Related Practices
Conflicts in Circuits’ Approach to Email Scams Hold Lessons
Insurance Law360February 7, 2020
By Alexander W. Cogbill and Kristian N. Smith
To read this article in PDF format, please click here.
With unprecedented activity online, cybercrime is growing in frequency, sophistication and aggregate effect.[1] Despite the increased visibility of cybercrime, cybersecurity continues to lag behind this curve.[2] Cybercriminals abscond with nearly 1% of global gross domestic product each year.[3] This impact is only projected to increase — by one estimate, its impact will be $6 trillion per year by 2021.[4]
Significantly, many cyber losses are readily avoidable.[5] That does not mean, however, that courts have reached a consensus on whether avoidable and unavoidable losses should be treated differently in the context of civil litigation, including insurance coverage suits. As an example of this uncertainty, courts have begun to diverge on how to treat email “spoofing”, in which scammers adopt false identities to perpetrate fraud.
In this context, courts have grappled with whether, given the prevalence of email scams, ignorance is still an excuse. A divided panel of the U.S. Court of Appeals for the Eleventh Circuit recently weighed in on this question, holding that an employee’s carelessness in dispersing $1.7 million to scammers was immaterial to causation analysis.
In litigation, evaluating the actions of those that fall victim to social engineering scams can be difficult because cybercriminals prey on human fallibility and sow distrust.[6] However, because these scams are here to stay, it is especially important that the courts establish robust standards. To date, that has not occurred, and the Eleventh Circuit’s recent decision only complicates matters.
The No-Fault Approach
In Principle Solutions LLC v. Ironshore Indemnity, the Eleventh Circuit considered a transfer of $1,717,000 to scammers in China.[7] The funds were sent by Principle Solution LLC’s controller who received an email purporting to be from a managing director of the company regarding a “confidential,” “key acquisition.”
The email instructed the controller to await further instructions from an attorney and not to talk to anyone else about the transaction. The controller responded that she would treat the matter with the utmost discretion. The controller received a second email minutes later purporting to be from a London attorney instructing the employee to wire the funds to a bank account in China after confirming the transfer would be possible. The controller obediently followed these instructions and initiated a transfer for the full amount requested.
Wells Fargo, Principle’s bank, flagged the transaction as potential fraud and referred it to its fraud prevention service. A Wells Fargo representative repeatedly called Principle’s controller insisting that the managing director verbally approve the transaction. Rather than calling the managing director directly, the controller emailed the purported lawyer requesting a call. The purported lawyer called and represented that he had spoken directly with the managing director.
The controller then conveyed to Wells Fargo that she had spoken directly with the managing director and received full approval. With this confirmation, Wells Fargo transferred the funds to the scammers’ Chinese bank account.
Following the loss, Principle made a claim under its commercial crime policy. The insurer denied Principle’s claim, in part because it did not believe the loss was directly caused by a fraudulent instruction. Principle then sued its carrier for coverage. In litigation, causation was a central issue because Principle’s policy provided coverage for “loss resulting directly from a fraudulent instruction directing a financial institution to transfer or pay funds.”
While other courts have interpreted similar language to be inapplicable where the insured is not a financial institution,[8] the Eleventh Circuit bypassed this distinction and focused instead on the meaning of “directly.” The term “directly” prompted the court to undertake a proximate cause analysis; specifically, the court examined whether the controller’s failure(s) to recognize the scam and properly verify the transaction constituted an intervening or superseding cause.
Affirming the lower court’s summary judgment ruling in favor of the insured, the majority held that the email scheme circumvented normal verification procedures by design and, therefore, the erroneous transfer was directly caused by the scam.
On its face, this may seem like a reasonable conclusion in that the transfer would not have been made but for the scam. But the majority went a step further in this case, declaring that, “whether various red flags ‘arguably should have triggered a deeper investigation’ is not a relevant question.”
In contrast, the dissent delineated the intermediate steps between the initial scam emails and the fraudulent transfer. These steps, in the dissent’s view, presented an issue of fact as to whether the controller had a duty to investigate further.
Given the suspicious nature of the entire transaction, the intervention of the Wells Fargo Fraud Prevention Department was arguably enough to stop Principle’s loss. The interruption in the process would have led a reasonable employee to question why Wells Fargo thought the transaction may be fraudulent and, in turn, to question the propriety of an unknown attorney providing international wire instructions for an American IT staffing company to pay over a million dollars to acquire a Chinese company. Instead, [the controller] called [the foreign attorney], an unknown non-employee, to confirm the international wire instructions for an unspecified acquisition. It was her response to Wells Fargo’s fraud investigation—not the [initial] e-mail—that directly caused the money to be released and Principle to suffer a loss...
* * *
Concluding that the [initial] e-mail was, as a matter of law a proximate cause of Principle’s loss provides no “limit on legal liability.” The majority’s interpretation would always provide coverage, no matter how much notice the insured had that a scheme could be fraudulent, so long as the insured’s actions could, in some way, be traced to an initial fraudulent instruction. Such an interpretation renders the word “directly” meaningless.
Although the majority does not address it, its decision diverges from an Eleventh Circuit decision rendered by the court a year-and-a-half earlier. In that case, the court addressed whether losses of more than $10 million resulted directly from fraudulent redemptions when the ultimate disbursements of the fraud-tainted funds occurred days or weeks (or even months or years) after the fraudulent redemptions, and there were multiple steps, acts and actors between the redemptions and fund disbursements.[9]
The court held that the lapse in time between the fraudulent activity and the losses (as well as the intervening acts and actors between the redemptions and fund disbursements) nullified the causal effect of the initial fraudulent action for the purposes of insurance coverage. To the extent these decisions can be harmonized, they suggest the relevant inquiry into whether a cause can be intervening is not qualitative but temporal. In other words, the duty to uncover a scam may only arise when the scam involves a series of prolonged steps, not where it is obvious.
At least for now, the Eleventh Circuit joins the U.S. Court of Appeals for the Sixth Circuit[10] in finding that employees’ actions following receipt of a fraudulent email (i.e., approving transfers, etc.), whether reasonable or not, do not negate a finding that a loss resulted directly from a fraudulent email.
The Fault-May-Be-Considered Approach
In July 2018, the U.S. Court of Appeals for the Second Circuit found coverage for a $4.8 million dollar “spoofing” loss but chose to consider whether the employee’s actions represented an intervening cause. In Medidata Solutions Inc. v. Federal Insurance Company,[11] the insured’s employees were tricked into wiring money to a scammer posing as Medidata Solution Inc.’s president in an email.
Similar to the Principle case, a Medidata employee received an email about a “strictly confidential” business opportunity purporting to be from the company’s president and instructing the employee to coordinate with an attorney. After the employee confirmed that he would cooperate and “make this a priority,” the purported attorney called the employee and requested wire of $4,770,220 million.
The spammers also sent a follow-up approval, purporting to have spoken to other managers of the company. Satisfied, the employee initiated a transfer. Only when the scammers requested additional payment did the employee verify the emails were inauthentic.
Ultimately, the court awarded Medidata coverage. However, in contrast to Principle, the Second Circuit considered whether the employee’s (in)actions severed the causal chain. The court held:
The chain of events was initiated by the spoofed e-mails and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.
This analysis suggests that had there been additional links in the chain, such as the bank interrupting the transaction to verify it was not fraud, the decision could have turned out differently. At the very least, this decision also leaves room for courts to weigh the sophistication of a scam against the inattention or susceptibility of its target.
This possibility was anticipated by the U.S. District Court for the Southern District of Indiana in a 2006 opinion addressing whether a fraudulent facsimile was the proximate cause of a subsequent fraudulent transaction.[12] The court concluded that the direct cause of the $1.5 million fraud was the forged checks and not the facsimile which arranged the deal.
Holdings that intervening causes (including employee error or inattention) can break the causal chain between fraud and financial losses are a growing trend in other circuits under more specialized computer fraud policies.
The U.S. Court of Appeals for the Fifth Circuit (loss of $2.4 million),[13] U.S. Court of Appeals for the Ninth Circuit (loss of around $200,000),[14] and New York Court of Appeals (loss of $18 million) have all held that multiple steps between fraud and the resultant loss break the causal chain.[15] The Fifth Circuit specifically held in Apache Corp. v. Great American Insurance Co. that the fraudulent transfer was a result of Apache’s failure to accurately investigate the fraudulent information provided to it.
Lessons
Despite apparent inconsistencies in civil decisions addressing cybercrime, there are several important lessons that emerge from these cases:
For Individuals
Cybercrime, specifically complex email schemes, is rampant, and vigilance could save large amounts of money for you and your organizations. Always verify emailed wire transfer instructions with the sender through another means of communication (telephone, in person, etc.).
For Insurers
Reexamine wordings in light of recent cases to ensure they reflect intent clearly. As noted, the term “directly” was central to each of these cases. In that vein, insurers should consider whether the intent is to cover only traditional computer fraud or computer fraud that includes social engineering and business email compromise scams — like the situations in Principle and Medidata.
Also, carriers should consider whether exclusions for employee negligence would be appropriate for this type of coverage. A handful of recent cases have suggested a false pretense exclusion could bar coverage for these social engineering schemes; although in those cases, the exclusions were found to be ambiguous based on the definitions of “money” and “physical property.”[16]
Insurers should also focus on careful underwriting in order to reduce loss ratios. This can be accomplished through basic verification of a risk’s security protocols and compliance therewith.
For Organizations
There is a place for inefficiency when it comes to cybercrime: redundancy and multistep procedures can slow employees down, giving them time to identify and thwart fraudulent emails and instructions. Even if your business is in a no-fault circuit, the specific language of specific policies is the cornerstone of coverage.
When purchasing insurance, request social engineering coverage, which provides additional coverage beyond that typically offered in commercial crime and cyber policies, and may alleviate coverage uncertainties when email scams cause losses.
Conclusion
With each passing year, everyone should expect more courts to weigh in on coverage for losses caused by fraudulent cyberschemes. We are all well served to pay close attention to the development of the law in this area. As scams become ever more sophisticated, the courts’ doctrine will evolve.
The scams which were novel more than a decade ago — think a poorly written email from a supposed Nigerian prince — are laughably rudimentary now. Accordingly, the distinction between obvious ploy and novel scam may continue to affect coverage decisions. As this occurs, falling for the rudimentary scams will appear more and more blameworthy.
Even if this threshold was not reached in Principle or Medidata, whether a scam is obvious should make some difference. Gullibility should translate to liability, to some degree. As the breadth of cybercrimes expands, it is imperative that our legal systems continue to evolve as well.
Alexander Cogbill and Kristian Smith are associates at Zelle LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://www.cio.com/article/3386417/cybercrime-is-increasing-and-more-costly-for-organizations.html.
[2] https://pdf.ic3.gov/2018_IC3Report.pdf.
[3] https://www.csis.org/analysis/economic-impact-cybercrime.
[4] https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf.
[5] https://www.airmic.com/news/guest-stories/interview-80-cent-cyber-attacks-are-preventable-according-cybercrime-expert.
[6] Kevin LaCroix, The Growing Risk of Payment Instruction Fraud and Related Insurance Coverage Problems; https://www.dandodiary.com/2016/04/articles/cyber-liability/the-growing-risk-of-payment-instruction-fraud-and-related-insurance-coverage-problems/.
[7] 17-11703, 2019 WL 6691509 (11th Cir. December 9, 2019).
[8] Taylor & Lieberman v. Federal Ins. Co., 681 Fed.Appx. 627 (9th Cir. 2017).
[9] Interactive Communications International, Inc. v. Great American Insurance Co., 731 Fed Appx. 929 (11th Cir. 2018).
[10] American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, 895 F.3d 455 (6th Cir. 2018).
[11] 729 Fed. Appx. 117 (2d Cir. 2018).
[12] Brightpoint, Inc. v. Zurich American Ins. Co., 2006 WL 693377 (S.D. Ind. 2006).
[13] Apache Corp. v. Great American Ins. Co., 662 F. App’x. 252 (5th Cir. 2012).
[14] Taylor & Liberman v. Fed. Ins. Co., 681 Fed. App’x. 627 (9th Cir. 2017).
[15] Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (N.Y. 2015).
[16] See Rainforest Chocolate, LLC v. Sentinel Ins. Co., Ltd., 2018 VT 140, 204 A.3d 1109, 1112 (Vt. 2018); Ad Advert. Design, Inc. v. Sentinel Ins. Co., 344 F.Supp.3d 1175 (D. Mont. 2018).