Social Engineering Scam Covered By Cyber Insurance

Farella Braun + Martel LLP

Farella Braun + Martel LLP

The Sixth Circuit recently entered a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, 2018 WL 3404708 (6th Cir. July 13, 2018), soundly rejecting a cyber carrier’s extremely narrow reading of its policy’s “Computer Fraud” coverage.  The insured American Tooling Center (“ATC”) had fallen for a “social engineering” scam.  ATC received emails from someone impersonating one of its vendors and claiming to have changed its wire instructions.  ATC transferred over $800,000 to the thief before realizing it was a scam. 

Travelers denied coverage claiming, among other things, that ATC did not suffer a “direct loss” and that the scam was not “Computer Fraud” as that term was defined in the policy. On the first point, Travelers made the argument that ATC did not suffer a loss right away as a result of the fraudulent emails because it was simply transferring money that it owed to its vendor under contract.  Travelers claimed that the loss did not occur until ATC realized it was a scam.  The court rejected this argument with a simple analogy wherein A owes B five dollars and A is about to hand over a five-dollar bill when C runs by and snatches the money from A’s fingers.  Under Travelers’ theory, C caused no direct loss to A because A owed the money to B and was preparing to hand over the five-dollar bill.  As the Sixth Circuit found, “this interpretation defies common sense.”

On the second point, Travelers argued that its definition of “Computer Fraud” required a computer to “fraudulently cause the transfer” and that it was not sufficient to simply use a computer and have a transfer that is fraudulent. The term “Computer Fraud” was defined as “the use of any computer to fraudulently cause a transfer of…money…from [the insured’s premises] to a person outside [the insured premises].”  Travelers was essentially attempting to retroactively amend the policy to change the definition of “Computer Fraud” to hacking or similar situations where a nefarious party gains access to and/or controls the insured’s computer.  However, as the court noted, the policy language was not so limited and the acts at issue qualified as “Computer Fraud” because “the impersonator sent ATC fraudulent emails using a computer and those emails fraudulently caused ATC to transfer money to the impersonator.”

The American Tooling decision demonstrates the importance of carefully analyzing policy language as cyber losses continue to evolve.  Here, the policy did not expressly cover “social engineering” scams but the carrier was still on the hook because of the breadth of the policy language.  Undoubtedly carriers and insureds will continue to face these types of disputes in the ever-changing world of cyber insurance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Farella Braun + Martel LLP | Attorney Advertising

Written by:

Farella Braun + Martel LLP

Farella Braun + Martel LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.