Last week, the Vermont Supreme Court in Rainforest Chocolate, LLC v. Sentinel Insurance Company, 2018 VT LEXIS 240 (Vt. Dec. 28, 2018), held that the “False Pretense” exclusion in a business-owner policy did not exclude loss from a phishing scam.
Rainforest Chocolate involved an underlying business email compromise (BEC), a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the email’s recipient into wiring money to them. The Vermont Supreme Court held that the exclusion was ambiguous given the different use of the terms “physical loss and physical damage” versus “loss and damage” throughout the provisions of the policy. The court then remanded the case for determination of whether the loss qualified under insuring agreements for Forgery, and for Money and Securities. This case illustrates another example of how factual scenarios found in phishing scams can create perceived uncertainties in coverage in older provisions, and courts’ intolerance for such uncertainties.
BECs represent a significant risk to U.S. companies and to the economy as a whole. In a recent report, the Federal Bureau of Investigation estimated that BECs have caused over $5 billion in losses since 2013. The same report concluded that the loss totals for 2017 alone represented the highest estimated out-of-pocket loss from any class of cyber-facilitated crime that year.
In Rainforest Chocolate, an employee of Rainforest received an email purporting to be from his manager requesting the employee to wire $19,875 to a specified bank account. According to the court, “an unknown individual had gained control of the manager’s email account and sent the email.” Id. at *1. [As an aside, there is no indication whether this conclusion is correct, or whether the fraud was perpetrated through the use of scripting and an outside account.] After the employee had wired the funds and the loss was realized, Rainforest sought coverage under its business-owner policy, which had insuring agreements for Forgery, Money and Securities, and Computer Fraud. Id. at *5-6.
Specifically, in the “Additional Coverages” section of the policy, the policy provided coverage for:
(1) We will pay for loss resulting directly from forgery or alteration of any check, draft, promissory note, or similar written promises, orders or directions to pay a sum certain in “money” that you or your agent has issued, or that was issued by someone who impersonates you or your agent.
* * *
i. Money and Securities
(1) We will pay for loss of “money” and “securities” used in your business while at a bank or savings institution, within your living quarters or the living quarters of your partners or any employee having use and custody of the property, at the “scheduled premises,” or in transit between any of these places, resulting directly from …. (a) “Theft”
* * *
Id. at *5-6.
The insurer denied coverage under the “False Pretense” exclusion, which stated as follows:
2. We will not pay for physical loss or physical damage caused by or resulting from:
* * *
f. False Pretense: Voluntarily parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense.
Id. at *6-7.
While the False Pretense exclusion used the term “physical loss or physical damage,” the Forgery and Money and Securities coverages used the term “loss.” Supra. The insured argued that the False Pretense exclusion did not apply because it only excludes “physical loss or physical damages,” and the loss of money at issue was not a physical one. The insurer, on the other hand, argued that the insured lost “actual, physical control and possession” of money that otherwise could have been withdrawn from its bank account, and that therefore the loss was a “physical loss” to fall within the False Pretense exclusion. Id. at *8, 9-10.
The court rejected the carrier’s argument that the loss of funds via mis-wiring them can only be characterized as a physical loss. The court looked to a decision rendered by the Montana federal court in Ad Advert Design, Inc. v. Sentinel Insurance Company, 2018 U.S. Dist. LEXIS 165467 (D. Mont. Sept. 26, 2018), another BEC coverage case, and the differing use of loss and physical loss in the policy’s coverages for Forgery, Money and Securities, and Computer Fraud, to conclude that “it cannot be said that all ‘money’ is subject solely to physical loss simply because funds, whether or not in current use, qualify as ‘money’ under the policy.” Id.
The court then concluded that because the policy did not define the difference between “loss” and “physical loss,” the False Pretense exclusion’s restriction to “physical loss” created an ambiguity in the context of the underlying claim:
The policy uses the two distinct phrases—“physical loss and physical damage” and “loss and damage”—within different sections throughout the policy, sometimes switching between the two sentence to sentence, which would lead the average reader to assume there was some difference between them. But, the policy itself does not define or explain the difference between the two phrases. The trial court dismissed this as “sloppy drafting” but sloppiness should not excuse an insurer from covering losses that a reasonable insured party would expect to be covered, based on a reasonable reading and interpretation of the policy language.
Id. at *15. The court concluded that while it would not “deprive the insurer of unambiguous terms placed in the contract for its benefit,” in the case before it, “the False Pretense Exclusion is subject to at least two reasonable interpretations, and thus is ambiguous.” Id. at *17.
What This Case Means
The dollar figures for this lawsuit were not significant, but the issues addressed are. There is a tug-of-war between affirmative cybersecurity coverage (i.e., coverage expressly underwritten) and “silent” cybersecurity coverage (i.e., coverage for risks that were not considered or underwritten, but for which courts nevertheless determine coverage exists). In a September 24, 2018 Law360 article discussing other BEC coverage litigation, I opined that “insurers may wish to reflect on the various interpretations of computer fraud coverage presented by the courts, and consider revising contract language to ensure clarity and mutual understanding of the scope of coverage contemplated within the four corners of the policy.” Rainforest Chocolate provides further support for this observation. Notably, the trial court in Rainforest Chocolate criticized the policy’s drafting somewhat severely, stating:
The complicated nature of this policy, with its layers of coverages and exclusions, is almost impossible to follow without a compass and a guide. It took the court many hours of reading and rereading the policy and the briefs to reach a clear understanding of how the various provisions fit together. How any insured, however sophisticated, is supposed to determine that it is getting what it paid for with a policy like this is a mystery to the court. Nonetheless, the court concludes that the terms of the policy, while confusing, are not ambiguous and must be enforced as written. [Emphasis added.]
Id. at *2-3. While coverage for phishing scams remains in flux and uncertain, given the nature of the insurance policy provisions typically at issue, and the new technology involved in the underlying facts, courts are finding ambiguity with greater frequency.