Following a bench trial, the United States District Court for the Eastern District of Virginia found in The Cincinnati Insurance Co. v. The Norfolk Truck Center that a commercial truck dealer’s social engineering loss arose directly from a computer, thereby triggering the dealer’s computer fraud coverage, notwithstanding that the scheme involved numerous non-computer acts in the causal chain of events. A copy of the decision may be found here.
The case arose out of an all-too-familiar cyber scheme. The City of Norfolk placed an order for two trucks with The Norfolk Truck Center (“NTC”). In order to fill the order, NTC ordered parts from Kimble Mixer Company (“KMC”). On the same day the order was placed, a fraudster posing as a KMC employee and using a slightly modified email sent NTC’s CEO, David Harlow, two legitimate invoices for the order and provided wire instructions for payment. Mr. Harlow approved the invoices and directed his bank to issue payment pursuant to the instructions provided. After preparing the appropriate paperwork, which was executed by Mr. Harlow, NTC’s bank issued the payment. It took over a month before KMC followed up for payment, at which point NTC realized it had been the victim of fraud.
NTC submitted a claim to its insurer, Cincinnati Insurance Co. (“CIC”), under a policy providing coverage for, among other things, “Computer Fraud.” The policy provided that the insurer “will pay for loss of … ‘money’ … resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside [NTC’s offices] ….” (Emphasis added.) CIC denied coverage claiming that the loss did not result directly from the use of a computer because: 1) it was the legitimate invoice, not the email, that caused the wire transfer; 2) the loss did not result directly from the use of a computer given the length of time and number of people involved in issuing the wire transfer; and 3) NTC’s failure to investigate the wire instructions provided to it was an intervening cause precluding coverage.
The court began its analysis with the construction and application of the term “directly” and found the term unambiguously to mean “something that is done in a ‘straightforward’ or ‘proximate’ manner and ‘without deviation’ or ‘without intervening agency’ from its cause.” Applying the definition to the facts, the court concluded that “Computers were used in every step of the [way] including receipt of the fraudulent instructions and the insured’s compliance with such instructions by directing its bank to wire the funds to the fake payee.”
The court rejected all of the insurer’s argument that the damages were not “directly” from a computer. First, the court rejected the argument that the loss did not result directly from a computer because NTC issued the payment pursuant to a legitimate invoice. The court held that the provision only required the “cause” of the transfer to be fraudulent use of a computer; the email, originating directly from the use of a computer, satisfied that requirement. The court specified that it is the cause of the transfer that must be fraudulent, not the payment itself. Second, the court was unpersuaded by the insurer’s argument that the number of actors involved both inside and outside of NTC over the course of six days demonstrated that the loss was not “directly” from a computer. The court found that each of the actors “were necessary links in the chain that led to the loss” and that the length of time or the number of actors did not sever the direct chain of events, all of which originated from the use of a computer. Finally, the court rejected the insurer’s argument that NTC’s failure to uncover the fraud was an intervening cause. The court stated that such an interpretation would improperly read an exclusion into the insurance policy that simply did not exist. Accordingly, the court found that the loss of money resulted directly from the use of a computer despite multiple non-computer acts in the casual chain of events.
The court’s decision is a helpful guide concerning the appropriate standard and analysis to apply when considering whether a loss arises directly from a computer under a typical computer fraud policy provision. As the court makes clear, simply because non-computer acts are intertwined in the causal chain of events does not break the chain of causation by computer and, thus, does not mean that the fraud did not result directly from a computer.