Highlighting the continued problems faced by policyholders in obtaining coverage for “computer fraud,” a Michigan district court recently held that a manufacturer could not recover $800,000 in funds lost after an employee mistakenly wired payment for legitimate vendor invoices into a fraudster’s bank account after receiving a spoofed e-mail requesting payment. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 16-12108 (E.D. Mich. Aug. 1, 2017), the district court applied state law favoring a narrow interpretation of the crime policy’s computer fraud provision to hold that the policyholder had not suffered a “direct” loss that was “directly caused” by the use of any computer.
The policyholder, American Tooling Center, is a tool and die manufacturer that outsources some of its work to vendors located overseas. In 2015, ATC’s treasurer received a spoofed e-mail from a vendor (modifying the vendor’s e-mail to use a very similar, but incorrect, domain) instructing ATC to send payment for several legitimate outstanding invoices to a new foreign bank account. Without verifying the new bank information, ATC wired an $800,000 payment to the new account, but later learned that the payment was received by the fraudsters, not by ATC’s vendor.
ATC sought coverage from its insurer under a “computer fraud” provision, which stated in relevant part that the insurer “will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money . . . directly caused by Computer Fraud.” The insurer denied coverage, arguing that ATC’s loss was not a “direct loss” that was “directly caused by the use of a computer.”
The district court agreed and, in granting summary judgment for the insurer, raised many common insurer defenses related “direct loss,” “intervening causes,” and purported “hacking” requirements that have been rejected or limited by other courts (see prior blog posts on these issues here and here).
Despite ruling for the insurer, the American Tooling decision identifies numerous issues that policyholders should consider when negotiating coverage and pursuing coverage for cybercrimes. The court distinguished pro-policyholder “direct loss” cases cited by ATC—which found that “direct” as used in computer fraud provisions was synonymous with “proximate” or “predominate” cause—on the grounds that Sixth Circuit precedent (applying Michigan law) dictated a stricter definition of “direct,” meaning “immediate” and “without anything intervening.” The Michigan cases relied upon by the court were distinguishable, ATC argued, on the grounds that they interpreted “direct” loss narrowly only where the policyholder attempted to obtain coverage for loss suffered by a third party, which was inapplicable to the ATC dispute where the cybercriminal defrauded ATC of its own money.
The court found that the fraudulent did not “directly” cause the transfer of funds from ATC’s bank account because of intervening events between ATC’s receipt of the fraudulent e-mails and the transfer of funds, namely ATC’s verification of production milestones and authorization and initiation of the transfers without verifying bank account information. Other courts have rejected similar insurer arguments to narrowly interpret “direct” loss in favor of coverage where the chain of events leading to the fraudulent transfer was initiated by the fraudulent e-mail (see, e.g., the Medidata decision discussed below). As shown in American Tooling and other recent social engineering cases, state law can vary significantly on many important coverage issues. It is important, therefore, that policyholders be mindful of the impact that divergent state law may have when considering choice-of-law issues in connection with policy negotiation and when pursuing coverage for a particular loss.
The American Tooling court attempted to distinguish the widely-publicized, pro-policyholder Medidata decision (discussed here) on the grounds that the crime policy at issue in Medidata did not include the additional requirement that the “direct loss” also be “directly caused” by computer fraud. In doing so, the court cited to the Fifth Circuit’s Apache decision frequently relied upon by insurers in denying coverage for social engineering scams, but which policyholders (and the Medidata court) have roundly criticized as unpersuasive where the fraudulent transfer at issue was initiated as a direct result of the criminal sending a spoofed e-mail. Nevertheless, policyholders should be aware of the different language in computer fraud provisions and, if possible, negotiate a more favorable causation trigger.
Despite the unfortunate ruling in American Tooling, policyholders should not despair. Social engineering coverage continues to be a fact-intensive inquiry that depends on the nature of the cyberattack and the specific policy language, which varies significantly among crime policies. The American Tooling case in particular may be distinguished on the unique facts and application of Michigan law. We will continue to monitor this case, and other social engineering cases, as we expect this area of the law to evolve quickly as fraudulent transfers become more prevalent. In the meantime, policyholders should review their crime policies with experienced coverage counsel to determine what revisions may be necessary before, or at, renewal to avoid a similar result.