Business Email Scams (BEC) are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017) a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam, sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.
Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department, sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.
Posco Daewoo sought coverage for the lost funds under its “computer fraud” coverage in a crime policy. Id. The insurance policy insured Posco Daewoo for several types of loss resulting from criminal activity, including computer crime. The computer crime coverage read in part as follows:
- Computer Fraud
The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.
The Policy defined “Computer Fraud” to mean:
The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from the inside the Premises or Financial Institution Premises:
- to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or
2. to a place outside the Premises or Financial Institution Premises.
Id. at *4
The policy also limited coverage to certain property, stating as follows:
5. Ownership of Property; Interests Covered
a. The property covered under this Crime Policy except as provided in 5.b. below is limited to a property:
i. that the Insured owns or leases;
ii. that the Insured holds for others:
(a) on the Insured’s Premises or the Insured’s Financial Institution Premises; or
(b) while in transit and in the care and custody of a Messenger; or
iii. for which the Insured is legally liable, except for property located inside the Insured’s Client’s Premises or the Insured’s Client’s Financial Institution Premises :
Id. at *6. If the alleged loss property did not fall within this provision, there would be no coverage.
Posco Daewoo argued that the phishing emails sent to Allnex constituted “The use of any computer to fraudulently cause a transfer of Money” to implicate the computer fraud coverage. The insurer, citing the Fifth Circuit decision in Apache Corp. v. Great American Ins. Co., argued that the use of a computer to send phishing emails was too incidental to satisfy the meaning of “computer fraud” or loss “directly” caused by “computer fraud.” Id. at *12-13.
The court, however, did not address either argument. Instead, it focused on the “Ownership of Property; Interests Covered” coverage limitation under the policy. Id. at *13.
Identifying subparagraph (i) of the provision – “that the Insured owns or leases” – as the only possible provision that could be applicable, the court held that because Posco Daewoo did not lease or own the mis-wired money in question, it had no right under the “Ownership of Property; Interests Covered” provision to recover under the policy. The court looked to Black’s Law Dictionary to determine the “plain and ordinary” meaning of the “own,” which defined the word to mean “[t]o rightfully have or possess as property; to have legal title to.” Id. at *14.
Because Posco Daewoo did not plead that it had owned the money that was mis-wired, and could not plead that it had owned the money, its coverage claims were subject to dismissal. The court explained:
Plaintiff has not plausibly pled sufficient facts for the Court to find that it rightfully had, possessed, or had legal title to the money Allnex transferred into the Wells Fargo accounts. Plaintiff’s strongest claim to owning that money stems from Allnex’s intention. The parties do not dispute that Allnex intended Plaintiff to receive the wired money as payment for a debt. [Citation omitted.] However, a party’s intention of transferring legal title does not equate to an actual transfer of legal title without more.
Id. at *15. Thus, the court concluded that before payment, Posco Daewoo did not own the wired money, but only “a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made.” Id. at *16. “In other words, Daewoo did ‘own’ something of value, but it was not the cash in the Wells Fargo accounts.” Id.
What this case means. The court never addressed the meaning of “use of a computer” in the context of a phishing scam, a topic that is being debated among several courts around the country. (For what it is worth, I think Posco Daewoo would have lost this argument.) Instead, the court addressed a separate, but just as meaningful issue, the limitation of insured interests for computer fraud coverage under a crime policy, as expressly provided for by the policy. Thus, this decision highlights another boundary for computer fraud coverage.
Although the loss caused by the mis-wired funds was felt both by Allnex and Posco Daewoo, the court clearly saw Allnex as the “owner” of the transferred money and thus the crime victim. The court also appeared to point a finger of blame at Allnex, albeit subtly. The court’s opinion noted how the transfer of funds to the Wells Fargo accounts had not gone “smoothly,” stating that:
After Allnex wired the first payment of $140,800 to an account numbered 3xxxxxx378, the impostor emailed Allnex that there was a “mix-up/typo” and asked Allnex to wire the other payments to an account numbered 2xxxxxx238. [Citation omitted.] Less than a month later, the Daewoo impostor emailed Allnex to once again change the receiving bank account to one numbered 2xxxxxx346. [Id.] When this third account rejected two payments from Allnex, the impostor gave Allnex a fourth account numbered 2xxxxxx246. [Id.] Allnex then completed the payment by wiring money to this fourth account.
These sorts of complications are red flags to a potential phishing fraud, and one wonders whether the court, by reciting these facts, was acknowledging the issue. Here, policy did not insure the negligence of third parties, which Posco Daewoo ultimately was asking its own insurer to cover.