Cyberinsurance Covers Claim, But Probably Not for Long
Posted on 07/16/2018 at 11:36 AM by John Lande
A recent decision from the Sixth Circuit Court of Appeals is another victory for an insured whose insurance company denied coverage after a social engineering cyberattack. This victory, however, will likely be short-lived for insureds as insurance carriers learn lessons and apply them when drafting new policy language.
This blog has been following litigation all over the country between insureds and their cyberinsurance providers. Recently, in Medidata Solutions, Inc. v. Federal Insurance Co., the Second Circuit Court of Appeals affirmed a district court’s decision holding that cyberinsurance covered a loss resulting from an email spoofing campaign. Another case this blog previously covered—American Tooling Center, Inc. v. Travelers Casualty and Surety Company—initially had a different outcome. The district court ruled that a cyberinsurance policy did not cover an email spoofing loss. However, the Sixth Circuit recently reversed the district court’s decision and concluded that the computer fraud clause in the cyberinsurance policy did cover the loss.
To recap, American Tooling Center (“ATC”) is a tool and die manufacturing company based in Michigan that outsources part of its production to a company in China, Shanghai YiFeng Automotive Die Manufacturing Co. (“YiFeng”). ATC sends orders to YiFeng, and then electronically transfers payments periodically during the course of work. ATC communicates with YiFeng via email.
In early 2015, fraudsters began intercepting email between ATC and YiFeng. An ATC executive emailed YiFeng requesting all outstanding invoices. Fraudsters intercepted the email and began communicating with ATC on behalf of YiFeng. Fraudsters informed ATC that YiFeng changed its bank account due to an audit, and provided new wiring instructions for ATC’s payments. ATC was not suspicious because YiFeng previously, and legitimately, changed bank accounts.
ATC wired funds to the new account. However, the money did not transfer, so fraudsters emailed ATC again with new wire instructions. ATC followed the new wire instructions, and sent fraudsters approximately $834,000 through several transfers. After YiFeng sent a legitimate request for payment, ATC figured out the fraud.
ATC made a claim under the computer fraud provision of its cyberinsurance policy. Travelers denied the claim, however, because (1) the loss was not a “direct” result of computer fraud, and (2) no computer fraud was actually involved in the loss. The district court agreed with Travelers, and denied ATC’s claim.
The Sixth Circuit disagreed. First, the court addressed whether the funds transfer was a “direct” result of the fraudsters’ actions. After reviewing various definitions of “direct,” the court concluded that, no matter the definition, there is no doubt ATC’s loss was a “direct” result of the fraudsters’ scheme.
Next, the court decided Travelers was reading the computer fraud provision too narrowly when it argued the provision only covered hacking cyberattacks. Rather, the court ruled fraudsters “sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator.” In a significant footnote, the court noted Travelers could have written its policy to apply only to hacking, but did not clearly do so.
The Sixth Circuit also addressed three separate exclusions Travelers argued applied to this case. The court rejected all three exclusions. The common thread in the court’s analysis was that Travelers drafted the exclusion clauses, so they would be strictly construed against Travelers. If Travelers wants to avoid covering this kind of loss in the future, according to the court, it will have to revise its policy language.
This should be a cautionary tale for organizations of all kinds. While ATC prevailed, it took over three years of litigation, and ATC lost in district court and had to appeal. More importantly, the Sixth Circuit repeatedly pointed out that Travelers lost this case because of the way it drafted this particular policy.
Recent cases demonstrate that insurance providers are keen to separate coverage for hacking from cases like ATC and Medidata, which involved losses from social engineering schemes like email spoofing. Insurance companies will continue to try to draw a clear distinction between the two kinds of coverage. It will only be more important in the future for insureds to work with knowledgeable counsel or insurance brokers to obtain coverage for their cyber-risk.
ATC also benefited from an agreement with YiFeng to pay YiFeng half of the amount owed, and make the other half contingent on the outcome of this litigation. YiFeng could have demanded that ATC pay for the work YiFeng performed. YiFeng would have had a strong claim for breach of contract since ATC committed to pay YiFeng for work, and ATC inadvertently paid fraudsters instead. ATC could have been fighting both YiFeng and Travelers at the same time. Other organizations may not be as fortunate as ATC in this regard. Those organizations will have to choose whether to pay twice and hope to recover from insurance, or open up a second litigation front in the wake of a damaging data breach. In this case, if ATC had had better controls for verifying that it was sending payments to the correct location, it might have avoided this loss entirely. Other organizations should learn from ATC that it is better to prevent this kind of loss.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande