Losses stemming from social engineering scams like the business email compromise are not covered by “computer fraud” provisions of commercial crime insurance policies according to the Fifth Circuit Court of Appeals in Apache Corp. v. Great American Insurance Co.
In this case, scammers pretended to be a vendor of Apache and called one of its employees in the accounts payable department to advise that they were changing bank accounts. The scammer then followed up the call with an email (on the purported vendor’s letterhead) to the employee advising of the new bank wiring instructions. After receiving this confirming email, Apache sent $7 million to the fraudsters. Apache was able to recover all but $2.4 million of the funds.
Apache made an insurance claim under “Computer Fraud” provision of its commercial crime insurance policy premised on the argument that the email was the cause of the transfer of the funds. Computer Fraud provisions in these policies cover losses “resulting directly from the use of any computer to fraudulently cause a transfer” of funds. The Fifth Circuit rejected this argument, finding that the use of the email was incidental to the transfer:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud.
I am very familiar with the arguments made in this case. Back in 2009, I was counsel in a similar case against some of the attorneys who handled this appeal. In that case, I extensively researched, diagramed, briefed, and argued these issues and we ultimately negotiated a favorable settlement for my client.
What does this mean for business?
When it comes to cyber insurance and insurance coverage for cyber-related events, there are many nuances that business people tend to gloss over and miss. They see the words “computer fraud” and think it covers every bad thing that can happen to them that is related to a computer but this is wrong. It does not and often times that means they believe they are getting coverage for risks when they really are not.
The time to think about this is before you have an incident — when you are procuring your insurance or now when you are reviewing your insurance coverage to see what you have. It is a whole lot more expensive to try and litigate it later and the odds are against you. I am happy to help you with either the review or the litigation but remember, “an ounce of cybersecurity prevention is often cheaper that the first day of litigation.”
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.