One Phish, Two Phish: Recent Developments in the World of Computer Fraud Coverage

"I meant what I said, and I said what I meant," Dr. Seuss once quipped. Courts, nationwide, are stating likewise when it comes to insureds seeking coverage for phishing scams under their crime policies, specifically the Computer Fraud Coverage Form found in many commercial property policies. More often than not, no such coverage will exist for unsuspecting companies that fall victim to phishing scams. 

This is important news, because a recent report reveals that 85% of organizations suffered phishing attacks in 2016.¹ Not only are more organizations falling victim to phishing attacks, the number of attacks, and their sophistication level, are increasing steadily. Two-thirds of organizations polled reported experiencing attacks that were targeted and personalized ("spear-phishing attacks"), up 22% from the year before. 

Phishing Defined

What exactly is "phishing"? It is a fraudulent attempt—often for malicious reasons—to obtain sensitive information such as usernames, passwords, credit card details, and, indirectly, money, by disguising as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which is almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may even contain links to websites infected with malware.

Notably, "hacking" is distinct from "phishing." In a hack, information is extracted involuntarily, forcing the perpetrator to first invade and then take over your computer system, through brute force or more sophisticated methods, to access the sensitive data.²

The Purpose of the Computer Fraud Coverage Form

The typical Computer Fraud Coverage Form states, "We will pay for loss . . . resulting directly from . . . ‘Computer Fraud.’"  "Computer Fraud" is defined as "’theft’ of property following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’ to a person . . . outside those ‘premises’ or to a place outside those ‘premises.’" 

A review of secondary sources and treatises implies that the purpose of developing the Computer Fraud Coverage Form was to cover instances where a perpetrator directly hacks into an insured’s computer system and fraudulently causes—himself—a transfer of money. As one commentator noted, "’Computer Fraud’ requires the culprit to use a computer to transfer money . . . from within the insured’s premises . . . ."³ Another commentator stated, "’Computer Fraud’ mean[s] theft through the use of a computer to transfer covered property from inside the insured’s premises. . . ."⁴

The Computer Fraud Coverage Form, however, does not include any explicit reference to hacking, let alone phishing. Though companies victimized by phishing schemes have sought coverage under the form, they have had little success in the courts.⁵

A Year in Review:  Three Developments

In the last year, there have been at least three notable cases addressing this issue.  First, on July 29, 2016, the Ninth Circuit affirmed Pestmaster v. Travelers.⁶  Pestmaster sustained significant losses as a result of its payroll company’s breach of its contractual obligation to pay Pestmaster’s payroll taxes.  Pestmaster had executed an ACH authorization which authorized the payroll company to review and pay invoices, transferring funds from Pestmaster’s bank account for this purpose.  Instead of paying invoices, however, the payroll company transferred the funds, as it was authorized to do, but kept the monies for its own purposes.  The Ninth Circuit affirmed the lower court’s grant of summary judgment to Travelers.  The lower court explained, in part:

"Computer Fraud" occurs when someone "hacks" or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds. . . .  [T]here is an important distinction between "fraudulently causing a transfer," . . . and Pestmaster’s interpretation of "Computer Fraud" as "causing a fraudulent transfer. . . ."  [N]othing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims, . . . but where the claims themselves were fraudulent.⁷

The lower court also found that the use of a computer was merely incidental to, and not "directly related" to Pestmaster’s losses.⁸

Second, on March 16, 2017, the Northern District of Georgia found that a policyholder’s loss involving prepaid debit card system fraud was not "directly" caused by a computer.  In InComm Holdings v. Great American Insurance Company, the court granted summary judgment for Great American.⁹  In so holding, the court explained: 

That a computer was somehow involved in [a] loss does not establish that the wrongdoer ‘used’ a computer to cause the loss.  To hold so would unreasonably expand the scope of the Computer Fraud Provision. . . .  Lawyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain—between the perpetrators’ conduct and the loss—unreasonably strain the ordinary understanding of ‘computer fraud’ and ‘use of a[] computer.’¹⁰   

Third, on October 18, 2016, the Fifth Circuit decided Apache v. Great American Insurance Company, vacating judgment for the insured and rendering judgment for the insurer.¹¹  In Apache, an employee received a telephone call from a person identifying herself as a representative of a vendor.  The caller instructed the Apache employee to change the bank account information for its payments to the vendor.  The employee replied that the change request could not be processed without a formal request on vendor letterhead.  A week later, Apache received the requested letter via email.  The employee even called the phone number listed on the letterhead to verify the request and confirm its authenticity.  A different Apache employee implemented the change.  A week later, unbeknownst to it, Apache was transferring funds for payment of the vendor’s invoices to the perpetrator’s account.  Within a month, the legitimate vendor asked why it hadn’t been paid by Apache, and the scam was discovered.  Apache made a claim for the loss under its computer fraud coverage.

The trial court found that the policy covered Apache for the loss.  It rejected Great American’s argument that the loss was not direct because of intervening factors, explaining that "the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the emails as being a ‘substantial factor.’"¹²  The Fifth Circuit reversed, finding that the only computer use was the use of the email as part of the overall scheme.  The Fifth Circuit found that the email was "merely incidental" to the occurrence of the authorized transfer of money.  The court stated,  "To interpret the computer fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer fraud provision to one for general fraud."¹³

Cross-Jurisdictional Uniformity Emerges

As Dr. Seuss warned,  "Out there things can happen, and frequently do, to people as brainy and footsy as you."  According to the FBI, phishing attacks continue to increase exponentially and have resulted in losses of more than $5.3 billion over the last three years.¹⁴  Given these jarring statistics, it is likely that insureds seeking to recover funds lost in phishing schemes will continue to assert coverage under the Computer Fraud Coverage Form, despite an increasing number of cases, nationwide, clarifying what the form will and will not cover.  As emphasized in Apache, there now appears to be "cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use."¹⁵