In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage. Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”
The facts of the case are straightforward and serve as a good illustration as to why double verification practices should be practiced by every company as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2.
A week later, Apache’s accounts-payable department received an email from a “petrofacltd.com” address. (Petrofac’s real email domain name was “petrofac.com.”) The fraudulent email sent from the “petrofacltd.com” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.” Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old-bank-account information and the new-bank-account information, along with instructions to use the new account immediately. Id. at *2-3. Apache took the bait. In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic. Id. at *3. A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account. Id. Uh oh.
Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account). Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made. Id.
Apache submitted a claim under its “Computer Fraud” coverage, which provided that:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
to a person (other than a messenger) outside those premises; or
to a place outside those premises.
Id. at *3-4 (emphasis added). The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” Id.
Coverage litigation ensued. The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.” Id. at *6. Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only to show that “any computer was used to fraudulently cause the transfer of funds.” Id. The parties cross moved for summary judgment. The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor'” of the loss to implicate coverage. The Fifth Circuit reversed.
On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.
GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.
Id. at *8. As a result of all of these actions, the insurer argued that Apache’s loss did not “result directly from the use of any computer to fraudulently cause a transfer of that property.”
The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.” Id. at *16. The court explained:
Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information. Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.
Id. at *15-16.
Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few-if any-fraudulent schemes would not involve some form of computer-facilitated communication.
Id. at *16-17 (emphasis added).
In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:
No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate. In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment. In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it. [Emphasis added.]
Id. at *18 (emphasis added).
The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.
Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.
Id. In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.
What this case means: Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.” The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer. Coverage can’t work that way. Computers are a dominant presence in our lives. They are perhaps the primary means of communication. (Yes, our mobile phones are computers.) Does that mean that any fraud that can be linked to the use of a computer is computer fraud? No. Given the wide use of computers, the Fifth Circuit clearly feared that to allow use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.
This case also provides another illustration as to why companies need to purchase cyber coverage. And why companies need cyber counsel to help train employees and help improve cybersecurity measures. Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.