September 18, 2019

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

Sixth and Second Circuits Rule In Favor of Insurance Policy Holders in Computer Fraud Provisions Cases

Policy holders alleging that computer fraud provisions of their insurance policies extended to fraud that stemmed from an intercepted email and a spoofing attack notched wins before two separate appellate courts recently. The first involves Travelers Casualty and Surety of America and American Tooling Center Inc., and the second involves Chubb Ltd. and Medidata Solutions Inc.

American Tooling Center, Sixth Circuit Decision

American Tooling Center Inc. (ATC) is a tool and die manufacturer that produces stamping dies for the automotive industry and outsources some of its manufacturing orders. Shanghai YiFeng Automotive Die Co. Ltd (YiFeng) is one of ATC’s vendors. YiFeng emails ATC invoices after which ATC goes through a multi-step process that includes verification that the work is completed, review of a spreadsheet of outstanding accounts payable, and a wire transfer that takes place via a banking portal. ATC had a policy with Travelers that covered any “direct loss” that was “directly caused by” the use of a computer.

In 2015, ATC sent an email to YiFeng requesting a list of outstanding invoices. That email was intercepted through unknown means and a third party impersonating a YiFeng employee instructed ATC to wire its payment to a different bank account number. When the real YiFeng demanded payment, ATC realized it had wired the money to an imposter and sought to recover the loss from Travelers claiming that the loss fell within the “Computer Fraud” provision of the policy. Travelers denied the claim.

The Travelers policy provided:  “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities,” and “other Property directly caused by Computer Fraud.”  Travelers argued that ATC did not suffer a “direct” loss,” there was no computer fraud, and the loss was not directly caused by computer fraud.

The U.S. Court of Appeals for the Sixth Circuit overturned the district court decision and found that the Travelers policy covered the loss. The Sixth Circuit concluded that the fraudulent email received by ATC was the “point of no return” because the loss occurred once ATC transferred the money in response to the fraudulent email and therefore, the computer fraud “directly caused” ATC’s “direct loss.” In late August, a motion for en banc rehearing was denied.

Medidata Solutions, Second Circuit Decision

Earlier this summer, the U.S. Court of Appeals for the Second Circuit held that a computer fraud provision covered an email spoofing attack.

Medidata claimed that it was the victim of an email “spoofing” attack that resulted in a $5.8 million loss. The Chubb, Ltd. computer fraud provision covered any “entry of data into” or “change to data elements or program logic of” a computer system.  Chubb asserted that the spoofing attack was not covered because the policy applied only to hacking-type intrusions. In a summary order, the Second Circuit concluded that the plain and unambiguous language of the policy covers the losses incurred by Medidata.

The court found that the fraudsters crafted a computer-based attack that manipulated Medidata’s email system which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared to come from a high level Medidata employee. The court found that this attack represented a fraudulent entry of data into the computer system and were covered by the computer fraud provision of the policy. The court found that the chain of events was initiated by the spoofed emails.

These two rulings represent a shift from earlier court decisions that have more strictly construed policies and prompted carriers to offer more specific cyber policies. It is uncertain how future courts will rule when faced with similar facts. Nevertheless these rulings are a good reminder to carefully review any cyber insurance policies in order to determine what is best for your needs.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

TRENDING LEGAL ANALYSIS


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney
Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

202-230-5674