It is an all-too-common dilemma. As phishing schemes have become more prevalent and more sophisticated, businesses of all sizes have fallen victim to these attacks where a fraudster will use a spoofed email or other deceptive communication to trick an employee into transferring money into the fraudster’s control. While this is a difficult scenario for anyone to face, two decisions from federal circuit courts have offered policyholders some relief by finding coverage for these losses under policies insuring against Computer Fraud. In doing so, these opinions rejected insurers’ arguments that the theft accomplished through these fraudulent emails did not qualify as Computer Fraud or were not losses that were directly caused by Computer Fraud.

Medidata Sols., Inc. v. Fed. Ins. Co.

In Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp.3d 471, 473 (S.D.N.Y. 2017), a company, Medidata, suffered a loss when a fraudster used spoofed emails to impersonate Medidata’s president and convince company employees to transfer money into the fraudster’s account. With their initial email, the fraudster approached a member of Medidata’s accounts payable department, telling her that the company was working on an acquisition and requesting that she help a purported attorney finalize the transaction.  Id.  A man holding himself out to be that attorney then called the employee and demanded that she process a wire transfer for him.  Id.  After the employee indicated that she would need an email from the president requesting the wire and would also need approval from two other employees, the fraudster sent another email—again appearing to be from the president—to the three employees and requested the wire transfer.  Id.  Each of these spoofed emails contained the president’s name, email address, and picture in the “From” field.  Id.  Based on these emails, the employees processed two wire transfers to the impersonator before realizing that they had been defrauded.  Id.

Medidata’s insurance policy with Federal provided Computer Fraud Coverage which insured against “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.”  Id. at 474. Computer Fraud was defined as the “unlawful taking or the fraudulently induced transfer of Money, Securities, or Property resulting from a Computer Violation.”  Id.  A Computer Violation was defined, in turn, to include both “the fraudulent:  (a) entry of Data into . . . a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format . . . directed against an Organization.”  Id.

In analyzing coverage under this provision, the court explained the mechanics used to send the deceptive emails. Id. at 477. The thief was found to have created a message in Internet Message Format, akin to a letter, and that message was transmitted through a Simple Mail Transfer Protocol which the court analogized to an envelope.  Id.  The court explained that the thief embedded computer code in the emails which masked their true origin by displaying the thief’s true email address on the “SMTP Envelope” while displaying the president’s email address in the “IMF Letter” that was actually seen by the recipients.  Id.

Federal argued that the loss was not covered Computer Fraud because the thief constructed the fraudulent emails and computer code before sending them, and there was therefore no entry or change of data to Medidata’s computer system.  Id.  The Southern District of New York rejected that argument and found that the acts at issue did constitute Computer Fraud because (1) the fraud was achieved “by entry into Medidata’s email system with spoofed emails armed with computer code that masked the thief’s true identity” and (2) “the thief’s computer code also changed data from the true email address to Medidata’s president’s address to achieve the email spoof.”  Id. at 478.  Federal also separately argued that the emails at issue did not cause the loss because they did not “create, authorize or release a wire transfer,” but the court similarly rejected that argument and found that the “Medidata employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president.”  Id. at 479.

On appeal, the Second Circuit affirmed on both points. First, it held that the scheme did constitute Computer Fraud because (1) “the attack constituted a fraudulent entry of electronic data into the computer system” insofar as “the spoofing code was introduced into the email system” and (2) the “attack also made a change to a data element” in that “the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.” Medidata Sols., Inc. v. Fed. Ins. Co., 729 Fed.Appx. 117, 118. (2d Cir. 2018). Second, it held that causation was sufficiently established where, although “the Medidata employees themselves had to take action to effectuate the transfer,” those actions did not “sever the causal relationship between the spoofing attack and losses incurred” because those employees were “acting, they believed, at the behest of a high ranking member of Medidata.”  Id.at 119.

Am. Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am.

In Am. Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am., 895 F.3d 455, 457-58 (6th Cir. 2018), the insured, American Tooling Center, lost $834,000 after a fraudster impersonating the insured’s Chinese subcontractor contacted one of the insured’s employees and requested that payments for their outstanding invoices be made to new accounts which, in reality, were controlled by the fraudster. The employee processed several wire transfers before realizing that the money was going to an imposter.  Id. at 458.

American Tooling Center was insured under a policy with Travelers that provided that the insurer would pay for “the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”  Id. at 459 (emphasis in original). Computer Fraud was defined to mean “The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:  1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or 2. to a place outside the Premises or Financial Institution Premises.”  Id. at 461(emphasis in original).

Travelers argued that the loss resulting from this phishing scheme was not covered by the policy because (1) it did not constitute Computer Fraud, and (2) it did not constitute a direct loss that was directly caused by Computer Fraud.  Id. at 459-63.

With respect to whether the conduct constituted Computer Fraud, Travelers took the position that Computer Fraud required hacking or another method of gaining access to or control over the insured’s computer, and the phishing scheme could not qualify as Computer Fraud because no computer was used to fraudulently cause the transfer. Id. at 461-62. The Sixth Circuit rejected that argument and found that the scheme constituted Computer Fraud because “the impersonator sent [American Tooling Center] fraudulent emails using a computer and these emails fraudulently caused [American Tooling Center] to transfer the money to the impersonator.”  Id. at 461-62.

With respect to causation, Travelers asserted both that the loss was not direct and that it was not directly caused by Computer Fraud.  Id. at 459-63. As to whether there was a “direct loss,” Travelers argued that, because American Tooling Center had already contracted to pay the money at issue to its actual Chinese subcontractor, American Tooling Center did not suffer a loss at the time of the transfer but only at a later point when American Tooling Center agreed to pay the actual subcontractor a portion of the money that it still owed.  Id. at 459. While the Sixth Circuit noted some conflicting authority as to whether “direct” should be interpreted to mean “immediate or proximate” or “immediate only,” the court found that this qualified as a direct loss under either definition because American Tooling Center lost its money at the time of the transfer regardless of how it agreed to subsequently spread that loss with its actual subcontractor. Id. at 460-61. Travelers also argued that the loss was not “directly caused by Computer Fraud,” but the Sixth Circuit found that this requirement was met as well.  Id. at 462-63. The court reasoned that, even though American Tooling Center employees took several actions upon receiving the fraudulent emails such as verifying that the invoices were payable and setting up and approving the wire transfer, those internal actions were all directly induced by the fraudulent email.  Id.  As the court explained, the receipt of the fraudulent email was “step one,” and “step two” was the “series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator . . .”  Id. at 463.

Conclusion

As phishing schemes continue to threaten businesses everywhere, insurance is one tool that companies can use to protect themselves from these potentially devastating losses. Insurers now offer social engineering coverage that explicitly covers phishing-related losses. However, given the rulings made by the Second and Sixth circuits in these decisions, companies faced with a phishing loss should consider whether it may be covered under their Computer Fraud insurance.