Federal Court Rejects Computer Fraud Coverage for Social Engineering Loss – JD Supra

Carlton Fields
In SJ Computers LLC v. Travelers Casualty and Surety Company of America, the U.S. District Court for the District of Minnesota recently addressed the scope of insurance available for a phishing scheme under the terms of a crime policy.
The fact pattern leading to the insurance claim in SJ Computers is a familiar one: SJ Computers’ purchasing manager received fraudulent invoices from a bad actor purporting to be a legitimate vendor, ERI Direct. The invoices directed SJ Computers to make payment via wire transfer to a bank account number different from the bank account number used by ERI Direct in the past. Thereafter, the bad actor hacked into the purchasing manager’s email account and, while impersonating the purchasing manager, forwarded the invoices to the CEO for payment. Upon receipt, the CEO called ERI Direct to confirm the bank account change and left a voicemail. ERI Direct did not return the CEO’s call before the payment deadline set forth in the fraudulent invoices, so the CEO paid the invoices without confirming the change with ERI Direct. SJ Computers discovered the fraud a few days later but was unable to recover the transferred funds.
At the time of this incident, SJ Computers had crime insurance coverage under a policy issued by Travelers. The policy provided insurance for “direct loss” that is “directly caused by” social engineering fraud (up to a $100,000 single-loss limit) and computer fraud (up to a $1 million single-loss limit). As defined by the policy, social engineering fraud meant “the intentional misleading of an Employee or Authorized Person by a natural person impersonating … a Vendor” or “an Employee.” The policy defined computer fraud to mean “an intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a Computer System.” Computer fraud does not include “entry or change [of data or computer instructions] made by an Employee [or] Authorized Person … made in reliance upon any fraudulent … instruction.” Importantly, these coverages were mutually exclusive under the terms of the policy.
SJ Computers submitted the claim for coverage under the social engineering fraud insuring agreement. SJ Computers, however, revised its tender to seek coverage under the computer fraud insuring agreement, which had a higher single-loss limit. Travelers accepted coverage under the social engineering fraud insuring agreement but declined coverage under the computer fraud insuring agreement. SJ Computers filed suit.
Upon Travelers’ motion to dismiss, the court found that the loss did not fall within the scope of coverage afforded by the computer fraud insuring agreement for several reasons. First, the court found the conduct that caused the loss did not meet the definition of computer fraud. In that regard, the court noted the conduct that caused the loss fell within the exception to the computer fraud definition for “entry or change [of data or computer instructions] made by an Employee [or] Authorized Person … made in reliance upon any fraudulent … instruction.” SJ Computers’ loss was caused by the CEO changing the wiring information in SJ Computers’ computer system in reliance on the fraudulent instruction from the bad actor and thus fell within the exception.
SJ Computers argued that the loss fell within the scope of the computer fraud insuring agreement because one aspect of the fraudulent scheme — namely the bad actor’s hacking into its computer system and impersonating the purchasing manager — would constitute computer fraud within the meaning of the policy. The court held that this argument alone would not alter its conclusion because, even if the bad actor’s hacking could be viewed in isolation, that act did not “directly cause” the loss. On that point, the court reasoned that SJ Computers did not suffer a loss when the hacker forwarded the invoices to the CEO. Instead, the loss occurred after the CEO acted on the fraudulent instruction. The CEO’s acts in reliance on the fraudulent instruction directly caused the loss and constituted “the intentional misleading of an Employee or Authorized Person by a natural person impersonating” a vendor or an employee within the policy’s definition of social engineering fraud.
The court further held that, even if the fraud reported by SJ Computers could be considered computer fraud, an exclusion to the computer fraud insuring agreement for “loss resulting from forged, altered, or fraudulent … instructions used as source documentation to enter Electronic Data or send instructions” would apply to bar coverage. The court reasoned that the exclusion applied because the loss resulted from “fraudulent instructions,” which the CEO “used as source documentation” to “send instructions.”
Because the bad actor “intentionally misled” an “employee” by “impersonating a vendor” and “an employee,” the fraud reported fell within the definition of social engineering fraud. SJ Computers attempted to avoid this conclusion by, among other things, arguing that it had not been established that ERI Direct was a vendor or that the purchasing manager was an employee within the meaning of the policy. The court rejected these arguments based on SJ Computers’ allegations in the complaint and common sense and granted Travelers’ motion to dismiss.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Carlton Fields | Attorney Advertising
Copyright © JD Supra, LLC
