The Sixth Circuit recently entered a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, 2018 WL 3404708 (6th Cir. July 13, 2018), soundly rejecting a cyber carrier’s extremely narrow reading of its policy’s “Computer Fraud” coverage.  The insured American Tooling Center (“ATC”) had fallen for a “social engineering” scam.  ATC received emails from someone impersonating one of its vendors and claiming to have changed its wire instructions.  ATC transferred over $800,000 to the thief before realizing it was a scam.

Travelers denied coverage claiming, among other things, that ATC did not suffer a “direct loss” and that the scam was not “Computer Fraud” as that term was defined in the policy. On the first point, Travelers made the argument that ATC did not suffer a loss right away as a result of the fraudulent emails because it was simply transferring money that it owed to its vendor under contract.  Travelers claimed that the loss did not occur until ATC realized it was a scam.  The court rejected this argument with a simple analogy wherein A owes B five dollars and A is about to hand over a five-dollar bill when C runs by and snatches the money from A’s fingers.  Under Travelers’ theory, C caused no direct loss to A because A owed the money to B and was preparing to hand over the five-dollar bill.  As the Sixth Circuit found, “this interpretation defies common sense.”

On the second point, Travelers argued that its definition of “Computer Fraud” required a computer to “fraudulently cause the transfer” and that it was not sufficient to simply use a computer and have a transfer that is fraudulent. The term “Computer Fraud” was defined as “the use of any computer to fraudulently cause a transfer of…money…from [the insured’s premises] to a person outside [the insured premises].”  Travelers was essentially attempting to retroactively amend the policy to change the definition of “Computer Fraud” to hacking or similar situations where a nefarious party gains access to and/or controls the insured’s computer.  However, as the court noted, the policy language was not so limited and the acts at issue qualified as “Computer Fraud” because “the impersonator sent ATC fraudulent emails using a computer and those emails fraudulently caused ATC to transfer money to the impersonator.”

The American Tooling decision demonstrates the importance of carefully analyzing policy language as cyber losses continue to evolve.  Here, the policy did not expressly cover “social engineering” scams but the carrier was still on the hook because of the breadth of the policy language.  Undoubtedly carriers and insureds will continue to face these types of disputes in the ever-changing world of cyber insurance.