Court Holds Social Engineering Fraud Does Not Trigger Computer Fraud Coverage

Ashley Criss
Wiley Rein LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The United States District Court for the District of Minnesota, applying Minnesota law, has held that an insured’s loss resulting from the insured’s payment of fraudulent invoices received from a bad actor who hacked into the insured’s email system constituted social engineering fraud and did not trigger the policy’s computer fraud insuring agreement. See SJ Computers, LLC v. Travelers Cas. & Surety Co. of Am., 2022 WL 3348330 (D. Minn. Aug. 12, 2022).

The insured, a computer company, was defrauded when a bad actor compromised the email account of the insured’s purchasing manager and sent fraudulent vendor invoices to the insured’s CEO for payment. After a failed attempt to contact the vendor to confirm the new payment instructions provided with the fraudulent invoices, the CEO made the wire transfers, which went to the bad actor.

The insured sought coverage for the loss under a crime insurance policy, which contained a social engineering fraud insuring agreement and a computer fraud insuring agreement. The insured originally sought coverage under the social engineering fraud agreement, but later sought coverage under the computer fraud agreement, which contained a significantly higher limit of liability. The insurer denied coverage under the computer fraud agreement. Coverage litigation ensued.

The court held on a motion to dismiss that the insured’s loss fell “squarely” within the social engineering fraud agreement, noting that the insured’s arguments to establish coverage under the computer fraud agreement ranged from “creative to desperate[.]” First, the court held that the insured’s loss did not fall within the definition of “computer fraud,” which defined computer fraud as “an intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a [c]omputer [s]ystem” but excluded any “entry or change . . . made in reliance upon any fraudulent . . . instruction[.]” The court held that the CEO’s conduct fell precisely in the carve-out to the definition. Second, the court held that, even if the bad actor’s hacking could be distinguished from the CEO’s acts, which the court “seriously doubt[ed],” the hacking did not “directly cause” a “direct loss.” That is because the insured “did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages” and “would never have suffered a penny of financial loss if the CEO had not opened those email messages.” Thus, the court held that no coverage existed under the computer fraud insuring agreement. The court also noted that while other Minnesota case law interpreted “direct,” those cases were distinguishable as they were not decided in the context of computer fraud or social engineering fraud.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP
Wiley Rein LLP
Contact
more
less

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide