Business Email Compromise (“BEC”), or social engineering frauds, are scams that induce a party to transfer funds according to criminally altered directions. These scams target organizations that receive payment instructions through computer systems or email. Such criminal activity has become more pervasive, as a fraudster need merely “spoof” an email, purporting to be a vendor or employee, sending an inconspicuous fraudulent wire transfer request or instruction. An organization that falls victim to such a scam will likely find that whether their insurance provides coverage for their loss is determined upon intensive interpretation of the language of the specific policies. Computer fraud policies often provide coverage against a hacking event, where a program or third party person infiltrates the organization’s computer system. However, unlike a hacking attack, spoofed emails or “phishing” attacks deceive an organization into giving away information or transferring funds. While this type of scam is nothing new, some traditional policies may provide coverage. Nevertheless, many others do not.
Computer Fraud Provisions May Not Provide Coverage
Where a third party hacker infiltrates an organization’s computer system and transfers money out, a computer fraud insurance policy will likely trigger. However, where a third party spoofs an email to gather information and to send an email that induces the transfer of funds, such a scam may not trigger coverage under a traditional computer fraud provision. The determination of whether computer fraud provisions protect against these modern scams is an intensive investigation into the language of the individual provision and the insurance policy as a whole.
In a recent decision from the Second Circuit applying New York law, the Circuit court affirmed the district court’s holding that Medidata’s losses fell within the coverage of the computer fraud provision in its insurance policy. Medidata Solutions Inc. v. Federal Ins. Co.¸ No. 17-2492-CV, 2018 WL 3339245 (2d Cir. July 6, 2018). Medidata suffered a computer-based attack that manipulated its email system, allowing fraudsters to spoof emails that purported to be from a high-ranking member of the organization. In this fraud, the third party hackers did not transfer funds directly to themselves. Rather, the action of spoofing an email induced employees of Medidata into unknowingly wire transferring $4.77 million to the fraudsters.
Medidata argued that their insurance policy through Federal Insurance covered their losses. Their policy contained a “Crime Coverage Section” that addressed “Forgery Coverage Insuring,” “Computer Fraud Coverage,” and “Funds Transfer Fraud Coverage.” The court found the relevant part of the policy to be the “Computer Fraud Coverage,” which defined computer fraud as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The policy defined “Computer Violation” to include both “the fraudulent: (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.”
In its decision, the Second Circuit found that the computer-based attack to access the email system was within the meaning of a “computer system” as defined in the policy. Further, the alternation of emails through a spoofing code represented a fraudulent entry of data into that computer system. This attack also “made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.” In addition, the court did not accept the insurer’s argument that Medidata did not suffer a direct loss, finding that a direct loss in New York equates to proximate cause. The court found it clear that the proximate cause of Medidata’s losses was the spoofing attack. However, the court made the distinction that New York does not have a strict rule about intervening actors, which the insurance agency argued would be the intervention by the employees of Medidata.
This opinion, from a persuasive appellate court, may not present an interpretation likely to be adopted in other courts, as these opinions are narrowly based upon the facts of the matter. If New York had a differing rule on intervening actors, Medidata may not have had coverage, as the action of entering the transfer data into the computer system by Medidata’s employees would have superseded the actions of the hackers, becoming the proximate cause of their losses.
Special points of interest:
• Social engineering fraud is a scam that induces a party to transfer funds according to criminally altered directions.
• These types of scams target organizations that receive payment instructions through computer systems or email and are on the rise.
• Some traditional insurance policies may not provide coverage for these types of scams.
In addition, the spoofing attack was more complex than many others. Medidata’s hackers utilized a hacking attack to infiltrate the email system of the organization. This is not the case for many third party fraudsters, who merely send an individual spoofed email purporting to be from a high-ranking member of the organization authorizing the transfer of funds.
In contrast to Medidata, the Fifth Circuit, applying Texas law, recently decided a simpler social engineering fraud where the court held that there was no coverage under a “Computer Fraud” provision, as the loss did not directly stem from the spoofed emails. Apache Corp. v. Great American Ins. Co., 662 F.App’x 252 (5th Cir. 2016). In Apache, the organization received a telephone call from a person claiming to be from Petrofac, a vendor for Apache, requesting to change bank-account information. The Apache employee instructed such a change could not occur without a formal request on Petrofac letterhead. Apache then received an email changing the accounts details, to take effect immediately and for all future payments. This email, purporting to be from Petrofac, contained as an attachment a signed letter on Petrofac’s letterhead, providing the old bank information and the new information, as well as instructions. Apache followed the instructions, and verified the change by calling the number listed on the instructions. Apache transferred $7 million to the fraudulent account, but recouped a substantial portion of the funds upon learning of the fraud. However, Apache was unable to recover $2.4 million.
Apache argued their losses fell within their “Computer Fraud” provision, providing for the “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises.” Apache alleged that the provision was silent as to hacking, and only needed to show the use of any computer fraudulently caused the transfer of funds, as opposed to an Apache owned computer.
The court found that the “Computer Fraud” provision only covered a loss resulting directly from the use of a computer, not from the receipt of a fraudulent email. The fraudulent computer use was limited to email correspondence, and thus did not trigger protection under the “Computer Fraud” provision. The blame for such loss fell at the feet of Apache. In addition, the court harped on the lack of procedural safety followed by Apache during this transaction, finding that “Apache invited the computer-use at issue.” To the court, if Apache used contact information that they had in the past, as opposed to the fraudulent information contained in the phony email, or even made a more thorough investigation, then they “would never have changed the vendor-payment account information.”
The Necessity of Insurance Policy Examination
Medidata and Apache exemplify the risk in insurance policy coverage. Medidata found coverage due to the interpretation of the specific language of policy and a specific type of scam. However, the Apache court found the losses stemming from another, more simplistic, form of scam did not fall under coverage of the insurance policy. It is clear that insurance policies may not provide the coverage that many organizations expect. However, insurance agencies have caught wind of this growingly pervasive problem and have begun offering tailored policies or endorsements. Such policies may alleviate potential insurance coverage disputes, and as such, should be examined closely to determine if the benefits of the coverage are useful to an entity. Beyond tailored provision or endorsements, the language of computer fraud provisions, and all individual provisions, should be scrutinized to determine what coverage is actually provided.
Organizations will need to examine their existing coverage policies to determine if they are at risk of falling on the wrong side of a coverage dispute. The attorneys at Melvin & Melvin continue to monitor developments in this area, and assist organizations in navigating this emerging field.
Melvin & Melvin , PLLC has been a leader in the legal profession in Central New York since its founding in 1921, representing businesses and individuals from its offices in the heart of downtown Syracuse, NY.