On July 6, the Second Circuit Court of Appeals set off some fireworks in the insurance coverage litigation field when it found coverage for a “social engineering”/phishing scheme loss, bucking the trend among its sister courts. The appellate court affirmed a Southern District of New York decision that had been a relative outlier, finding coverage under a crime/fidelity policy for a scheme where fraudsters used spoof emails to trick company employees into changing wiring instructions. The scheme resulted in a $5.8 million loss for the plaintiff policyholder, Medidata Solutions, Inc.
Only a week later, on July 13, the Sixth Circuit Court of Appeals followed suit, reversing a Michigan district court’s decision that was rendered in favor of the insurer last summer. The district court had held that a similar scheme, where employees of the policyholder were tricked into changing wiring instructions to a vendor by “spoof” emails, resulting in an $800,000 loss, was not covered under the company’s crime/fidelity policy. The Sixth Circuit reversed the decision and found that the policy, indeed, covered such losses.
These decisions create a bona fide circuit split on the issue of whether a “phishing” or “spoofing” scheme comes within the computer fraud coverage part of a crime/fidelity policy. As we reported, the Fifth and Ninth Circuit Courts of Appeal have held these schemes are not covered under similar policy language. The Eleventh Circuit also recently reviewed a somewhat similar case, finding no coverage for a scheme where fraudsters used automated phone systems connected to a company’s computer system to alter the balances on pre-paid debit cards, resulting in an $11.4 million loss.
The Second Circuit’s Medidata decision
The insuring clause at issue in the Medidata case is contained in a Federal Executive Protection Portfolio policy, and covers “direct loss… resulting from Computer Fraud committed by a Third Party.” “Computer Fraud” is defined as the “unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” Finally, “Computer Violation” is defined as “fraudulent. . . (1) entry of Data into or deletion of Data from a Computer System, (2) change to Data elements or program logic of a Computer System. . . or (3) introduction of instructions, programmatic or otherwise, which propagate themselves through a Computer System.”
Given the circuit courts’ apparent unanimity, many expected the 2017 Medidata decision from the Southern District of New York to be reversed. The district court’s decision followed extended deliberation, including an invitation from the court for the parties to submit supplemental briefs and expert analysis of whether, and how, the fraudsters altered the company’s email system to create the illusion of emails emanating from company officials. That review led the trial court to conclude that the fraudsters had in fact made changes to “data elements or program logic” of Medidata’s email system.
The Second Circuit took a hard look at Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, P.A., a 2015 New York Court of Appeals decision. In that case, as we reported, the court held that the placement of the term “fraudulent” modified the words “entry” or “change” only, and the fact that the word was not used to modify “electronic data” or “computer program,” was telling. In other words, the policy covered fraudulent entry or change of electronic data, not the authorized entry of fraudulent electronic data. Word choice and placement are critical in coverage disputes, and to the extent National Union intended to limit coverage to situations involving “hackers” or the like, and not to this type of Medicare fraud, it succeeded with this particular policy wording.
The parties in Medidata agreed that the case did not involve direct hacking of the sort the Universal American decision held to be the intended risk covered by such provisions. But, the Second Circuit went so far as to suggest that “Universal in fact supports Medidata’s claim,” noting that:
Universal dealt with a medical claim fraud, where the perpetrators submitted false claims for services that were never rendered. The Court of Appeals found that such a fraud was not covered by a similar computer fraud provision, because the fraud was not on the “computer system qua computer system,” and did not entail a “violation of the integrity of the computer system through deceitful and dishonest access.” … Rather, the fraud at issue there only incidentally involved the use of computers, because the company processed its claims using computers (as opposed to on paper). Here, by contrast, the fraud clearly implicates the “computer system qua computer system,” since Medidata’s email system itself was compromised.
Id. at 3
The Second Circuit also rejected Federal’s argument that the loss was not a “direct loss” resulting from the spoofing attack, but rather sat at the end of a chain of attenuated events that ultimately led to the loss. Applying a proximate cause analysis and citing New York appellate authority on the issue, the court found that the spoofing attack was a proximate cause of Medidata’s loss.
The Sixth Circuit’s American Tooling decision
The Sixth Circuit reversed a decision in favor of the insurer from a Michigan federal court, captioned American Tooling Center, Inc. v. Travelers Cas. & Surety Co. of Am., No. 16-12108 (E.D. Mich., Aug. 1, 2017), which found no coverage in a similar scenario. Ironically, the district court had distinguished the Southern District of New York’s ruling in Medidata, noting that “Medidata is distinguishable because the insurance policy does not include the language at issue here, which requires the ‘direct loss’ to be ‘directly caused by Computer Fraud.’” Id. The Sixth Circuit disagreed and, aligning with the Second Circuit, found coverage.
The insurer, Travelers Casualty and Surety Co. of America, argued on appeal that (1) American Tooling did not suffer a “direct loss”; (2) this was not a case of “Computer Fraud”; and (3) the loss was not “directly caused by Computer Fraud.”
The Sixth Circuit, while not citing the Second Circuit’s very recent Medidata decision, nevertheless employed a similar analysis in finding that American Tooling suffered a “direct loss.” The court looked to Michigan precedent defining a “direct” loss as “one resulting from an ‘immediate’ or ‘proximate’ cause, as distinct from remote or incidental causes.” The court held that this comports with the plain meaning of the word as defined in various dictionaries, and further held that American Tooling’s loss was caused directly by the wiring of the funds to a fraudulent account.
In addressing the second issue raised by Travelers, that the loss was not caused by “Computer Fraud,” the Sixth Circuit specifically distinguished the Ninth Circuit’s opinion in Pestmaster. It noted that, in that case, the insured had hired a vendor to handle its payroll tax services and granted it electronic access to its bank account. The vendor was authorized to transfer funds out of Pestmaster’s bank account into its own account, and from there it was to pay Pestmaster’s payroll taxes. The fraud occurred when the vendor failed to pay the taxes and kept the money instead. Thus, “in Pestmaster, everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer. In contrast, here the impersonator sent [American Tooling] fraudulent emails using a computer and these emails fraudulently caused [American Tooling] to transfer the money to the impersonator.”
Finally, the Sixth Circuit dispensed with Travelers’ third argument, that the loss was not “directly caused” by the Computer Fraud. Here, the court relied on the recent InComm Holdings case from the Eleventh Circuit (discussed here), which ultimately found no coverage for a similar scheme, but nevertheless opined on the issue of when a loss results “directly” from a computer fraud. In InComm, the court held that the insured’s loss “resulted directly” from computer fraud, despite a “multi-step” process leading to the loss. The Sixth Circuit employed a similar analysis, finding that “[American Tooling] received the fraudulent email at step one. [American Tooling] employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two. This was ‘the point of no return,’ because the loss occurred once [American Tooling] transferred the money in response to the fraudulent emails.”
Last, because the district court had not reached the applicability of the Travelers policy’s exclusions, the Sixth Circuit addressed them. One such exclusion stated that “This Crime Policy will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System . . . .” The court held the exclusion inapplicable, however, because the policy defined “Electronic Data” as “facts or information converted to a form: (1) usable in a Computer System; (2) that does not provide instructions or directions to a Computer System….” Here, the Sixth Circuit found that the electronic input was arguably in the form of “instructions or directions to a Computer System,” so the exclusion was ambiguous at best and, as such, was construed in favor of coverage.
Where do we go from here?
While many insurers have begun addressing the issue by creating exclusions and standalone coverages to fill the gap, the Medidata and American Tooling decisions create unwelcome uncertainty and highlight the need for insurers to hone their policy language to more precisely define the risks covered. There is now a bona fide circuit split on this important coverage question, so parties must consider which states’ laws govern, and in what jurisdictions to file cases. The Medidata decision is also particularly troublesome for New York practitioners because it creates tension within New York law, as it arguably conflicts with the New York Court of Appeals’ Universal American decision.
Eyes now turn to the Eleventh Circuit, which is poised to release a decision on the issue. As noted above, the Eleventh Circuit has already tangentially addressed some of these issues in its InComm Holdings decision (discussed here), but it will directly address a phishing/spoofing scheme in its review of Principle Solutions Group, LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS (N.D. Ga. Aug. 30, 2016), now pending before it and fully briefed, although no argument date has yet been set.
The single most important takeaway, however, is that the changing coverage landscape underscores the importance of precision in policy wording, and that it is paramount for both insurers and insureds to understand the boundaries of the risks the policy is intended to cover. According to FBI data published in early 2017, losses from these schemes totaled over $3 billion between 2013, when the FBI started tracking data, and the end of 2016. One recent estimate projects growth to over $9 billion in 2018 alone. The problem will not abate; it will get much, much worse, both in frequency and in severity. We can expect this area to continue to generate litigation, especially given the added uncertainty caused by the Medidata and American Tooling decisions and the explosion of phishing/spoofing attacks, for which losses continue to mount at astonishing rates.