The Sixth Circuit, in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), reversed the District Court’s grant of summary judgment in favor of the insurer in a dispute over coverage for a social engineering scheme. The policyholder, American Tooling, lost $800,000 after a fraudster’s email tricked an American Tooling employee into wiring that amount to the fraudster.
The District Court found the coverage under the insurance policy for computer fraud did not apply because the loss was not “directly caused” by computer fraud, as required for coverage under the policy. The Court pointed to “intervening events” like the verification of production milestones and initiating the transfers without verifying the bank account to find the loss was not a direct result of computer fraud. Further, the insurer argued that computer fraud loss under the policy required the fraudster to actually gain access to the insured’s computer.
The Sixth Circuit rejected the lower court’s findings and the insurer’s arguments and reversed the District Court’s ruling, finding that the loss was an immediate and proximate cause of the fraud because American Tooling immediately lost money when it transferred the money as a result of the fraudulent email. And further, if the insurer wanted to limit the coverage to losses caused by hacking of the policyholder’s computer, it should have limited the definition of computer fraud to hacking and similar behaviors. This decision comes after the Second Circuit ruled on July 6, 2018, in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2nd Cir. July 6, 2018), that a $4.8 million dollar phishing email loss was covered under the policy’s computer fraud coverage provision under similar reasoning.
The American Tooling decision serves as a reminder to policyholders to review their cyber and crime insurance policies with experienced coverage counsel to determine whether the specific policy provisions meet each policyholder’s particular needs and whether any revisions may be necessary before, or at, renewal to avoid any dispute, as some policies may limit coverage to instances of hacking or require the insured to undertake a verification process in order for coverage to apply. A copy of the Court’s decision can be found here.