Many companies purchase crime insurance policies to cover risks and potential losses that may arise if they are victims of criminal activity. Often, that coverage protects against “Computer Fraud,” and a company justifiably might think that this insurance covers fraud through use of a computer. A company with a limited online presence may decide such coverage is sufficient.

But virtually every enterprise makes use of email, and using email for business operations exposes a company to losses that may not qualify as “Computer Fraud.”

Surprisingly, many courts have found that “Computer Fraud” coverage does not apply to a common form of Internet fraud—the email scam—and coverage will depend upon the state's law that applies to the policy. Policyholders need to know the scope of the coverage they have purchased in order to determine whether they are exposed to risks that fall within less-than-obvious gaps in that coverage.

By now, most people know not to respond to the email from the foreign prince who will gladly give away half his fortune in exchange for a small advance that facilitates a bank transfer. But email fraudsters have become far more sophisticated, and the real risk to a company lies in communications that are ordinary and believable. Email spoofing allows a fraudster to alter the sender address in an email to mislead the recipient about the true origin of the message. The heavy reliance on email as a medium for business communication exposes companies to this risk—impersonation of business partners and counterparties.

Consider the following: Your client receives an email from a regular supplier changing the supplier's payment instructions. The email appears to be sent by the person at the supplier with the proper authority, but months later the supplier contacts your client asking about a failure to make payments. Your client then realizes that the email was doctored to give the appearance of authenticity, and it has been sending months of payments to a fraudster's account. Your client is further surprised when its “Computer Fraud” insurer denies coverage.

Voluntary Parting

Losses caused by scams are not new, and, historically, the insurance industry has excluded such losses. Property insurance policies and some parts of commercial crime insurance policies typically include an exclusion for loss caused by fraud-by-trick, sometimes referred to as the “voluntary parting” exclusion. Typical language for that exclusion provides that the policy does not cover loss or damage “resulting from voluntary parting with any property … if induced to do so by any fraudulent scheme, trick, device or false pretense.”

In plain English, this means that an insurer will not pay for loss when a con artist uses lies to induce the policyholder to hand over property. Many policyholders are surprised to learn, for example, that a jeweler that delivers valuable property to an individual that appears to be a legitimate armored transport courier may not be covered when it is discovered that the individual was an imposter. PNS Jewelry v. Penn-America Ins., No. BC365430, 2010 WL 685967 (Cal. Ct. App. March 1, 2010). Similarly, a law firm that has sent funds to a client after receiving a cashier's check for those funds may not be covered when it turns out that the cashier's check was a fraud. Martin, Shudt, Wallace, Dilorenzo & Johnson v. Travelers Indem. Co., No. 1:13-cv-0498, 2014 WL 460045 (N.D.N.Y. Feb. 5, 2014).

An email scam parallels the important aspects of the fraud-by-trick scenario. Deception causes the victim to hand over valuable property. But “Computer Fraud” insurance policies seldom include a voluntary parting exclusion. One would expect that if an insurer sought to exclude this type of loss, it would do so using the same language used in other policies. Instead, insurers assert that the email scam is not covered “Computer Fraud” at all.

Computer Fraud

Most courts agree that a fraudulent email scheme falls outside “Computer Fraud” coverage. While each case turns on the specific facts and policy language presented, common “Computer Fraud” language covers losses “resulting directly from the use of any computer to fraudulently cause a transfer of that property … .” This broad language seems tailor-made to fit an email scam, where the fraudster uses a computer to send a false communication and to manipulate the basic data underlying the communication, i.e., the sender address. But, when confronted with the application of this language to email scams, courts have balked.

Recently, the Eastern District of Michigan found that “Computer Fraud” coverage did not apply to a scheme in which “fraudulent emails were used to impersonate a vendor and dupe [the policyholder] into making a transfer of funds.” American Tooling Center v. Travelers Cas. & Sur. Co., No. 5:16-cv-12108, 2017 WL 3263356 at *3 (E.D. Mich. Aug. 1, 2017), appeal docketed, No. 17-2014 (6th Cir. Aug. 29, 2017). The court held that there was no hacking or infiltration of a computer system at issue. Instead, the fraudster impersonated the vendor's email address by using the domain rnould.com instead of mould.com. (Did you notice the trick?) The court cited Ninth Circuit authority and stated that the phrase “to fraudulently cause a transfer” actually required “the unauthorized transfer of funds.” Id. (citing Pestmaster Servs. v. Travelers Cas. & Sur. Co., 656 Fed. Appx. 332 (9th Cir. 2016)).

This reasoning has two glaring problems. First, grammatically, the adverb “fraudulently” in the split infinitive modifies the word “cause,” not the word “transfer.” If the policy only applied to fraudulent transfers, it certainly could say so. For years, property policies have used “voluntary parting” language to exclude transfers that are not themselves fraudulent because they were authorized by the deceived party. The “Computer Fraud” language focuses on the fraudulent cause, not the transfer. Second, other standard policy language covers fraudulent instructions to transfer funds. If “Computer Fraud” coverage requires an “unauthorized transfer,” then “Computer Fraud” coverage becomes subsumed within coverage for fraudulent instructions to transfer.

The court restricted coverage because the sheer omnipresence of email would make this “Computer Fraud” coverage overbroad. “[R]eading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy.” Id. Other courts have adopted similar reasoning. See Pestmaster Servs. v. Travelers Cas. & Sur. Co., 656 Fed. Appx. 332 (9th Cir. 2016); Apache v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016); Incomm Holdings v. Great Am. Ins. Co., 2017 WL 1021749 (N.D. Ga. March 16, 2017).

Against this tide, a recent federal decision in New York has squarely held that policy language must be interpreted according to its plain and ordinary meaning. In a case where a company was defrauded when its own president's email address had been spoofed by a fraudster, Judge Andrew L. Carter granted the policyholder summary judgment on its claim for “Computer Fraud” coverage. See Metadata Solutions v. Federal Ins. Co., 15-cv-0907 (S.D.N.Y. July 21, 2017). The fraudster's email instructed the company's accounting department to transfer money via wire in advance of an anticipated acquisition. The policy in Metadata covered a “fraudulently induced transfer of Money” through use of computer. In finding coverage for the email spoof, the court focused on the sophisticated use of computer code by the fraudster to change the “From” field on the email so that it appeared to have originated with the company president. It was this fake email that caused the money transfer, triggering the “Computer Fraud” provisions. The plain and unambiguous terms of the policy required coverage when a computer was used to perpetrate a fraud.

Conclusion

Cyber crimes have been making headlines for several years, and the insurance industry continues to create nuanced cyber insurance products for the increasing risk. Sophisticated businesses looking for protection from email spoofing can now purchase the curiously named “Social Engineering” coverage. But not all businesses will purchase complex multi-part cyber liability coverage, particularly when a business neither collects customer data nor relies on the Internet to create revenue. Such businesses may depend on their “Computer Fraud” coverage to protect them against losses from fraud perpetrated via computer.

Unfortunately, courts are not uniform in applying the policy language as written, and any attorney advising his or her client regarding the scope of coverage must address this uncertainty. Hopefully, more courts will follow the Southern District of New York by interpreting the language according to its plain and ordinary meaning, allowing policyholders to analyze and make decisions regarding risk transfer and insurance based upon the policyholder's reasonable expectations as to the plain meaning of “Computer Fraud.” Likewise, a plain language rule encourages an insurer to adopt a conspicuous exclusion for the voluntary parting with funds via email scam if it does not wish to underwrite that risk. It is only through clear and conspicuous language in an insurance policy that policyholders can adequately assess the risks they face, review the coverages available on the market, and make truly informed decisions about the insurance they purchase.

Jeremy M. King is a partner in Olshan Frome Wolosky's insurance law practice.
