A new Sixth Circuit decision may signal an emerging trend on whether insurers must cover claims made by policyholders who fall victim to phishing scams.
As e-commerce takes on an increasingly prominent role in business transactions, companies are falling victim to phishing, in which fraudsters pose as reputable entities to obtain sensitive information, such as credit card numbers, or to trick people into wiring money to phony accounts. While phishing schemes have become widespread in recent years — targeting companies in a variety of industries, including banking, manufacturing and retail — courts have diverged on whether losses stemming from these scams are covered by computer fraud and cyber crime policies.
The new Sixth Circuit decision in American Tooling Center v. Travelers Casualty & Surety Co. of America may mark a shift to a more policyholder-friendly approach. In Travelers, a three-judge panel reversed a lower court ruling and held that Travelers owed coverage to its insured, a tool and dye manufacturer, after the manufacturer’s employees wired more than $800,000 to a fraudulent account, believing it to be one of the company’s vendors. The manufacturer’s employees were fooled by a series of emails, purportedly from that vendor, which claimed the vendor had changed banks and that payments should accordingly be routed to a new account.
This new Sixth Circuit decision diverges from earlier ones.
Two years ago, the Ninth Circuit decided in its nonprecedential decision Pestmaster Services v. Travelers Casualty & Surety Co. of America that Travelers did not owe coverage after Pestmaster fell victim to a similar scam. There, the appellate panel reasoned that policy language in a computer fraud provision covering losses associated with “[t]he use of any computer to fraudulently cause a transfer” covered only the unauthorized transfer of money. While Pestmaster’s employees were fooled by the scam, they still explicitly authorized the transfers. “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy,” the Ninth Circuit reasoned.
A Fifth Circuit panel reached a similar conclusion in another nonprecedential decision, Apache Corp. v. Great American Insurance Co., in October 2016. There, scammers made fraudulent phone calls and sent fraudulent emails that resulted in Apache employees making payments to the scammers’ account. The court considered a policy provision reading, “We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer” to an outsider. While the scammers used emails to perpetuate their scheme, the panel reasoned, “the email was merely incidental to the occurrence of the authorized transfer of money.” Accordingly, the Fifth Circuit vacated a lower court ruling in favor of the policyholder, and rendered judgment in favor of the insurer.
The same insurer obtained a similar result before an Eleventh Circuit panel in Interactive Communications International, Inc. v. Great American Insurance Co., another unpublished decision released earlier this year. In that case, the policyholder, known as InComm, sought coverage after fraudsters took advantage of a glitch in InComm’s computer system that allowed the criminals to siphon off more than $11 million. In a per curiam decision, the panel held that this did not implicate the computer fraud provision in InComm’s insurance policy, which was substantively identical to the one in Apache. “Although the fraudsters did ‘use a computer’ within the meaning of the policy, we conclude that InComm’s loss did not ‘result[] directly’ from the computer fraud, as required by the policy.”
Other courts have been more generous with victims of cyber scams. In July, the Second Circuit, in another nonprecedential decision, affirmed that coverage was due under a computer fraud policy. In that case, the insurer tried to argue that its insured, Medidata Solutions Inc., did not suffer a “direct loss” as required by the policy when company employees authorized wire transfers after receiving emails from scammers posing as Medidata executives. The appellate panel rejected that argument, finding that the loss “was initiated by the spoofed emails, and unfolded rapidly following their receipt.”
The new Sixth Circuit decision against Travelers analyzed decisions from other circuits — including Pestmaster and the InComm case — but found that coverage was still due to the policyholder. The Sixth Circuit considered a computer fraud policy provision that reads, “The Company will pay the insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”
The panel rejected Travelers’ argument that the loss was not “direct” as required by the policy, reasoning that American Tooling Center “immediately lost its money when it transferred the approximately $834,000 to the impersonator; there was no intervening event.” The court also disagreed with Travelers’ attempt to limit the definition of “computer fraud” to “hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer[.]” As the court noted, “If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so.”
The Travelers decision is noteworthy not just because of its outcome, but also because the panel has slated its decision for publication, meaning it has more precedential value than virtually all past decisions in this area. Travelers has petitioned for a en banc rehearing, arguing that the decision conflicts with prior Sixth Circuit precedent.
While Travelers may point to a growing acceptance that coverage is due when policyholders fall victim to phishing attacks and similar schemes, we should not assume that the Travelers analysis will be universally applicable. As with so many insurance-related issues, coverage depends on the specific terms of each policy. Policies that are more precise in their definitions and in specifying what losses they cover are less prone to interpretation by the courts. In addition, some insurers are taking the guesswork out of these policies by addressing phishing incidents as their own category of coverage. With the prevalence of phishing incidents and other computer crimes on the rise, it is essential that both insurers and policyholders understand their rights and obligations under their policies.
