payment to YiFeng at the completion of various production milestones.
ATC fell victim to a vendor impersonation fraud, which is one of the most common forms of social engineering fraud. On March 18, 2015, ATC’s Vice-President and Treasurer received an email purportedly sent by YiFeng requesting payment to a new bank account. The email in question was sent from the domain name “@yifeng-rnould.com”, which resembled the legitimate domain name “@yifeng-mould.com”. ATC’s Vice-President and Treasurer verified that the applicable production milestones were satisfied, but did not verify the new banking information before wiring approximately $800,000 to the new bank account. When it came to light that YiFeng had never been paid the amounts it was owed, ATC submitted a claim to Travelers.
The Computer Fraud Coverage
ATC’s policy with Travelers provided coverage for:
… the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.
The Travelers policy defined “Computer Fraud” as:
The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:
1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or
2. to a place outside the Premises or Financial Institution Premises.
Travelers took the view that, given the intervening events between the receipt of the fraudulent emails and the authorized transfer of funds, ATC had not suffered a direct loss directly caused by the use of any computer.
The Court agreed, observing that:
… the fraudulent emails did not “directly” or immediately cause the transfer of funds from ATC’s bank account. Rather, intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfer, and initiated the transfer without verifying bank account information) preclude a finding of “direct” loss “directly caused” by the use of any computer.
The Court relied upon the Fifth Circuit’s recent Apache decision (see our October 24, 2016 post), making specific reference to that court’s observation that:
To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.
The Court then considered other recent computer fraud decisions, such as Pestmaster (see our August 4, 2016 post) and InComm (see our March 22, 2017 post). Applying the principles from these decisions to the case at bar, the Court concluded:
Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails. The Ninth Circuit [in Pestmaster] has interpreted the phrase “fraudulently cause a transfer” to “require the unauthorized transfer of funds.”[:] “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” See also Incomm … (noting that “courts repeatedly have denied coverage under similar computer fraud provisions, except in cases of hacking where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money”). [emphasis added]
The Court granted summary judgment in favour of Travelers.
American Tooling Center represents another decision in a growing line of jurisprudence which holds that there is no coverage for vendor impersonation and other social engineering fraud losses under traditional commercial crime coverages. The insurance industry has responded by introducing social engineering fraud-specific coverage, which allows insureds to obtain coverage for certain types of losses that fall outside the coverage provided under traditional policy wordings.
Given the increasing frequency of vendor impersonation and other social engineering fraud losses, insureds would be well-advised to consult with their brokers and insurers about the risks that social engineering fraud poses to their business, and the availability of social engineering fraud-specific coverage.
American Tooling Center, Inc. v. Travelers Casualty & Surety Company of America, 2017 WL 3263356 (E.D. Mich.)