The article, 9th Circuit says Computer-Fraud Policies May Cover ‘Spoofing’ by LCA Senior Fellow Peter Selvin of Ervin Cohen & Jessup LLP, was originally published in the Daily Journal, on February 16, 2022.
Consider the following two scenarios resulting in identical losses, but potentially two entirely different insurance coverage outcomes:
Scenario 1: A thief hacks, or gains unauthorized entry, into an insured’s computer system and causes that computer system to execute a bank transfer to the thief’s offshore account.
Scenario 2: A thief utilizes a process called “spoofing,” in which an authentic-looking, but fraudulent, email is created to trick the insured into wiring funds to the thief’s offshore account. The “spoofing” process in essence tricks the insured’s email server into recognizing the fraudulent email as one that actually originated from the insured’s client or other trusted source.
Computer fraud policies often provide coverage in the first scenario because in that instance the thief had actually obtained access to the insured’s computer and had “used” that computer, in the words of typical policy language, “to fraudulently cause a transfer of property from inside [the insured’s premises] to ... a person outside those premises.”
By contrast, in the second scenario, some courts have been unreceptive to finding coverage because an insureds acting on, or treating as genuine, a fraudulent email directing the payment of funds has not been thought to be the equivalent of the “use of a computer” in a manner that fraudulently “caused” a transfer of money or other property. As stated by one court, “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would ... convert the computer-fraud provision to one for general fraud.” Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Federal Insurance Company, 681 Fed. Appx. 627 (9th Cir. 2017).
However, a recent Ninth Circuit case joins several other decisions in finding that damages arising from “spoofing” may be covered under an insured’s computer fraud policy. See also Medidata Solutions, Inc. v. Federal Insurance Company, 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, 729 Fed. Appx. 117 (2nd Cir. 2018); Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Of America, 895 F.3d 455 (6th Cir. 2018).
In Ernst and Haas Management Company v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), an account payable clerk employed by Ernst received emails purportedly from her superior, David Hass, directing her to make several payments to Zang Investments, LLC (Zang). In fact, the emails were from a fraudster who was impersonating Hass. Believing the emails were genuine, the clerk approved and processed the payments to Zang by wire transfer.
After the fraud was discovered, Ernst and Hass tendered the loss to insurance company Hiscox under the company’s crime policy. That policy provided coverage for losses arising from computer fraud, which included losses “resulting directly from the use of any computer to fraudulently cause a transfer” of funds to a third party. The policy also provided coverage for losses arising from funds transfer fraud, which included losses resulting from a fraudulent instruction directing a financial institution to pay funds from an account maintained by the insured.
Hiscox denied coverage for the claim and Ernst and Hass brought suit. Relying on an earlier Ninth Circuit case (Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)), the District Court granted Hiscox’s motion to dismiss. The Court of Appeals reversed.
At the outset, the Ninth Circuit distinguished the facts of the case from those in Pestmaster, which involved embezzlement of funds by a third party contractor who had been authorized to disburse from the insured’s accounts to pay taxes. In Ernst and Hass, by contrast, the court was focused on an email fraud scheme in which the company’s account payable clerk had been fraudulently authorized to wire the funds.
The Ninth Circuit also rejected the District Court’s view that Ernst’s loss did not result “immediately” and “directly” from computer fraud because Ernst, through its account payable clerk, authorized its bank to initiate the wire transfers from its account. Citing the Sixth Circuit’s decision in Am. Tooling Center case, the Ninth Circuit held that Ernst’s loss arose “directly” from the fraud because Ernst’s account payable clerk acting pursuant to the fraudulent instruction “directly” caused the loss of funds.
The Ninth Circuit also rejected the District Court’s conclusion that there was no coverage for Ernst’s loss under the policy’s coverage for funds transfer fraud. The District Court had based its ruling on the fact that the fraudulent instructions did not direct Ernst’s bank to transfer the funds but instead directed the account payable clerk to direct the company’s bank to transfer those funds. In this regard, the Ninth Circuit pointed to language in the policy which stated that funds transfer fraud includes only fraudulent instructions directly to a bank but also fraudulent instructions initially received by an insured’s employee. In this regard, the Court cited Principle Solutions Group, LLC v. Ironshore Indemnity, 944 F.3d 886 (11th Cir. 2019) which held that an email directing an employee recipient to initiate a wire transfer through a bank satisfied the requirement that a fraudulent instruction “direct a financial institution” to transfer funds.
With the Erst and Hass decision, the Ninth Circuit appears to be joining with the decisions of other jurisdictions which have expanded the concept of “use of any computer” (as that language is used in computer fraud policies) to include not only the unauthorized intrusion into and manipulation of, an insured’s computer by a third party hacker, but also instances where an insured’s employee authorizes the transmission of funds based on a fraudulent instruction.
LCA Senior Fellow Peter S. Selvin is a Partner and Chair of Ervin Cohen & Jessup’s Insurance Coverage and Recovery Department. He represents policyholders in insurance coverage and recovery matters - both trying cases and counseling clients on how to avoid litigation. Since 2007, he has been listed in Best Lawyers of America™ for both Insurance Law and Commercial Litigation. Peter has published numerous articles concerning insurance coverage and recovery in such publications, and with such organizations, as The D&O Diary, Risk & Insurance, the International Bar Association, the Association of Business Trial Lawyers, Executive Counsel, the Los Angeles Daily Journal and the American Bar Association. He regularly contributes industry updates for ECJ’s California Insurance Law Commentary blog, which may be found at https://www.ecjlaw.com/ecj-blog/category/california-insurance-law-commentary.