Monthly Archives: October 2016

5TH CIRCUIT HOLDS THAT PHISHING SCAM DOES NOT IMPLICATE COMPUTER FRAUD COVERAGE



In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and serve as a good illustration of why every company should adopt double-verification practices as a preventive measure against cyber fraud.  In the case, the insured, Apache Corporation, was an oil-production company.  An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor.  The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac.  The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead.  Id. at *2.

A week later, Apache’s accounts-payable department received an email from a “petrofacltd.com” address.   (Petrofac’s real email domain name was “petrofac.com.”)  The fraudulent email sent from the “petrofacltd.com” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.”  Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old-bank-account information and the new-bank-account information, along with instructions to use the new account immediately.  Id. at *2-3.  Apache took the bait.  In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic.  Id. at *3.  A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account.  Id.  Uh oh.

Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account).  Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made.  Id.

Apache submitted a claim under its “Computer Fraud” coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

  1. to a person (other than a messenger) outside those premises; or

  2. to a place outside those premises.

Id. at *3-4 (emphasis added).  The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Id.

Coverage litigation ensued.  The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.”  Id. at *6.  Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only show that “any computer was used to fraudulently cause the transfer of funds.”  Id.  The parties cross-moved for summary judgment.  The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor’” of the loss to implicate coverage.  The Fifth Circuit reversed.

On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.

GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.

Id. at *8.  As a result of all of these actions, the insurer argued that Apache’s loss did not “result[] directly from the use of any computer to fraudulently cause a transfer of that property.”

The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.”  Id. at *16.  The court explained:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.

Id. at *15-16.

Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few-if any-fraudulent schemes would not involve some form of computer-facilitated communication.

Id. at *16-17 (emphasis added).

In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:

No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate.  In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment.  In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.  [Emphasis added.]

Id. at *18 (emphasis added).

The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.

Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.

Id.  In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.

What this case means:  Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.”  The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer.  Coverage can’t work that way.  Computers are a dominant presence in our lives. They are perhaps the primary means of communication.  (Yes, our mobile phones are computers.)  Does that mean that any fraud that can be linked to the use of a computer is computer fraud?  No.  Given the wide use of computers, the Fifth Circuit clearly feared that to allow use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.

This case also provides another illustration as to why companies need to purchase cyber coverage. And why companies need cyber counsel to help train employees and help improve cybersecurity measures.  Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.

This entry was posted in Data Breach Insurance Coverage.

OHIO COURT HOLDS THAT REQUESTED SELF-AUDIT CAN BE A “CLAIM”



In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

  1. A written demand for monetary damages or non-monetary relief; or

  2. A civil proceeding commenced by filing of a complaint or similar pleading[.]

Id.  “Loss” included “defense costs.”  Id. at *16.

The policy also had an intellectual property exclusion, but the exclusion did not apply to claims brought against “individual insureds,” such as the company’s officers or directors.  The exclusion stated that the insurer was not liable to pay, indemnify or defend any “claim”:

K. Based upon, arising out of, or in consequence of, or in any way involving actual or alleged infringement of copyright, patent, trademark, trade secret, service mark, trade name, or misappropriation of ideas or trade secrets or other intellectual property rights; provided, however, this exclusion shall not apply to any ‘claim’ against any ‘individual insureds’;

Id. at *17.

In May 2011, the insured received a letter from a trade group, the Business Software Alliance (BSA), investigating on behalf of its member companies “possible instances of illegal duplication of certain software.”  The letter contended that Eighth Promotions had installed on its computers more copies of software programs than it was licensed to use.  Id. at *1.  In lieu of litigation, BSA requested that the insured investigate and audit all of the software published by the BSA members on its computers, as well as the software licenses and proofs of purchase for those licenses, and share the results of its self-audit with BSA.  Id. at *3-4.  The insured tendered the letter to its insurer, which denied coverage on the ground that the letter did not constitute a “claim” because it was neither a “written demand for monetary damages or non-monetary relief” nor a “civil proceeding commenced by filing a complaint or similar pleading.”  Id. at *5.

The insured retained counsel and conducted an audit, revealing numerous instances of unauthorized software installations.  Id. at *6.  After sharing the results of the audit with BSA, BSA offered to settle the dispute under certain terms and conditions, including a payment of $179,393.  Id. at *8.  By entering the proposed settlement, BSA promised that its member clubs would “forego the filing any lawsuit against Eighth Floor and will release Eighth Floor from any liability related to past infringement of the copyrights in the software products listed below due to Eighth Floor’s use and/or installation of those products on Eighth Floor’s computers.”  Id. at *9.  The insured tendered the settlement offer to its insurance carrier, which denied coverage under the intellectual property exclusion.  Id. at *10.  The insured settled the dispute, obtaining a release for the company, as well as for its officers and directors.  Coverage litigation ensued.

The trial court in the coverage litigation granted the insurer summary judgment, holding that the initial “audit” letter did not constitute a claim and that the intellectual property exclusion barred coverage.  On appeal, the appellate court reversed in part.  Id. at *11.

The appellate court held that the May 2011 BSA letter, which inquired about instances of copyright infringement and offered to permit the insured to conduct a self-audit in lieu of litigation, constituted a “claim” to implicate coverage under the policy.  The court rejected the insurer’s characterization of the audit letter as giving “Eighth Floor an opportunity to conduct its own company-wide investigation to determine whether any copyright infringement had occurred.”  Id. at *18.  Instead, the court concluded that the letter provided the insured an opportunity to determine “the extent of Eighth Floor’s copyright violations—not whether Eighth Floor had committed copyright violations.”

The court next looked to the dictionary definitions for “demand,” “non-monetary” and “relief,” all used within the phrase “A written demand for monetary damages or non-monetary relief” to determine the meaning of “claim.”  The court attributed broad meanings to these terms, observing:

“Demand” is defined as “the assertion of a legal right or procedural right.”  Black’s Law Dictionary 522 (10th Ed.2014).

“Non” is defined as “not; no.” Id. at 1212. “Monetary” is defined as “of, relating to, or involving money.” Id. at 1158.

“Relief” is defined as “the redress or benefit, esp. equitable in nature (such as injunction or specific performance), that a party asks of a court.  Also termed remedy.” (Emphasis sic.)  Id. at 1482. “Remedy” is defined as “the means of enforcing a right or preventing or redressing a wrong; legal or equitable relief.” Id. at 1485.  [Internal brackets removed.]

Based on these broad meanings, the court held that the audit letter satisfied the definition for “claim.”  The court explained:

. . . [A]lthough the audit request gave Eighth Floor the “opportunity” to conduct a company-wide software audit, it implied that if Eighth Floor did not take up this “opportunity,” then the matter would proceed to litigation, where the BSA could have achieved the same result. The audit request also sought the preservation of evidence and stated that Willis should not attempt to purchase any software from sales representative of these companies until the matter was resolved.

These measures were the BSA’s “means of enforcing a right” and “preventing a wrong” within the plain and ordinary meaning of “remedy.” See Gold Tip, LLC v. Carolina Cas. Ins. Co., D. Utah No. 2:11-CV-00765-BSJ, 2012 WL 3638538, *4 (Aug. 23, 2012) (a written demand for non-monetary relief can encompass a letter that coerces conduct of the policyholder through the threat of using the legal process to compel that conduct.).

Id. at *22.

The court, however, held that the intellectual property exclusion prohibited coverage for the settlement.  Eighth Promotions argued that the exclusion’s exception for claims against “individual insureds” (meaning, the insured’s directors and officers) applied to trump the coverage denial.  Id. at *23.  To support its argument, Eighth Promotions relied upon the broad standard of interpreting pleadings for evaluating the duty to defend.  Under Ohio law (and the law of most jurisdictions), a duty to defend can be implicated where the allegations in a complaint support or allege an unpled claim that potentially is within the policy coverage.  Id. at *26.  Here, Eighth Promotions argued that although BSA’s demands were directed at the company, because the company’s officers and directors could be held vicariously liable for copyright infringement if BSA filed suit against the company, BSA’s demands contained a claim against the directors and officers that fell within the exception of the intellectual property exclusion.  Eighth Promotions argued:

Vicarious ‘liability for copyright infringement may be imposed upon an officer, directors, or shareholder so long as the individual ‘has the right and ability to supervise the infringing activity’ and also [2] has a direct financial interest in such activities. . . . As such, the Eighth Floor officers and directors were jointly and severally liable on [the] BSA’s claim. . . .

Had the matter not settled, the BSA would have named the officers and directors in its complaint because Eighth Floor was not solvent to the full extent of the potential damages. Because copyright infringement allows for joint and several liability, because the BSA was aware that Eighth Floor was closely held, and because the directors and officers constituted a viable source of recovery who necessarily shared equally in the liability, any lawyer drafting the complaint would be obligated to include the directors and officers as defendants.  [Internal brackets omitted.]

Id. at *25.  As further proof of the existence of a claim against Eighth Promotions’ officers and directors, the company also pointed to the release it had obtained for them.

The appellate court rejected the argument, stating that Ohio law did not support the proposition that “an insurer has a duty to defend an otherwise excluded ‘claim’ where the allegations in that ‘claim’ could potentially or arguably lead to another ‘claim’ which may be within the policy’s coverage.”  According to the court, the only “real” claim was made against the company:

The only real “claim” at issue here is the settlement offer which did not demand any monetary relief from Eighth Floor’s officers or directors or contain any language that could potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id. at *27.  Nor could an insured use a release provision in a settlement agreement to bootstrap coverage by characterizing the release as a written demand for monetary or non-monetary relief:

It included a provision offering to release Eighth Floor’s officers and directors from liability if Eighth Floor complied with its demands, but this provision cannot potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors

Id.  The case was remanded to the trial court to determine whether the exclusion barred the insurer’s duty to defend for the audit letter.

What this case means:  This case serves as a reminder that for claims-made policies that define the meaning of “claim,” the definition “written demand for monetary damages or non-monetary relief” can have a very broad meaning.  Here, the court concluded that a self-audit committed by the insured pursuant to a claimant’s notice letter satisfied this definition.  At the same time, the court rejected the insured’s attempt to broaden the scope of a claim, or to bootstrap coverage through a broad release in a settlement (even if obtaining additional releases in such a settlement was customary).  In essence, the court concluded that an insured may not goldmine for unstated claims or causes of action to broaden the scope of a settlement agreement from the uncovered to the covered.

This entry was posted in Uncategorized.