Court Does Not Beat Around The Bush and Is Rather Direct In Rejecting Insurer’s Causation Argument In Computer Fraud Claim
Tuesday, May 10, 2022
Court Ruling Favors Insured in Computer Fraud Direct Loss Case
Print Mail Download i

As businesses continue to increase their reliance on technology, they are bound to face the inevitable risks associated with online transactions and other cyber exposures. This, in turn, emphasizes the importance of having the proper insurance policies and compliance methods in place to prevent or, at least, mitigate losses that ensue from these risks. In this context, many insurance policies require that there be a “direct” loss for there to be coverage, which has spawned numerous lawsuits about what the word “direct” means. The latest court to weigh in has sided with the insured and interpreted that term broadly to essentially mean proximate causation.

In City of Unalaska v. National Union Fire Insurance Company, an employee received an email from a fraudster, purporting to be a vendor, requesting a change to its payment instructions for invoices. 2022 WL 826501, at *1 (D. Alaska Mar. 18, 2022). The employee assumed that the request was legitimate and updated the bank account information and later initiated ACH payments for several invoices. The payments ultimately went to the fraudster’s bank account. Id. The insured submitted a claim to its insurer, who only accepted partial coverage under an Impersonation Fraud Coverage endorsement subject to a $100,000 sublimit, and refused to pay the remaining amount of the insured’s claim under the computer fraud insuring agreement of the policy. Id. at *2.

The insurer argued that the insured was not entitled to computer fraud coverage under a crime policy because “incidental” use of an email to perpetuate a fraud does not constitute “computer fraud” and the insured’s loss did not “result[ ] directly from the Fraudster’s emails” but was “temporally remote and involved a chain of intervening and independent steps and decisions that did not involve the fraudster.” Id. at *3. The court held that the plain language of the computer fraud insuring agreement makes it clear that there is coverage for a “loss of money resulting directly from a fraudster’s use of a computer – sending an email impersonating the City’s vendor – to fraudulently cause a transfer of funds from the City to the fraudster’s bank account,” and that a reasonable insured would expect coverage under the computer fraud insuring agreement. Id. at *7.

As a result, the court denied the insurer’s “direct means direct” argument, which would suggest that the loss would have to be “without deviation or interruption” and that “the Fraudster’s use of a computer … [would have to] directly bring about the funds transfer.” Id. at *4. Further, the court also found that the computer fraud insuring agreement does not require more than proximate causation because “though the word ‘directly’ may connote immediacy when read in isolation, a reasonable insured would consider the phrase ‘resulting directly from’ to convey the concept of proximate cause.” Id. at *8.

Cited within the Unalaska opinion is the similar case of Ernst and Haas Management Company, Inc. v. Hiscox Inc., 2022 WL 223965 (9th Cir. Mar. 7, 2022). There, the Ninth Circuit reversed the district court’s decision finding that the district court engaged in an “improperly narrow reading of the contractual language” when finding that “a direct loss is limited to unauthorized computer use, like hacking.” Ernst and Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195, 1200 (9th Cir. 2022). Therefore, the Ninth Circuit held that the insured’s loss was directly caused by the fraudulent transfer of funds when the employee transferred them (there was no intervening event), and the computer fraud insuring agreement could cover the insured’s alleged loss. Id. at 1202-1203.

The broad application of the “direct” language under these coverages is an important, recurring issue that many insureds confront when they have a computer fraud loss. The City of Unalaska case emphasizes the potential confusion and uncertainty regarding the causation requirement for “directly” language that is found in many policies. The ruling represents a trend by many courts who interpret the computer fraud coverage broadly and have rejected the “direct means direct” approach advocated by many insurers.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Legal Analysis

More from Hunton Andrews Kurth

IRS Issues New Favorable Pipeline Ruling for REITs
by: George C. Howell, III , Thomas W. Ford, Jr.
Treasury Proposes Stronger CFIUS Monitoring and Enforcement Rules
by: Sevren R. Gourley , Eric R. Markus
SAFETY Act Series, Part 1: The SAFETY Act Is Powerful Protection Against Emerging Liabilities
by: Lorelie S. Masters , Kevin W. Jones
The Hunton Policyholder’s Guide to Artificial Intelligence: Artificial Intelligence-Related Securities Exposures Underscore the Importance of Thorough AI Insurance Audits
by: Michael S. Levine , Geoffrey B. Fehling
The Hunton Policyholder’s Guide to Artificial Intelligence: The Importance of Auditing AI Risk
by: Michael S. Levine , Lorelie S. Masters
Introducing The Hunton Policyholder’s Guide to Artificial Intelligence
by: Michael S. Levine , Lorelie S. Masters
EPA Finalizes Landmark Rule Setting Stringent New Limits for Six PFAS in Drinking Water
by: Javaneh S. Tarter , Matthew Z. Leopold
California Wage Hike Law for Fast Food Workers Generates Uncertainty for Some Employers
by: Kirk A. Hornbeck , Brandon Marvisi
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
May 2024 Visa Bulletin – Priority Dates Stuck in the Mud
by: Suzan Kern

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins