08.15.2018 | Articles

Cybersecurity & Data Privacy Insider Vol. 2

Recent Federal Decisions Shaping Coverage and Exclusions in Crime Policies

Approximately five years after the Connecticut Superior Court decided Owens II, the Ninth Circuit Court of Appeals released the 2016 unpublished decision of Pestmaster II, which commenced a line of cases recognizing that computers are now used in almost every business transaction and, as such, reading a Crime Policy to cover all transfers that involve both a computer and fraud at some point in the transaction would impermissibly convert a Crime Policy into a General Fraud Policy. Pestmaster Services, Inc. v. Travelers Casualty and Surety Co. of America (Pestmaster II), No. 14-56294, 656 Fed.Appx. 332, 2016 WL 4056068 (9th Cir. 29 July 2016), aff’g Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039-JFW, 2014 WL 3844627 (C.D. Cal. 17 July 2014). The Pestmaster II Court reasoned, “[w]hile [the insurer] could have drafted this language more narrowly, we believe protection against all fraud is not what was intended by this provision, and not what [the insured] could reasonably have expected this provision to cover.”

Defining “Computer Fraud” in the Digital Age

Pestmaster sought coverage for certain authorized electronic transactions, as well as certain unauthorized transactions under the Funds Transfer Fraud provision and the Computer Fraud provision of the Crime Policy issued by Travelers. The Travelers policy defined Computer Fraud as “[t]he use of any computer to fraudulently cause a transfer…” The Pestmaster II Court held that the phrase “fraudulently cause a transfer” required an unauthorized transfer of funds, which requirement was not satisfied because Priority 1 transferred funds pursuant to express authorization from Pestmaster. Significantly, the Pestmaster II Court affirmed the District Court’s decision with regard to the authorized transfers, but remanded the decision for further consideration of coverage for allegedly unauthorized transfers.

Use of Email Communications Alone Does Not Constitute Computer Fraud

The Fifth Circuit Court of Appeals issued Apache, a decision based upon similar reasoning, less than three months later. Apache Corp. v. Great American Ins. Co. (Apache), No. 15-20499, 662 Fed.Appx. 252 (5th Cir. 18 Oct. 2016). The criminals in Apache first initiated contact with an Apache employee via a telephone call. The caller stated she was a representative of one of Apache’s vendors and instructed the employee to change the bank account information for vendor payments. The employee told the caller that the change needed to be requested in writing on the vendor’s letterhead, which request was received by Apache’s accounts-payable department about one week later. The written request was sent using an email address similar to the vendor’s authentic email domain with minor, innocuous changes made by the perpetrators. The email contained an attachment which was purportedly a letter on the vendor’s letterhead detailing old and new bank information and instructing Apache to use the new account for all future payments. An Apache employee called the number on the letterhead used for the email attachment and concluded the call confirmed the authenticity of the request. A different Apache employee approved and implemented the change. Apache began transfers to the account one week later. Apache received notice within one month of beginning transfers that the vendor had not received approximately $7 million in payments, which payments were made to the new (fraudulent) account. Apache ultimately recouped a substantial portion of the funds, but contended that it suffered a loss of $2.4 million after the applicable $1 million deductible. Apache sought coverage under the Computer Fraud provision of the policy issued by Great American Ins. Co. The United States District Court for the Southern District of Texas granted Apache’s motion for summary judgment and denied Great American Ins. Co.’s motion. The insurer appealed.

Great American Ins. Co. relied upon Pestmaster II and a 2008 Northern District of Texas ruling for the proposition that a hacking incident or other unauthorized computer use must have occurred for the Computer Fraud provision to afford coverage. Apache relied upon Owens I and Owens II. In reaching its conclusion, the Apache Court emphasized that the Owens I and Owens II decisions were vacated by the very Court that issued the rulings and also noted that Owens I and Owens II were the only trial court rulings presented to it in which computer fraud language was interpreted to cover a loss when the computer use at issue was limited to email correspondence. The United States Court of Appeals, Fifth Circuit, rejected the District Court’s reasoning and vacated judgment for Apache. The Court recognized that, although the email was part of a scheme, the email was merely incidental to the occurrence of the authorized transfer of money. It took judicial notice that the policy was issued in 2012 at a time when electronic communications were ubiquitous and the line between telephone and computer was already blurred. Ultimately, the Apache Court held that “few-if any- fraudulent schemes would not involve some form of computer-facilitated communication” and “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one of general fraud.”

The United States District Court for the Northern District of Georgia, Atlanta Division, took the application of these principles one step further in deciding InComm I when it held that reading into the coverage afforded by a computer fraud policy provision all transfers that involve both a computer and fraud at some point not only converts the crime policy into a general fraud policy, but also “violate[s] the Court’s obligation to read the Policy ‘as a layman would read it and not as it might be analyzed by an insurance expert or an attorney.’” InComm Holdings, Inc. v. Great American Ins. Co. (InComm I), No. 1:15-cv-2671-WSD, 2017 WL 1021749 (N.D. Ga. 16 Mar. 2017). “Lawyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain-between the perpetrators’ conduct and the loss-unreasonably strain the ordinary understanding of ‘computer fraud’ and ‘use of a[] computer’.”

The holdings and rationale of Apache, Pestmaster II and InComm I seemed to be foregone conclusion by the time American Tooling I was decided by the Untied States District Court for the Eastern District of Michigan, Southern Division, in August 2017. American Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am. (American Tooling I), No. 16-12108, 2017 WL 3263356 (E.D. Mich. 01 Aug. 2017). The Court made brief work of rejecting American Tooling’s request that the Court follow the reasoning of Owens I and Owens II and, instead, cited to Apache, Pestmaster II and InComm I for the conclusion that there was no coverage under the Travelers’ policy when the transfer of funds was authorized because it did not constitute computer fraud as defined by the policy.

Definition Not Yet Settled

Decisions released in 2018 resulted in drastic changes to what appeared to have been the status quo in interpreting computer fraud provisions of crime policies. American Tooling I was reversed by the United States Court of Appeals, Sixth Circuit, on July 13, 2018. American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America (American Tooling II), No. 17-2014, 895 F.3d 455 (6th Cir. 13 July 2018). The Sixth Circuit Court of Appeals found the facts of American Tooling distinguishable from those of Pestmaster II and held that the policy definition of computer fraud did not require that the fraud cause a computer to do something. The Court went on to reason that, if Travelers had wished to limit the definition of computer fraud to “hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer,” it could have done so, but the Court would not limit the definition so strictly when it was not written in that manner. InComm I was affirmed on other grounds by the United States Court of Appeals, Eleventh Circuit, on May 10, 2018, but the Eleventh Circuit rejected the District Court’s finding that the chit redemption at issue in that case did not result from “the use of a[ ] computer” as defined by the policy. Interactive communications International, Inc., et al. v. Great American Ins. Co. (InComm II), No. 17-11712, 731 Fed.Appx. 929 (2018).

These 2018 decisions and the ever-evolving landscape of litigation involving cybersecurity claims and the resulting coverage issues will be analyzed in future installments of Cybersecurity & Data Privacy Insider.

Share this article
Share this article