Recently, the Ninth Circuit handled a case involving a scenario that is becoming all too common. In Gestion Ernst & Haas Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), an accounts payable clerk at a property management company received several emails from her supervisor asking her to pay certain invoices. Unbeknownst to the employee, these emails were not from her supervisor, but were actually part of a scheme to obtain fraudulent bank transfers. The clerk paid hundreds of thousands of dollars in “bills” before she became suspicious, but by then it was too late and the damage was done.
Subsequently, Ernst filed a claim with its insurance company under its commercial crime policy, which provided coverage for “computer fraud” and “funds transfer fraud.” The insurer denied coverage on the grounds that Ernst’s own employee initiated the wire transfer of funds. After Ernst sued its insurer for breach of contract and bad faith, among other claims, the district court sided with the insurer on the basis that the wording of the policy required that the loss or damage “results directly” from the fraudulent activity. Since the clerk was the one who initiated the transfer, the court found that the loss resulted directly from an act authorized by the clerk, not the fraudulent email. By this logic, policyholders would not be covered unless a third party actually hacks into their system and initiates a transfer themselves. An innocent employee used as a conduit to perpetrate fraud would not suffice.
Subsequently, the Ninth Circuit, in reversing the lower court’s ruling and remanding, determined that the district court made three different errors:
First, the district court relied on an embezzlement case, which presented a different factual scenario than the third-party email fraud here. That case involved an insured business that authorized a third-party payroll tax office to transfer money on its behalf to pay taxes, which then decided to steal it instead. Ernst, on the other hand, never authorized its clerk to wire the funds. Rather, the perpetrator was the one who fraudulently authorized the clerk with his email and stole funds he was never authorized to receive in the first place.
Second, the district court narrowly construed the wording of the “computer fraud” provision, interpreting direct loss as being limited to “unauthorized use of a computer, such as hacking.” The court found that Ernst’s loss did not “directly result” from computer fraud because its clerk had authorized its bank to initiate the wire transfer. But that couldn’t be the law because it “eliminates the possibility of cover whenever an employee is being defrauded into taking action.” Relying on a Sixth Circuit ruling, the Ninth Circuit panel found that Ernst’s loss was indeed a “direct result” of the computer fraud: there was no intervening event, there was simply a loss that resulted directly from the clerk acting in accordance with the fraudulent instructions. Thus, the provision for computer fraud covered Ernst’s loss.
Third, the district court held that the “funds transfer fraud” provision did not cover the loss because it did not “result directly” from fraudulent instructions to a financial institution. The attacker asked the accounts payable clerk to wire the money, not the bank. The Ninth Circuit panel, however, found that the email to the clerk directing her to transfer funds to the author, providing details of the wire transfer, and providing fraudulent authorization was sent for the sole purpose of initiating the bank transfer. Thus, the email should be interpreted as a direct instruction to the bank. Further, the policy’s definition of “fraudulent instruction” provided for an instruction to the insured before the bank, which would otherwise be redundant if it only covered instructions to the bank without an intermediary.
In this modern digital age, email fraud schemes are commonplace. Although a vigilant internal due diligence program and other measures can prevent fraud, criminals are becoming more sophisticated and technologically advanced, making it increasingly necessary to have an appropriate insurance program that will cover victims of such fraud. Commercial crime policies and cyber insurance policies can accomplish this in a number of scenarios. However, the terms and conditions can be complex and ambiguous without professional help. As such, a policyholder coverage attorney, broker or other risk professional should be consulted to ensure that the policy terms obtained are adequate given the policyholder’s specific needs and potential vulnerabilities.
Full review in Gestion Ernst & Haas Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022) can be found here.
Copyright © 2022, Hunter Andrews Kurth LLP. All rights reserved. National Law Review, Volume XII, Number 48