Can a commercial policyholder recover under the computer fraud coverage of its policy (typically offered as part of a crime policy) for a fraud carried out through information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.
Apache Corporation (“Apache”) received a phone call from an individual purporting to be a representative of Petrofac, one of Apache’s legitimate vendors. The caller instructed Apache to change the bank account for all future payments to Petrofac but was advised that the change could not be processed without a formal request on Petrofac letterhead. A week later, Apache’s accounts-payable department received an email from an address at “petrofacltd.com” (Petrofac’s authentic email domain was petrofac.com) stating that all Petrofac bank accounts had been changed, and the new account information was effective immediately. The email included as an attachment a signed letter on Petrofac letterhead providing both old bank account information and a new bank account, with instructions to “use the new account with immediate effect.” To verify the requested change, an Apache employee called the telephone number provided on the letterhead and “confirmed” the authenticity of the request. The change was then implemented, and over the next several weeks, Apache transferred approximately $7 million to the “new” account in payment of Petrofac’s legitimate invoices.
Within one month, Apache received notification that Petrofac had not received any of the money that was transferred to the new bank account. Apache conducted an investigation and determined that the bank account change request received by email was fraudulent. Apache was able to recoup a portion of the money it had transferred, but ultimately sustained a loss of $2.4 million.
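The two control failures in the fact pattern above are specific and checkable: the request came from a lookalike domain (petrofacltd.com rather than the vendor-of-record domain petrofac.com), and the "confirmation" call went to a telephone number supplied by the requester rather than to the number already on file. The following Python triage routine, added here as an illustration and not taken from the article, the court record, or any Apache or Petrofac system, shows how an accounts-payable intake step can flag both conditions before a bank-account change is applied. The vendor-master record, phone numbers and account identifiers are constructed placeholders; only the two domain names come from the article.

```python
"""Triage of a vendor bank-account change request (constructed example)."""
from dataclasses import dataclass

# Constructed vendor-master record. The domain is the one the article gives;
# the phone number and account id are placeholders, not real data.
VENDORS_OF_RECORD = {
    "Petrofac": {
        "domain": "petrofac.com",
        "phone_on_file": "+00-000-000-0000",  # placeholder, obtained at onboarding
        "account": "ACCT-ON-FILE-0001",       # placeholder
    },
}


@dataclass
class BankChangeRequest:
    vendor: str
    sender_email: str
    phone_in_request: str  # number printed on the letterhead / in the email
    new_account: str


def registrable_label(domain: str) -> str:
    """'petrofacltd.com' -> 'petrofacltd'. Drops only the last label; a real
    deployment would use the public suffix list to handle e.g. '.co.uk'."""
    return domain.lower().rsplit(".", 1)[0]


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, legitimate: str) -> bool:
    """True when the candidate domain is not the legitimate one but resembles it:
    one label contains the other (petrofacltd / petrofac) or they are within
    two edits of each other (petr0fac / petrofac)."""
    c, l = registrable_label(candidate), registrable_label(legitimate)
    if c == l:
        return False
    return l in c or c in l or edit_distance(c, l) <= 2


def evaluate_request(req: BankChangeRequest):
    """Return (decision, findings). Any finding puts the change on HOLD; a clean
    request still requires a callback to the number on file before it is applied."""
    vendor = VENDORS_OF_RECORD.get(req.vendor)
    if vendor is None:
        return "HOLD", ["vendor is not in the vendor-of-record master"]

    findings = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        kind = "a lookalike of" if is_lookalike(sender_domain, vendor["domain"]) else "unrelated to"
        findings.append(
            f"sender domain {sender_domain!r} is {kind} vendor-of-record domain {vendor['domain']!r}"
        )
    if req.phone_in_request != vendor["phone_on_file"]:
        findings.append(
            "phone number in the request differs from the number on file; "
            "the verification callback must use the number on file, never the one in the request"
        )

    if findings:
        return "HOLD", findings
    return "CALLBACK_ON_FILE", []


if __name__ == "__main__":
    # Constructed request mirroring the article's fact pattern.
    req = BankChangeRequest("Petrofac", "accounts@petrofacltd.com", "+99-999-999-9999", "ACCT-NEW-9999")
    decision, findings = evaluate_request(req)
    print(decision)
    for f in findings:
        print(" -", f)
```

The decision value is deliberately never "approve": even a request with no findings only advances to a callback using the contact details already on file, which is the step that would have exposed the fraud described above regardless of how convincing the letterhead was.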
Apache submitted a claim to its insurer, Great American Insurance Company (“GAIC”), seeking coverage under the “computer fraud” provision of its policy, which provided coverage for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises.” GAIC denied coverage, maintaining that the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”
Apache filed suit to obtain coverage in Texas state court, and GAIC removed the matter to federal court. Both parties filed motions for summary judgment. The District Court granted Apache’s motion and denied GAIC’s motion, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email as being a ‘substantial factor.’”
The Fifth Circuit reversed and entered judgment for GAIC, finding that the loss did not result directly from the use of a computer because the “computer use at issue was limited to email correspondence.” The Court concluded that while email was part of the scheme to defraud Apache, it was merely incidental to the authorized transfer of funds. Interestingly, throughout the opinion, the Court repeatedly comments on Apache’s failure to properly verify the change request as legitimate and concludes that the transfer “was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.”
The Fifth Circuit’s decision demonstrates that computer fraud coverage may not protect policyholders in the manner they would (and frankly, should) expect. Depending on the policy’s specific terms and conditions, a scheme that directly involves use of a computer to implement the fraud may not trigger coverage; instead, the computer fraud coverage may be limited only to losses resulting directly from “hacking” events. Because relatively simple – but often painfully effective – social engineering frauds like the one on Apache (i.e., scams used by criminals to trick, deceive and manipulate their victims into giving out confidential information or transferring funds) have become more pervasive in recent years, policyholders are advised to evaluate their coverage profiles – including both legacy and cyber policies – to ensure that the coverage expected will be there when needed.