Years ago, we saw a number of large-scale cyber incidents hit large retailers and government agencies. A couple of years later, we saw the resulting litigation related to these large-scale incidents hit courts. As courts struggled with issues related to the large-scale events, we saw hackers target smaller data collectors. Now, we are seeing the resulting litigation related to these smaller attacks.
The latest example of how courts are addressing issues related to smaller targets is seen in American Tooling Center, Inc. v. Travelers Cas. and Surety Co. of America, N0. 17-2014 (6th Circ. July 13, 2018), where a small tool and die manufacturer, American Tooling, fell prey to scam and wired $834,000 to a hacker claiming to be one of American Tooling’s Chinese vendors in 2015. American Tooling tendered its claim for coverage under a computer fraud insurance policy issued by Travelers. When Travelers denied coverage, American Tooling filed suit and the District Court for the Eastern District of Michigan granted summary judgment in favor of Travelers and found no coverage under the computer crime policy.
On July 13, 2018, the Sixth Circuit Court of Appeals reversed the District Court’s decision and held American Tooling’s loss was covered and there were no exclusions that would bar coverage. The insurance claim arose from communications from American Tooling to one of its Chinese vendors on March 18, 2015 asking for all outstanding invoices. An unknown party intercepted American Tooling’s email and, on March 27, 2015, replied to the email as though it was the Chinese vendor and asked that the payments be wired to a different bank account because it was going through an audit. Of course, the new bank account was not owned by American Tool’s vendor. American Tooling wired the money as instructed by the unknown party multiple times in April 2015. American Tooling did not realize it was wiring money to the wrong person until the real vendor reached out seeking payment. American Tooling paid the vendor half the outstanding amount and “agreed that the remaining 50% would be contingent on [American Tooling’s] insurance claim.”
American Tooling claimed its loss fell within the “Computer Fraud” provision of its policy issued by Travelers. This provision, entitled “Computer Claim,” stated that Travelers “will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” Travelers denied coverage on the basis that American Tooling did not suffer a “direct loss,” “this is not a case of “Computer Fraud,” and “the loss was not ‘directly caused by Computer Fraud.’”
The Sixth Circuit rejected Travelers’ position on the following basis:
- ATC suffered a “Direct Loss”
The computer crime policy only covered amounts that are a “direct loss” from computer fraud. The primary coverage dispute centered around the question of whether the wire transfers to the unknown party constitute a “direct loss” of American Tooling’s money. Specifically, the Sixth Circuit addressed the meaning of the term “direct” as used in the Policy. American Tooling claimed it suffered a direct loss when it paid $834,107.76 to the unknown party while Travelers argued the loss was sustained when American Tooling agreed to pay half the amount owed to the Chinese vendor.
In order to resolve this dispute, the Sixth Circuit relied on the Michigan Supreme Court’s decision in Acorn Investment Co. v. Michigan Basic Prop. Ins. Ass’n, 284234, 2009 WL 2952677, at 2 (Mich Ct. App. Sept. 15, 2009) for the proposition that a “direct” loss means “immediate” or “proximate” cause, “as distinct from remote or incidental causes.” In applying this standard, the Sixth Circuit held American Tooling’s loss was “direct” when it “immediately lost its money” and “there was no intervening event.” Further, the Sixth Circuit held the fact that the parties later agreed to split the loss had no bearing on whether insurance coverage was triggered. In support of its finding, the Sixth Circuit provided the following analogy of a direct loss:
Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex’s fingers. Travelers’ theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense.
Based on the above, the Sixth Circuit found American Tooling’s loss was “direct” as defined in the policy.
- This was a case of “Computer Fraud”
Travelers also argued that the phrase “Computer Fraud” as used in the policy “requires a computer ‘fraudulently cause the transfer.’” That is, Travelers claim “[i]t is not sufficient to simply use a computer and have a transfer that is fraudulent.” The Sixth Circuit rejected Travelers on this argument as well and found there was coverage under the policy to the extent the unknown party sent “fraudulent emails using a computer and these emails fraudulently caused [American Tooling] to transfer the money” to the unknown party. Specifically, the Sixth Circuit held Travelers attempt to limit this coverage “to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer” was “not well-founded.” Consequently, the Sixth Circuit found American Tooling’s loss was caused by Computer Fraud.
- The loss was caused directly by Computer Fraud
Finally, the Sixth Circuit held American Tooling’s “Direct Loss” was “directly caused by Computer Fraud.” Here, the Sixth Circuit found “[t]he chain of events that was precipitated by the fraudulent emails and led to the wire transfers involved multiple internal actions at” at American Tooling. The chain of events—which included determining outstanding invoices to be paid, signing into the banking portal and manually entering the fraudulent banking information to the unknown party—constituted an immediate loss covered under the Policy.
While this decision provides some guidance on coverage under crime policies when money is wired to unknown parties, there are still a number of questions concerning what “Computer Fraud” is exactly and how the policy terms should be applied to various factual scenarios which may use computers to varying degrees. For example, in American Tool, Travelers argued that the unknown party merely using a computer to intercede between American Tool and its Chinese vendor and send emails and, therefore, would not be sufficient to trigger coverage. The District Court, which was overturned by the Sixth Circuit on this point, held this was not computer fraud since “[t]here was no infiltration or ‘hacking'” of American Tool’s computers. The Sixth Circuit did not agree with Travelers position that Computer Fraud should be limited to “hacking and similar activities” and further stated that Travelers should limit its language to hacking if that was the intent. While Travelers could have drafted this provision to directly limit coverage to hacking and other computer crimes, the Sixth Circuit’s reasoning could result in no coverage for the same loss if the unknown party had used a telephone to misdirect American Tooling’s wire transfer rather than sending emails through a computer. Therefore, we should expect to begin to see computer crime policies include language specifying how involved a computer will need to be in the commission of the crime in order to trigger coverage as computer fraud.