In the latest decision to consider the issue, the Ninth Circuit Court of Appeals has upheld a finding that a Crime Policy issued by Travelers did not cover a policyholder’s loss resulting from a fraudulent e-mail scam.

Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of America, 2018 WL 1804338 (9th Cir., April 17, 2018), involved a scam in which Aqua Star, a seafood importer, was tricked into making wire transfers to a cybercriminal’s bank account after receiving spoofed e-mails made to appear as if they had come from one of the company’s seafood vendors. The fraudulent e-mails asked Aqua Star to change the bank account information for future payments to the vendor. An Aqua Star employee complied with the request, entered the fraudulent account number into a computer spreadsheet on which Aqua Star saved its vendors’ bank account information, then used the fraudulent account number for wire transfers intended for the vendor. Over $700,000 was wired to the impostor’s bank account before the fraud was detected.

Aqua Star made a claim for the loss under its Crime Policy with Travelers, which covered certain losses directly caused by “Computer Fraud,” defined as the use of a computer to fraudulently cause a transfer of money.  Travelers denied coverage, citing, among other things, an exclusion that barred coverage for loss resulting “directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System[.]”

Aqua Star sought a declaration that the Crime Policy provided coverage, but the District Court agreed with Travelers, ruling that the exclusion unambiguously applied. The Aqua Star employee’s entry of the fraudulent account information into Aqua Star’s spreadsheet and subsequent use of that information to initiate the wire transfers, the court reasoned, was “entry of electronic data” by an authorized user of the insured’s computer system. Because this entry of data was a necessary step in the chain of events that led to the wire transfer, it was an “indirect” cause of the loss and came within the clear language of the exclusion.

On appeal, Aqua Star argued, among other things, that the District Court had erroneously failed to apply Washington’s “efficient proximate cause” rule, under which there may be coverage if two or more perils combine to cause a loss, and a covered peril is the predominant or efficient cause of the loss. The cybercriminal’s fraudulent use of a computer was the predominant cause of this loss, Aqua Star asserted, and coverage should not be destroyed because an innocent employee used a computer for an act that happened to be an intermediate step in the causal chain.

The Ninth Circuit disagreed, upholding the District Court’s finding that the exclusion unambiguously applied, and rejecting the “efficient proximate cause” argument. Noting that the efficient proximate cause rule applied only where two or more perils combined to cause a loss, the Court found that Aqua Star’s loss was caused by only one peril, Computer Fraud, and that the company “[could] not avoid a contractual exclusion merely by affixing an additional label or separate characterization to the act or event causing the loss.” Aqua Star, 2018 WL 1804338, at *1 (citation omitted).

The Aqua Star decision did not reach some of the threshold issues with which other courts have grappled in wire-fraud cases, such as whether Computer Fraud provisions are meant to be restricted to unauthorized intrusion or hacking into an insured’s computer system, as opposed to authorized entry of data prompted by fraud. Nevertheless, this decision joins a growing body of case law in which courts have declined to extend “Computer Fraud” coverage to situations involving fraudulent e-mail scams, and illustrates some of the many hurdles that can lie in the path of claims for coverage of such scams.

Related People

John G. O'Neill

Partner

617.227.3030 Email John

Jessica H. Park

Partner

617.227.3030 Email Jessica