Corporate policyholders often assume their computer fraud crime insurance will cover so-called social engineering thefts. Reasonably so. Fraudsters commit these crimes by using computers to trick innocent employees into transferring corporate funds to what they believe are legitimate bank accounts, only to discover later that the accounts are controlled by criminals who have stolen the money. Although most people would consider this to be computer fraud, crime insurers have resisted covering such thefts. And some courts have sided with the insurers. Until recently, insurers could point to the Ninth Circuit Court of Appeals as being one of those courts. On January 26, the Ninth Circuit finally set the record straight in Ernst and Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), by repudiating a prior unpublished ruling and finding coverage for a social engineering theft under California law. This ruling gives policyholders a boost in their crime coverage claims for social engineering theft losses and removes a cudgel from the insurers’ hands.
Ernst and Haas involved a garden-variety social engineering scheme. The policyholder’s accounts payable clerk received an email purportedly from her boss directing her to make a payment. The clerk did not realize the email was a fake and had been sent by a fraudster. She transferred the requested funds to the bank account identified in an invoice attached to the email. The process repeated itself once before she realized on the third attempt that her boss had not sent the prior emails. The policyholder’s computer system was not hacked. The emails were simply spoofed messages sent by the fraudster.
Hiscox, the policyholder’s crime insurer, denied coverage. Several insuring agreements potentially covered the loss, but we focus here on the Hiscox policy’s “Computer Fraud” insuring agreement. The “Computer Fraud” insuring agreement required the loss to “result directly from the use of any computer to fraudulently cause a transfer of that property” to a person other than the policyholder.
As Patrick Loi has previously written for us, courts have disagreed about the meaning of the phrase “resulting directly”, or other similar wording, in the context of computer fraud. Compare Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x. 332 (9th Cir. 2016) (no direct loss without hacking) (unpub.), and Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016) (unpub.) (no direct loss where fraudulent emails caused insured to transfer money), and Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (NY 2015) (no direct loss without hacking), with Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017) (direct loss resulted from spoofed emails).
Hiscox denied coverage, relying on the line of cases narrowly interpreting “resulting directly”. It contended that the theft did not follow “immediately” or “directly” from the use of a computer and that the transfer was “authorized” because an intervening actor – the policyholder’s employee – deliberately executed the transfer after having received the fraudulent emails. Because there had been no “hack” or unauthorized access, the district court agreed, granting Hiscox’s motion to dismiss and relying on the Ninth Circuit’s unpublished Pestmaster decision.
In a published ruling, the Ninth Circuit reversed and held that Pestmaster was both factually distinguishable and legally wrong. The Ninth Circuit concluded that Pestmaster was distinguishable because the theft there was committed by a person who legitimately received the policyholder’s funds and then stole them; it was not a theft of the typical social engineering variety. In contrast, the first recipient of the policyholder’s funds in Ernst and Haas was the fraudster.
The Ninth Circuit then went on to reject the Pestmaster court’s reasoning, shredding the arguments that crime insurers have repeatedly put forth over the past decade to justify coverage denials. First, the Ninth Circuit noted that:
By relying on Pestmaster to reach [its] conclusion, the district court endorsed a faulty circular premise—that [the employee] “authorized” a transfer of $200,000, curing any prior fraud, when she initiated a transfer of $200,000 based on fraud. That reasoning—that this fraud became “authorized” precisely when it succeeded—cannot be the correct reading of the contract.
In other words, an employee’s unwitting transfer of funds to a fraudster is not “authorized” just because the employee transferred the funds. No one at the company “authorized” the funds to be stolen, nor could they have done so.
Second, the Ninth Circuit rejected Hiscox’s “resulting directly” argument, finding that the loss resulted directly from the fraudulent email because the policyholder “immediately lost its funds when those funds were transferred to [the fraudster] as directed by the fraudulent email. There was no intervening event[.]”
Ernst and Haas is a significant decision for policyholders because insurers can no longer push Pestmaster in the Ninth Circuit and argue that computer fraud coverage only applies when there is a hack. While policy language may vary, Ernst and Haas removes a significant roadblock to coverage in the Ninth Circuit.