Computer

9th Circuit Says Computer Fraud Policies Can Cover Up Spoofing | Ervin Cohen & Jessup LLP

9th Circuit Says Computer Fraud Policies Can Cover Up Spoofing |  Ervin Cohen & Jessup LLP

Consider the following two scenarios resulting in identical losses, but potentially two entirely different insurance coverage outcomes:

In the first case, a thief hacks or gains unauthorized entry into an insured’s computer system and forces that computer system to execute a wire transfer to the thief’s offshore account.

In the second case, a thief uses a process called “spoofing”, in which an authentic-looking, but fraudulent email is created to trick the insured into transferring funds to the thief’s offshore account. The “spoofing” process essentially tricks the insured’s mail server into recognizing the fraudulent email as actually coming from the insured’s customer or another trusted source.

Computer fraud policies often provide coverage in the first scenario, because in this case the thief had actually gained access to the insured’s computer and had “used” that computer, in common parlance police, “to fraudulently cause a transfer of [] interior property [the insured’s premises] to (…) a person outside these premises.

In contrast, in the second scenario, some courts have not been receptive to entering into coverage because an insured acting on, or treating as genuine, a fraudulent email ordering the payment of funds has not been considered the equivalent of “using a computer”. in a manner that fraudulently “caused” a transfer of money or other property. As one court stated, “[t]o interpret the computer fraud provision as referring to any fraudulent scheme in which [a computer] communication was part of the process would change the computer fraud provision to a general fraud provision. Apache Corp. vs. Great Am. Ins. Co., 662 Fed. Approx. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Federal Insurance Company, 681 Fed. Approx. 627 (9th Cir. 2017).

However, a recent Ninth Circuit case joins several other decisions in concluding that damages resulting from “identity theft” may be covered by an insured’s computer fraud insurance policy. See also Medidata Solutions, Inc. v. Federal Insurance Company, 268 F. Supp. 3d 471 (SDNY 2017), confirmed, 729 Fed. Approx. 117 (2nd Cir. 2018); A m. Tooling Ctr., Inc. v. Travelers Case. & Sour. From America895 F.3d 455 (6th Cir. 2018).

In Ernst and Haas Management Company v Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), an accounts payable clerk employed by Ernst received emails allegedly from her superior, David Hass, directing her to make several payments to Zang Investments, LLC (Zang). In fact, the emails came from a fraudster posing as Hass. Believing the emails to be genuine, the clerk approved and processed payments to Zang by wire transfer.

After the fraud was discovered, Ernst and Hass handed over the loss to the insurance company Hiscox as part of the company’s criminal policy. This policy provided coverage for losses resulting from computer fraud, which included losses “resulting directly from the use of any computer to fraudulently cause a transfer” of funds to a third party. The policy also provided coverage for losses resulting from funds transfer fraud, which included losses resulting from a fraudulent instruction directing a financial institution to disburse funds from an account maintained by the insured.

Hiscox refused to cover the claim, and Ernst and Hass sued. Relying on an earlier Ninth Circuit case (Pestmaster Servs., Inc. c. Travelers Case. & On. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)), the District Court granted Hiscox’s motion to dismiss. The Court of Appeal overturned.

Initially, the Ninth Circuit distinguished the facts of the case from those of Pest master, which involved embezzlement by a third-party contractor who had been authorized to deduct from the insured’s accounts to pay taxes. In Ernst and Hassinstead, the court focused on an email fraud scheme in which the company’s accounts payable clerk had been fraudulently authorized to wire the funds.

The Ninth Circuit also rejected the district court’s view that Ernst’s loss did not result “immediately” and “directly” from computer fraud because Ernst, through his accounts payable clerk, had authorized his bank to initiate wire transfers from his account. Citing the Sixth Circuit’s decision in A m. tool center In that case, the Ninth Circuit found that Ernst’s loss arose “directly” from the fraud because Ernst’s accounts payable clerk, acting pursuant to the fraudulent instruction, “directly” caused the loss of funds. .

The Ninth Circuit also rejected the district court’s finding that there was no coverage for Ernst’s loss under the policy’s coverage for funds transfer fraud. The district court had based its decision on the fact that the fraudulent instructions did not direct Ernst’s bank to transfer the funds, but rather directed the account payable keyk to order the company’s bank to transfer these funds. In this regard, the Ninth Circuit pointed to policy language which stated that funds transfer fraud includes only fraudulent instructions directly to a bank, but also fraudulent instructions originally received by an insured’s employee. In this regard, the Court cited Principle Solutions Group, LLC c. Ironshore Indemnity944 F.3d 886 (11th Cir. 2019) which held that an email instructing a recipient employee to initiate a wire transfer through a bank satisfied the requirement that a fraudulent instruction “directs a financial institution to transfer funds.

With the Erst and Hass ruling, the Ninth Circuit appears to join rulings in other jurisdictions that have expanded the concept of “use of any computer” (as that language is used in computer fraud policies) to include not just unauthorized intrusion and manipulation of an insured’s computer by a third-party hacker, as well as cases where an insured’s employee authorizes the transmission of funds based on a fraudulent instruction.