The Hunton Andrews Kurth insurance recovery team secured a victory for firm client, The Children’s Place (“TCP”), obtaining a ruling from a New Jersey federal court in The Children’s Place, Inc. v. Great Am. Ins. Co., 2019 WL 1857118 (D.N.J. Apr. 25, 2019), in which the court allowed TCP to seek insurance coverage for a “social engineering scheme” that defrauded the company of $967,714.29.
TCP fell victim to a hacker who modified electronic documents to trick TCP into believing it was paying its vendor on proper invoices. Unbeknownst to TCP, however, the hacker, through fraudulent emails, a forged letter, and an altered “Vendor Setup Form,” had actually provided TCP with the hacker’s account for payment. The hacker succeeded in its scheme by infiltrating the parties’ email services and intercepting emails between TCP and the vendor.
After learning of the fraud, TCP sought insurance coverage under its Crime Protection Policy with Great American Insurance Company (“GAIC”). TCP presented claims under three separate coverages—“Fraudulently Induced Transfer,” “Forgery or Alteration,” and/or “Computer Fraud.” GAIC denied coverage in full. TCP filed suit.
After GAIC moved to dismiss, the court determined that TCP could seek coverage under the policy’s Computer Fraud coverage, which covers “loss resulting directly from the use of any computer to impersonate you … employee, to gain direct access to your computer system … and thereby fraudulently cause the transfer of money… from your premises or banking premises to a person, entity, place or account outside your control.”
The court rejected both of GAIC’s arguments as to why the Computer Fraud coverage should not apply. First, the court rejected GAIC’s assertion that the hacker “did not gain direct access” to a computer system. Relying on Medidata, the court held that the hacker’s access to TCP’s email system and insertion into TCP’s email conversation constitutes direct access to TCP’s computer system. Second, the court rejected GAIC’s assertion that the hacker did not fraudulently cause the transfer of money.
TCP serves as a reminder that, with cybercrime on the rise, individuals and companies must ensure that they have appropriate comprehensive crime and cyber policies that are carefully tailored to the policyholder’s particular cyber risks. Policyholders also need to ensure that they zealously pursue coverage for claims implicating those coverages and be prepared to question insurers’ denials or limitations on coverage, especially where the insurer contends that a technical nuance has not been satisfied.