The Sixth Circuit is set to review a decision relevant to the issue of whether computer fraud insurance policies cover losses resulting from theft based on fraudulent email schemes. To date, the issue is one that has divided courts across the country.
The District Court Decision
In American Tooling Ctr., Inc. v. Travelers Casualty and Surety Co. of America, No. 16-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017) the U.S. District Court for the Eastern District of Michigan held that an $800,000 loss caused by a vendor impersonation email fraud scheme did not fall within the terms of a crime policy's computer fraud coverage. The court granted summary judgment to Travelers.
The Underlying Facts
American Tooling Center, Inc. ("ATC") is a tool and die manufacturer that fell victim to a fraudulent email scheme in which thieves posed as one of its vendors. Id. at *2. ATC asked its vendor in China, Shanghai YiFeng Automotive Die Manufacture Co., Ltd. ("YiFeng"), for outstanding invoices by email. Id. ATC received a response from an account that looked like the YiFeng account, and the responsive email directed ATC to send payment for the invoices to a new bank account. Id. at *3 ATC wired $800,000 to the thieves without verifying the banking instructions. Id.
After learning of the fraud, ATC submitted a claim to Travelers, which provided coverage for loss of money "directly caused by Computer Fraud." Id. The policy defined "Computer Fraud" as "[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property…." Id. Travelers denied ATC's claim on the grounds that ATC did not suffer a "direct loss" that was "directly caused" by "the use of any computer", and therefore there was no covered "loss". Id.
The District Court's Rationale
The district court agreed with Traveler's position, finding that the fraudulent emails did not directly or immediately cause the transfer of funds from ATC's bank account. Id. at *5. Instead, according to the court, several intervening events between ATC's receipt of the fraudulent emails and the transfer of funds (such as ATC verifying production milestones, authorizing the transfer, and initiating the transfer without verifying bank account information), precluded a finding of "direct" loss "directly caused" by the use of any computer. Id. at *5-6.
The district court relied on a case from the Fifth Circuit, Apache Corp. v. Great Am. Ins. Co., 662 Fed. App'x 252 (5th Cir. 2016), where the court found that merely sending and receiving fraudulent emails did not constitute the use of a computer to fraudulently cause a transfer, as the email was "merely incidental to the occurrence of the authorized transfer of money." Id. at 6-7. Further, the court made specific reference to the Apache Corp. court's observation that "to interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud." Id. at *7. Addressing a seemingly conflicting case presented by ATC, the court distinguished the case of Medidata Solutions v. Fed. Ins. Co., No. 15-CV-907, 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017) on the basis of the express language in the policy, noting that the policy language did not include the "direct loss" or "directly caused by computer fraud" language. Id. at *6 n.1.
The court concluded that although fraudulent emails were used to impersonate a vendor and dupe ATC into transferring funds, such emails do not constitute the use of a computer to fraudulently cause a transfer, as there was no infiltration or hacking of ATC's computer system. Id. at *7. Thus, the district court agreed with Travelers that there is no coverage under the Travelers policy. Id. at *8.
ATC's appeal of the district court's decision, American Tooling Ctr., Inc. v. Travelers Casualty and Surety, Case No. 17-2014, is currently pending in the U.S. Court of Appeals for the Sixth Circuit.
Many policyholders expect that if they are defrauded through the use of a computer and they have computer fraud insurance, there will be coverage for any resulting loss. The district court's decision, however, highlights the risk that insurance coverage for this type of loss isn't always certain, with the end result being that many companies think they will be covered for such a loss, when in fact, they may not be.
This further highlights the necessity of carefully reviewing insurance policies and negotiating the clearest language possible up front to avoid problems later. In performing a policy review and negotiating policy terms, companies should be aware of how courts in their jurisdiction have interpreted computer fraud coverage provisions, and the Sixth Circuit case is one to watch. Policyholders should consult with their brokers and coverage counsel about the risks that this type of fraud poses, and the coverage for such risks.