Sugarman, Rogers, Barshak & Cohen, P.C.

July 24, 2024

Legal Update
John G. O'Neill, Jessica H. Park

Sixth and Second Circuits find coverage for social engineering fraud scams


Two federal appeals courts have recently issued opinions in key social engineering fraud coverage cases, in both instances finding that the policies in question provided coverage for the insureds’ losses. The decisions stand in contrast to certain earlier cases, including one from the Fifth Circuit, in which no coverage was found for similar types of scams.

In American Tooling Center v. Travelers Cas. & Sur. Co. of America, 2018 WL 3404708 (6th Cir., July 13, 2024), the Sixth Circuit reviewed whether there was “computer fraud” coverage for a spoofed e-mail scheme in which thieves impersonated one of the insured’s overseas vendors in order to divert vendor payments. The insured, a tool and die manufacturer, outsourced some of its work to a Chinese company, which periodically invoiced the insured via e-mail. Cybercriminals were able to intercept e-mails between the insured and the vendor and began to e-mail the insured, posing as the vendor. The thieves instructed the insured to change the bank account information for payments that were to be wired to the vendor, and the insured complied, unwittingly wiring payments for legitimate vendor invoices to the fraudsters’ bank accounts. Once the fraud was discovered, the insured again paid a portion of the outstanding invoices, this time to the vendor’s real bank account, and sought coverage for its losses.

The insured’s policy provided coverage for “direct loss of . . . Money . . . directly caused by Computer Fraud,” which was defined in relevant part as “the use of any computer to fraudulently cause a transfer of money[.]” As we reported in a prior update, the lower court refused to find coverage under this provision, adopting the view that the mere sending and receipt of fraudulent e-mails did not constitute “the use of any computer to fraudulently cause a transfer”—rather, the court found, something more akin to a system infiltration or “hacking” was required. But the Sixth Circuit disagreed, finding that there was nothing in the policy’s definition of “computer fraud” that expressly required hacking or unauthorized access. The court observed that the insurer could have incorporated more specific language into the “computer fraud” provision, had it wished to do so, and in the absence of such language, the court refused to find that the “computer fraud” coverage was limited to hacking or similar behaviors.

The court also found that the insured had suffered a “direct” loss within the meaning of the policy, as the insured lost money as soon as the transfer to the thieves’ account was effectuated—in the court’s view, it did not matter that the insured also contractually owed, and later partially paid, those same sums to its vendor. And, the court held, that loss was also “directly caused” by the computer fraud. The court recognized that the fraudulent e-mails precipitated a chain of actions by the insured, including determining which outstanding invoices to pay, entering the fraudulent banking information into an online banking portal, and approving the payments. But the court took the view that this entire chain of events constituted “computer fraud,” and found that the insured suffered its loss “immediately after the transfer, which marked the end of the ‘Computer Fraud’ as defined in the policy.” American Tooling, 2018 WL 3404708 at *5-6. The court thus held that there was coverage for the loss, and reversed the lower court’s ruling. Id. at *6.

The American Tooling decision followed closely on the heels of another recent opinion, Medidata Solutions, Inc. v. Federal Ins. Co., 2018 WL 3339245 (2d Cir., July 6, 2024), in which the Second Circuit found “computer fraud” coverage for an e-mail spoofing scam involving an insured research services provider. The insured in that case used Gmail as its e-mail platform, and the fraudsters used a computer code to trick the Gmail system into populating their own e-mails with the company president’s name, e-mail address, and photo in the “sender” field. The thieves used this tactic as part of an elaborate scheme in which, posing as the company president, they e-mailed and telephoned an accounts-payable employee and instructed her to wire money in connection with a company acquisition. Then, still posing as the president, the thieves sent e-mails to two company executives and instructed them to approve the wire transfer. Believing the communications to be genuine, the employee and executives complied, and several million dollars were transferred to the perpetrators before the fraud was detected.

The insured’s policy, which contained somewhat different language from the one at issue in American Tooling, covered the “direct loss” of money “resulting from Computer Fraud,” which was defined to include a transfer resulting from “the fraudulent (a) entry of Data into . . . a Computer System;” or “(b) change to Data elements or program logic of a Computer System[.]” Medidata, 2017 WL 3268529. As we previously reported, the lower court found that this provision covered the insured’s loss, ruling that the policy’s “computer fraud” coverage was not necessarily limited to hacking, but could encompass other “deceitful and dishonest access” to the insured’s computer system as well. 268 F. Supp. 3d 471 (S.D.N.Y., July 21, 2024).

The Second Circuit affirmed, finding that the loss fell within the plain and unambiguous language of the policy. Though no hacking in the traditional sense had occurred, the court found that “the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a ‘computer system’ within the meaning of the policy.” Medidata, 2018 WL 3339245 at *1. This attack, the court found, represented a “fraudulent entry of data into the computer system,” as the spoofing code was introduced into the e-mail system. The court also found that the attack made a “change” to a data element, as the e-mail system’s appearance was altered by the spoofing code. In addition, the court held that this spoofing attack was a sufficiently proximate cause of the transfer to satisfy the policy’s requirement that there be a “direct” loss. The court found that the chain of events that culminated in the wire transfer was “initiated by the spoofed e-mails, and unfolded rapidly following their receipt.” Id. at *2. And, although employees of the insured had to take action to effectuate the wire transfer, the court did not view those actions as sufficient to sever the causal link between the spoofing attack and the losses that the insured incurred. Id.

The American Tooling and Medidata decisions represent a somewhat different approach from those taken in certain other decisions, such as the Fifth Circuit’s ruling in Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016), which had appeared to reflect a growing trend toward requiring some form of hacking or unauthorized access in order to trigger “computer fraud” coverage. It remains to be seen whether these new decisions are indicative of a shift or merely a variation in the landscape of this rapidly developing area of the law.