Imagine a situation that is one of the C-suite’s worst nightmares: An employee in the accounting department receives an email from a high-level executive. The executive tells the employee to make a wire transfer to a specific account. The employee asks for further approvals from other executives, but the executive promptly forwards emails confirming the transfer as well, so the money is wired.
But at some point in the future, someone raises a flag. The emails the employee received weren’t from company executives. They weren’t even from anyone at the company. The employee had been tricked by a malicious actor using a common email phishing scam.
Luckily, the company has cyberinsurance. That should refund the loss of the fraudulently transferred funds, right? Not entirely. It all depends on how courts in the company’s jurisdiction interpret cyberinsurance coverage for computer fraud.
While cyberinsurance computer fraud policies vary, most cover the indirect or direct loss of property due to the fraudulent transfer of the property by a third party. But where such policies are left open to interpretation, federal courts have stepped in to define what exactly should be covered under the concept of computer fraud. And not all of them agree.
Courts in the U.S. Court of Appeals for the Fifth, Sixth and Ninth circuits have ruled that computer fraud policies do not cover situations where an employee of the company, who was authorized to access its computer systems, acts to transfer funds to a malicious or criminal actor, even though said employee was tricked.
The U.S. District Court for the Southern District of Texas upheld this argument in Apache v. Great American Insurance in October 2016, while the Ninth Circuit did the same in Taylor & Lieberman v. Federal Ins. in March 2017. And in August 2017, the U.S. District Court for the Eastern District of Michigan came to the same conclusion in American Tooling Center v. Travelers Casualty and Surety Company of America.
Joshua Bevitz, a partner at Newmeyer and Dillion, noted that in many of these cases, “the courts view has been, by interpreting a computer fraud coverage to include someone basically tricking you into using a computer to transfer the funds, you are essentially turning the computer fraud policy into a general fraud policy.”
He added that to count as computer fraud, these courts have determined there has to be fraud committed through the unauthorized use of the computer system. The courts have generally said “it has to be something where [malicious actors] have gotten into your system and made changes” or embedded software into the system that caused fraud.
At the other end of the country in the Second Circuit, however, things are markedly different. In its July 2017 ruling in Medidata Solutions v. Federal Insurance, the U.S. District Court for the Southern District of New York found that the phishing scam in question was an unauthorized intrusion into Medidata’s computer systems. Therefore, the incident was covered under Federal Insurance’s computer fraud policies.
“The New York court concentrated on the fact that essentially there was a break-in because the person did use a computer code to change data from the true email address to the Medidata president’s email address,” Bevitz said.
Whereas the Fifth Circuit in Apache “says essentially that the direct cause of the loss was not someone convincing you to do something, it was you doing something, the Medidata court” disagreed, he added.
To be sure, the New York court’s decision is an outlier. Bevitz noted that the Fifth Circuit in Apache was influenced by Texas law that “says if a question hasn’t been decided, we want to be the most consistent and essentially side with the majority … interpretation.” While the court did its own analysis of the case, “it did lean on the fact that other courts have come down in the same fashion.” The New York court, though, was untroubled by moving in its own direction.
Many corporations, however, might not have cases within a jurisdiction such as New York’s. So what are they to do? Bevitz suggested getting an additional specific insurance policy addressing phishing scams.
He explained that corporations “should obtain what is called fraudulent instruction insurance that would cover someone essentially tricking someone with access and authorization into transferring money to someone it is not supposed to go to.”