Does Cyberinsurance Cover Phishing Scams? Ask Your Local Federal Court
Federal courts are split on whether computer fraud provisions in cyberinsurance policies cover the actions of employees tricked into sending funds to cybercriminals.
April 16, 2018 at 10:00 AM
4 minute read
Imagine a situation that is one of the C-suite's worst nightmares: An employee in the accounting department receives an email from a high-level executive. The executive tells the employee to make a wire transfer to a specific account. The employee asks for further approvals from other executives, but the executive promptly forwards emails confirming the transfer as well, so the money is wired.
But at some point in the future, someone raises a flag. The emails the employee received weren't from company executives. They weren't even from anyone at the company. The employee had been tricked by a malicious actor using a common email phishing scam.
Luckily, the company has cyberinsurance. That should refund the loss of the fraudulently transferred funds, right? Not entirely. It all depends on how courts in the company's jurisdiction interpret cyberinsurance coverage for computer fraud.
While cyberinsurance computer fraud policies vary, most cover the indirect or direct loss of property due to the fraudulent transfer of the property by a third party. But where such policies are left open to interpretation, federal courts have stepped in to define what exactly should be covered under the concept of computer fraud. And not all of them agree.
Courts in the U.S. Court of Appeals for the Fifth, Sixth and Ninth circuits have ruled that computer fraud policies do not cover situations where an employee of the company, who was authorized to access its computer systems, acts to transfer funds to a malicious or criminal actor, even though said employee was tricked.
The U.S. District Court for the Southern District of Texas upheld this argument in Apache v. Great American Insurance in October 2016, while the Ninth Circuit did the same in Taylor & Lieberman v. Federal Ins. in March 2017. And in August 2017, the U.S. District Court for the Eastern District of Michigan came to the same conclusion in American Tooling Center v. Travelers Casualty and Surety Company of America.
Joshua Bevitz, a partner at Newmeyer and Dillion, noted that in many of these cases, “the courts view has been, by interpreting a computer fraud coverage to include someone basically tricking you into using a computer to transfer the funds, you are essentially turning the computer fraud policy into a general fraud policy.”
He added that to count as computer fraud, these courts have determined there has to be fraud committed through the unauthorized use of the computer system. The courts have generally said “it has to be something where [malicious actors] have gotten into your system and made changes” or embedded software into the system that caused fraud.
At the other end of the country in the Second Circuit, however, things are markedly different. In its July 2017 ruling in Medidata Solutions v. Federal Insurance, the U.S. District Court for the Southern District of New York found that the phishing scam in question was an unauthorized intrusion into Medidata's computer systems. Therefore, the incident was covered under Federal Insurance's computer fraud policies.
“The New York court concentrated on the fact that essentially there was a break-in because the person did use a computer code to change data from the true email address to the Medidata president's email address,” Bevitz said.
Whereas the Fifth Circuit in Apache “says essentially that the direct cause of the loss was not someone convincing you to do something, it was you doing something, the Medidata court” disagreed, he added.
To be sure, the New York court's decision is an outlier. Bevitz noted that the Fifth Circuit in Apache was influenced by Texas law that “says if a question hasn't been decided, we want to be the most consistent and essentially side with the majority … interpretation.” While the court did its own analysis of the case, “it did lean on the fact that other courts have come down in the same fashion.” The New York court, though, was untroubled by moving in its own direction.
Many corporations, however, might not have cases within a jurisdiction such as New York's. So what are they to do? Bevitz suggested getting an additional specific insurance policy addressing phishing scams.
He explained that corporations “should obtain what is called fraudulent instruction insurance that would cover someone essentially tricking someone with access and authorization into transferring money to someone it is not supposed to go to.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250