As the number and sophistication of social engineering attacks increases, victims are examining their insurance policies to see if they are covered. In The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413, and in Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (March 9, 2017 9th Cir.), fraudulent emails, as part of a social engineering attack, were sent to company employees who acted on them transferring money from the insured’s account. In both cases courts held that coverage under the Fund Transfer Fraud policy was denied as the victim knew or consented to the instructions given to its bank rather than by way of third party instructions impersonating the insured which would have been covered by the policy. Of note, the Alberta Court relied on legal developments in the United States in its decision.
The 6th Circuit has now taken a different look in a case of social engineering attack in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir. 2018).
ATC, a tool and die manufacturer in the automotive industry, uses a subcontractor in China, Shanghai YiFeng Automotive Die Manufacture Co. Ltd. (YiFeng), to outsource some orders. ATC has an elaborate payment system where 4 payments are made based on the progress of the work. YiFeng emails ATC invoices which go through a review process at ATC. ATC checks the progress that has been made after which an ATC vice president reviews a spreadsheet of payments due. ATC pays YiFeng using a wire transfer. To do so the ATC vice president uses a software portal on his computer to manually enter banking information after which the controller must approve it.
An ATC employee sent an email to a YiFeng employee seeking a list of all outstanding accounts. It seems an unknown person intercepted that message. The third party impersonating the YiFeng employee then began a discussion about the accounts with the ATC vice president. They claimed, due to an audit, that ATC should wire payments to a new account than usual. ATC did so. The imposter ran the scam two more times until YiFeng enquired about payments and ATC realized it had wired payments to an imposter.
ATC sought recovery for its loss under its Computer Fraud insurance policy. The insurer declined the claim and ATC sued. In a summary judgment application, the district court found in favour of the insurer that the loss was not covered.
The 6th circuit court of appeal reviewed the summary judgment on a de novo basis. In such a review the appeal court reviews all facts in the most favourable basis to the non-moving party.
The insurer argued that the loss was not a “direct loss”, this was not a case of computer fraud, and the loss was not caused by computer fraud.
The court found ATC lost the $864,000 directly when it paid the imposter, there was no intervening event.
The 6th circuit court distinguished a prior 9th circuit case, Pestmasters v. Travelers, 656 F. App’x 332,333 (9th Cir. 2016), that had found the phrase “fraudulently cause a transfer” to require fraudulent authorization of the transfer, finding in this case the imposter used a computer to send the fraudulent emails to ATC and those fraudulent emails caused the transfer. The court found these facts constituted the computer fraud.
The court found ATC had proved its direct loss was directly caused by the computer fraud, noting that the insurer could have, but did not, limit the term to cases involving hacking where the criminal causes the computer to do something. The court identified the first step as receipt of the fraudulent email. The internal actions of ATC in reliance on the fraudulent email were the directly next step and so the computer fraud directly caused the loss.
Having found in favour of ATC and that none of the exclusions in the policy were applicable, the court reversed summary judgment for the insurer, granted summary judgment to ATC and remanded for further proceedings.
This is similar to the result in Medidata Solutions, Inc. v. Federal Insurance Co., 15-CV-907 (ALC), (July 21, 2017, U.S. D.C. S.D. New York) where another court found that the more direct involvement and manipulation of a computer in the fraudulent scheme resulted in insurance coverage.
Here we have another data point on how a court will interpret the changing insurance coverage language in cyber coverage policies by looking in different ways at how a computer may be involved. We can expect insurers to carefully review and revise their policy language to address the limitation identified in this case. Insureds, on the other hand, have a different way of looking at what is a “computer fraud” in the facts of this case. It remains ever important to closely review policy language so that an insured understands and gets the coverage that they seek to purchase.
In time, we will see if further Canadian courts may look to the expanding US case law on guidance when dealing with similar fact situations.