Decisions by two federal district courts, issued less than two weeks apart, underscore the continued unpredictability faced by policyholders victimized by social engineering fraud. These decisions also demonstrate the effect minor differences in underlying state law may have on the availability of coverage for social engineering losses.
In both Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529 (S.D.N.Y. Jul. 21, 2017) and American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am., 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017), the policyholder was victimized by criminals using spoofed emails to cause the policyholder’s employees to wire funds to the criminals’ bank accounts. In Medidata, the criminals utilized a series of spoofed emails and other communications to cause Medidata’s employee to wire over $4 million to an overseas bank account, believing that she was wiring the money pursuant to instructions from the company’s management to fund a confidential acquisition. Similarly, in American Tooling, the policyholder’s employee received an email purporting to be from a vendor directing payments on outstanding invoices, totaling approximately $800,000, to the criminal’s bank account.
Despite evaluating strikingly similar underlying facts, and applying similar policy language, the district courts reached opposite conclusions on the availability of coverage for the policyholders’ losses. In Medidata, the district court found that there was a sufficiently direct nexus between the fraudulent use of a computer and the policyholder’s loss to provide coverage under Medidata’s crime policy, and specifically, its computer fraud and funds transfer fraud coverages. Distinguishing cases such as Apache Corp. v. Great American Ins. Co., 662 Fed.Appx. 252 (5th Cir. 2016) and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 2014 WL 3844627 (C.D. Cal. July 17, 2014), the court found that even though events occurred after the original fraudulent email to aid in the scam, the computer fraud was the direct cause of the loss because the “Medidata employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata's president.”
In American Tooling, the district court held that a vendor’s spoofed emails, directing payment to the criminal’s bank account, were not the “direct” cause of the policyholder’s loss. Rather, intervening acts, such as the verification of production milestones, authorization of the transfers, and initiation of the transfers without verifying bank account information, “preclude[d] a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
Both cases demonstrate how small differences in fact patterns underlying social engineering crimes can have dramatic impacts on a policyholder’s ability to recover its losses. Coverage cases for these losses also frequently turn on the application of a particular state’s law, as state law interpreting the definition of “direct” in crime policies can range from very broad to very strict, impacting the policyholder’s burden in demonstrating a causal nexus between the use of a computer and the policyholder’s ultimate loss. As the law continues to develop on these claims, policyholders victimized by social engineering crimes are encouraged to review the availability of insurance coverage for their losses. The decisions in Medidata and American Tooling are on appeal to the Second Circuit and Sixth Circuit Courts of Appeals. The ultimate outcome of these appeals will be important in clarifying the state of the law relating to coverage for cybercrime policies.