Recently, the Ninth Circuit dealt with a case involving a scenario that is becoming all too common. In Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a property management company’s accounts payable clerk received several e-mails from her supervisor instructing her to pay some invoices. Unbeknownst to the clerk, these e-mails did not originate with her supervisor, but were actually part of a fraudulent scheme to elicit fraudulent bank transfers. The clerk paid off hundreds of thousands of dollars in “invoices” before becoming suspicious but, by then, it was too late and the damage was done.

Afterwards, Ernst submitted a claim to its insurance company under its commercial crime policy, which provided coverage for “computer fraud” and “funds transfer fraud.” The insurer denied coverage on the basis that Ernst’s own employee had initiated the wire transfer of funds. After Ernst sued its insurer for breach of contract and bad faith, among other claims, the district court sided with the insurer on the basis that the policy’s language required that the loss or damage “result[] directly” from the fraudulent activity. Because the clerk was the one who initiated the wire transfer, the court reasoned that the loss resulted directly from an authorized act by the clerk, and not the fraudulent e-mail. On that logic, policyholders would not be covered unless a third party actually hacked their system and initiated a transfer themselves. An innocent employee used as a conduit to perpetrate fraud would not suffice.

Subsequently, the Ninth Circuit, in reversing and remanding the lower court’s dismissal, determined that the district court erred in three different ways:

  • First, the district court relied on a case involving embezzlement, which presented a different factual scenario than the third-party email fraud here. That case involved an insured company that authorized a third-party payroll tax servicer to transfer money on its behalf to pay taxes; the servicer then decided to steal it instead. Ernst, on the other hand, never authorized its clerk to wire the funds. Rather, the perpetrator was the one who fraudulently authorized the clerk with its email and stole funds that it was never authorized to receive in the first place.
  • Second, the district court narrowed the “computer fraud” provision’s language, interpreting a direct loss to be limited to “unauthorized computer use, like hacking.” The court reasoned that Ernst’s loss did not “result directly” from computer fraud because its clerk authorized its bank to initiate the wire transfer. But that could not be the law because it “eliminates the possibility of coverage whenever an employee is defrauded into taking action.” Relying on a decision from the Sixth Circuit, the Ninth Circuit panel felt that Ernst’s loss did indeed “result directly” from the computer fraud: there was no intervening event, only a loss that resulted directly from the clerk acting pursuant to the fraudulent instructions. Thus, the computer fraud provision covered Ernst’s loss.
  • Third, the district court held that the “funds transfer fraud” provision did not cover the loss because it did not “result directly” from fraudulent instructions to a financial institution. The perpetrator instructed the accounts payable clerk to transfer the money, not the bank. The Ninth Circuit panel, however, felt that the e-mail to the clerk directing her to transfer funds to the perpetrator, providing wire details, and providing fraudulent authorization was done with the sole purpose of initiating the wire transfer. Thus, the e-mail should be construed as a direct instruction to the bank. Further, the policy’s “fraudulent instruction” definition contemplated an instruction to the insured before the bank, which would otherwise be redundant if it only covered instructions to the bank without a conduit.

In this modern digital era, e-mail fraud schemes are commonplace. While a vigilant internal due diligence program as well as other measures may prevent fraud, criminals are becoming more sophisticated and technologically advanced, which increases the need for a proper insurance program that will cover victims of such fraud. Both commercial crime policies and cyber insurance policies can accomplish this in a number of scenarios; however, the terms and conditions can be intricate and ambiguous without the help of a professional. As such, a policyholder’s coverage counsel, broker, or other risk professional should be consulted to make sure the policy terms obtained are adequate given one’s specific needs and potential vulnerabilities.

The full opinion in Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022) can be found here.