You May Not Have the Insurance Coverage for Computer Fraud that You Think You Do
If you think you have adequately protected your company by purchasing a computer fraud insurance policy, you may be wrong. Exclusions in the policy may result in your insurance carrier being able to deny coverage for some acts of computer fraud. Recent litigation shows the issue remains important. Here is what you should know.
Aqua Star (USA) Corp. v. Travelers Casualty and Surety Co. of America
In 2013, Aqua Star, a seafood company based in Seattle, was fooled into mistakenly wiring hundreds of thousands of dollars to bank accounts overseas that it thought belonged to one of its vendors. The scam involved the manipulation of e-mails that Aqua Star believed were legitimate communication from its vendor. When Aqua Star’s insurance carrier, Travelers, denied coverage, Aqua Star initiated litigation: Aqua Star (USA) Corp. v. Travelers Casualty and Surety Co. of America.
In 2016, a U.S. District Judge in Washington State ruled against Aqua Star, holding that “Exclusion G” in the insurance policy barred coverage because it excludes coverage for losses “resulting directly or indirectly from the input of electronic data” if related to authorized access of the insured’s computer system. Aqua Star appealed.
Oral argument concerning the appeal recently took place before a three-judge panel of the 9th Circuit Court of Appeals in San Francisco. Counsel for Aqua Star argued that there is coverage for the loss because the policy provides coverage for losses “directly caused” by “use of any computer to fraudulently cause a transfer of money.” A scammer using fake e-mails to trick someone into transferring money seems to fall within the policy’s computer fraud coverage.
However, one of the Court of Appeal judges openly disagreed because Aqua Star itself entered the fake vendor payment information into its computer system and transferred the money and the wire transfers involved “authorized access” of its computer system. That is, the loss did not result from “unauthorized access” to the computer system, i.e., the scammer directly hacking into the system and transferring the money. As such, the judge believes that Exclusion G is applicable and excludes the loss.
Counsel for Aqua Star responded that such an interpretation of Exclusion G eviscerates coverage under the policy for computer fraud. Travelers’ counsel countered that the policy provides the intended coverage, i.e. losses resulting directly from computer fraud, such as hacking, and that Exclusion G merely represents a fair spreading of the risks. The court has not yet issued a decision.
In 2017, Travelers made a similar argument in U.S. District Court for the Eastern District of Michigan in a case entitled, American Tooling Center v. Travelers Casualty and Surety Co. of America. Travelers won that case, and American Tooling Center appealed to the 6th Circuit Court of Appeals. That appeal is still pending.
Medidata Solutions Inc. v. Federal Insurance Co.
However, also in 2017, a U.S. District Judge in New York ruled that a company’s computer fraud policy did cover a loss resulting from a scammer tricking the company into wiring money overseas: Medidata Solutions Inc. v. Federal Insurance Co. Similar to what took place in Aqua Star, the scammer manipulated an e-mail so that it appeared to come from the president of the company, and asked that funds be transferred for an acquisition. After some of the company’s high-level officers approved the transfer, it took place. Federal Insurance Co. argued there was no coverage for the loss because the scammer never accessed Medidata’s computer system.
The judge in the Medidata Solutions case believed that from the perspective of a policyholder, computer fraud can embrace many types of scams given how cybercriminals are employing ever changing tactics. The judge simply did not see a material difference between being tricked into sending funds and having the funds stolen directly. In fact, the judge refused to apply the reasoning of a 5th Circuit Court of Appeals case, entitled Apache Corp. v. Great American Insurance Co., which has often been used as a shield by the insurance industry in these types of computer fraud cases, including in American Tooling Center. Instead, the judge ruled that, because Medidata’s transfer of the funds was directly caused by the scammer sending a manipulated e-mail, it was a covered loss.
Key Factors To Consider When Purchasing Coverage for Computer Fraud
Different courts can interpret similar policy language very differently, resulting in different outcomes. Nevertheless, concerning the coverage disputes discussed above, if the insureds had purchased fraudulent instruction coverage, litigation regarding whether the losses were covered would not have been necessary.
As such, before you purchase a computer fraud insurance policy, you should absolutely:
- Read the terms of the proposed policy, especially the exclusions, very carefully;
- Know how court(s) that could end up being the venue for a policy dispute have interpreted similar policy terms;
- Evaluate which uncovered losses you are willing to live with; and
- Determine whether any insurance company is willing to provide additional coverage, including fraudulent instruction insurance.
Only if you follow those steps then can you make an informed decision regarding what insurance policy to purchase.