Impact of Sixth Circuit Ruling Against Traveler’s for Losses Resulting from Email Phishing. In an era where cybersecurity is top-of-mind for many businesses, employee education, active monitoring of electronic systems, and early detection of suspicious emails are all key to preventing a cyberattack. However, even the best-prepared company can have a slip-up, allowing a cyberattack or phishing email fraud. The fallout from a successful cyberattack is complex and difficult to manage. A recent decision from the Sixth Circuit provides companies with some guidance on an essential component to manage: ensuring that the company’s insurance policies cover the damage caused by such an attack.
Factual Background. American Tooling Center, Inc. (“ATC”) is a tool and die manufacturer that produces stamping dies for the Michigan automotive industry. ACT outsources some of its manufacturing to Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). In the spring of 2015, an ATC employee sent a routine email to YiFeng, asking YiFeng to provide ATC with all outstanding invoices. Unfortunately, the email from ATC to YiFeng was intercepted by an unidentified third party. The third party then began impersonating YiFeng and exchanged a series of emails with ATC regarding the outstanding invoices. In April 2015, ATC wired in excess of $800,000 to what it believed to be a bank account for YiFeng. Later, when YiFeng inquired with ATC about the status of the outstanding payments, ATC realized that it had wired the money to a fraudster.
ATC sought recovery from Travelers Casualty and Surety Company of America (“Travelers”), arguing that the incident was covered under the “Computer Fraud” provision in ATC’s policy. Travelers denied the claim. ATC sued Travelers in the Eastern District of Michigan for breach of contract. Both parties filed for summary judgment and the district court judge granted summary judgment in favor of Travelers. ATC appealed.
On July 13, the Sixth Circuit, in the first published opinion in favor of a policy holder on this topic, reversed and remanded the district court’s decision, finding that the fraud-based loss was covered under the policy. Am. Tooling Center, Inc. v. Travelers Cas. & Surety Co., 895 F.3d 455 (6th Cir. 2018). In reaching its decision, the Sixth Circuit provided a detailed analysis of the relevant policy language and how it was applicable to the damage suffered by ATC.
Key Points from the Court’s Opinion. ATC’s claim was based on a policy provision that provided for coverage in the event of a “Computer Fraud.” The policy stated that Travelers “will pay [ATC] for [ATC’s] direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”
Travelers’ lead argument for denying coverage was that the loss suffered by ATC was not a “direct loss” and, therefore, not covered under the policy. Travelers claimed that because ATC actually owed money to YiFeng for its services, ATC suffered no direct loss when it paid the money to the fraudster in the Spring of 2015. Only after ATC realized it was defrauded—when YiFeng inquired about outstanding payments and was required to pay the real YiFeng—was ATC damaged as a result of the required “double payment.” In support for this argument, Travelers cited to other Sixth Circuit opinions in which the court held that the definition of “direct” meant “immediate.” Here, the Sixth Circuit distinguished its prior cited definition of direct, which related specifically to cases interpreting language in unique employee-fidelity bonds. Moreover, the court held that the losses suffered by ATC were direct losses because ATC “immediately lost its money when it transferred the approximately $834,000 to the impersonator; there was no intervening event.” Am. Tooling Center, Inc., 895 F. 3d at 460-61.
Next, Travelers argued that the fraud was not a “Computer Fraud” as defined under the policy because a computer had to have caused the fraudulent loss, not just have facilitated the loss. The policy defined “Computer Fraud” as “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from in the Premises or Financial Institution Premises: (1) to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or (2) to a place outside the Premises or Financial Institution Premises.” The Sixth Circuit rejected this argument, stating: “Travelers’ attempt to limit the definition of ‘Computer Fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well founded” and that if Travelers wished to limit the policy to such a narrow definition, it easily could have done so. Id. at 462.
Finally, Travelers argued that, regardless of the policy’s coverage, some exclusion provisions applied. Specifically, Travelers said that coverage was excluded because: (i) ATC had transferred money to the fraudster, believing it to be YiFeng, in exchange for goods ATC received from YiFeng; and (ii) ATC’s employees had input “Electronic Data” (i.e., manually inputting the fraudulent bank account wire information) into the system prior to the wire transfer. The policy did contain an exclusion for any loss or damage caused directly or indirectly from the input of Electronic Data into the insured’s computer system and defined Electronic Data as “facts or information converted to a form: (1) usable in a Computer System; (2) that does not provide instructions or directions to a Computer System; or (3) that is stored on electronic processing media for use by a Computer Program.” Id. at 464-65. The Sixth Circuit held these exceptions were not applicable, finding ATC did not surrender the money to the fraudster in exchange for a good or service and the act of inputting the fraudulent bank account wire information did not qualify as inputting Electronic Data as defined in the policy, because the input qualified as an “instruction or direction” to the Computer System.
Conclusion. Given the increasing threat of cyberattacks, ensuring that a company has proper insurance coverage in the event of an attack has become all the more important. The Sixth Circuit’s opinion ruling against Travelers highlights the importance of a Computer Fraud provision and also provides helpful insight regarding both the key language and phrases that are likely broad enough to cover the wide variety of cyberattacks that may occur and the arguments policy holders need to be prepared to address from their insurers.
The modern threat of cyberattacks will also likely continue to be a hot topic in the insurance litigation space for the foreseeable future. In August, pharmaceutical company Merck & Co, Inc. (“Merck”) filed suit in the Superior Court of New Jersey asserting claims for breach of contract and declaratory judgment against a number of insurers and reinsurers who had denied Merck coverage for the damage it suffered as a result of a network interruption caused by a malware infection in June 2017. Merck & Co., Inc. v. Ace American Insurance Co., No. UNN-L-002682-18 (N.J. Sup. Ct.). Although at its earliest stages, the Merck lawsuit is potentially another matter for companies to watch for instructive guidance on key policy language related to cyberattacks.