July 12, 2018, we reported on the Medidata decision handed down by the Second Circuit in which the court found coverage for a claim resulting from social engineering fraud. We suggested the ruling in Medidata lacks persuasive power due to its unusual factual circumstances and atypical policy language. The Sixth Circuit’s decision in American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), will have more persuasive power, but due to its significant departure from existing precedent, it still should not turn the tide in favor of policyholders in the war between insurers and policyholders with respect to social engineering fraud coverage under traditional commercial crime policies.
Unlike in Medidata, the dispute in American Tooling arises out of a garden-variety social engineering fraud scenario wherein a third party impersonating a vendor sought payment from the insured, American Tooling Center, Inc. (ATC). All told, the fraudster was able to abscond with more than $800,000 before ATC discovered the scheme. When the actual vendor sought payment, ATC agreed to pay 50% of the outstanding debt, and the other 50% of the debt would remain contingent on ATC’s insurance claim with Travelers Casualty and Surety Company of America (Travelers).
ATC filed suit, and a Michigan federal district court granted summary judgment in favor of Travelers with regard to coverage under the Computer Fraud coverage part of ATC’s insurance policy. On appeal, the Sixth Circuit analyzed three separate, albeit interrelated, requirements for Computer Fraud coverage. First, ATC argued it suffered a “direct loss” the moment it paid the impersonator. Although the policy did not define “direct,” the court held there was a “direct loss” irrespective whether a Michigan court would construe the term to mean “immediate” or “proximate.” More specifically, because there was no intervening event between the fraudulent emails and ATC’s transfer of funds to the impersonator, ATC immediately lost the money.
Second, the Sixth Circuit considered whether the impersonator’s conduct constituted “Computer Fraud.” The policy defined “Computer Fraud” as “[t]he use of any computer to fraudulently cause a transfer of Money . . . to a person outside the Premises or Financial Institution Premises.” Travelers pointed to Pestmaster Services v. Travelers Casualty & Surety Co. of America, 656 F. Appx. 332 (9th Cir. 2016), for the proposition that “Computer Fraud” was limited to hacking and other brute force attacks in which the fraudsters gained access to or controlled the insured’s computer. The Sixth Circuit disagreed, relying on the fact that the impersonator sent ATC fraudulent emails using a computer, which allegedly caused the payments to the impersonator. Plus, looking at other policies in the marketplace, the Court chastised Travelers for not more narrowly defining “Computer Fraud” as limited to criminal hacking.
Third, the Sixth Circuit concluded ATC’s direct loss was directly caused by Computer Fraud. To start, the Court distinguished a recent Eleventh Circuit decision finding no coverage for Computer Fraud where the loss involved intervening steps. See Interactive Comm’cns Int’l v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018). The Sixth Circuit opined that the spoofed emails received by ATC served as the immediate cause of the loss, overlooking ATC’s inadequate internal protocols that allowed the scheme to escape detection. In other words, the court honed in on what ATC did, instead of what it did not do. The most prominent example of this is the Court’s characterization of the fraudulent email as “the point of no return,” as the ATC employees then had to engage in internal actions proscribed by its protocols, which involved no meaningful verification procedures and facilitated the transfer of money to the impersonator. The Court thus determined the “computer fraud” “directly caused” ATC’s “direct loss.”
As we wrote in our Medidata post, a majority approach has coalesced around social engineering fraud losses resulting from spoofed requests from vendors not being covered under Computer Fraud policies. The Sixth Circuit has deviated from that approach and sided with the Second Circuit. Due to recent events favoring policyholders, there appears to be a growing split in how courts analyze coverage for social engineering fraud. This development suggests insurers may want to evaluate existing policy language to determine if modifications are in order to make it abundantly clear to any court that coverage for social engineering fraud claims is excluded. Moreover, during litigation, insurers should highlight the existence of standalone social engineering fraud coverage offerings in the marketplace as evidence that traditional commercial crime policies are not meant to cover these twenty-first century con artist’s schemes. One thing is for sure – while the policyholders won the battle in American Tooling, the war is hardly over. If this trend continues, insurers should consider a new battlefield if they want to win the war.