Among the fastest growing risks to any business are social engineering attacks, also known as business email compromises, in which a company’s employees are tricked into misrouting funds by an email from a criminal imposter. Most frequently the imposter’s email impersonates either a vendor or an executive of the company itself. Businesses in any sector can fall victim to these schemes. When businesses suffer this type of loss and then are denied insurance coverage, the denial frequently comes as a surprise, leaving the business owners feeling as if they have been victimized a second time.
Within a two month period in Summer 2018, two significant appellate decisions affirmed lower court rulings finding coverage for business email compromises. Medidata Solutions Inc. v. Federal Insurance Co., 729 Fed. Appx. 117 (2d Cir. 2018); American Tooling Center, Inc. v. Travelers Casualty & Surety Co., 895 F.3d 455 (6th Cir. 2018). These two decisions signaled a trend in favor of coverage.
Three more recent court decisions, however, illustrate how differences in policy language can produce varied outcomes. These three decisions underscore the importance to businesses of undertaking a proactive review of their insurance programs, with an eye toward this sort of loss, before the policy is purchased.
In Tidewater Holdings, Inc. v. Westchester Fire Insurance Company, 2019 WL 2326818 (W. D. Wash. May 31, 2019), the court held that a corporate indemnity policy covers losses that were incurred when a fake email convinced an employee to change the routing coordinates for payments to a vendor. The policy contained a broad exclusion entitled “Fraudulent Transfer Request,” which barred coverage under most coverage parts for “the intentional misleading of an employee, through misrepresentation of a material fact…”. However, this exclusion was inapplicable to one coverage part, “Supplemental Funds Transfer Coverage,” which expressly provided coverage for “Fraudulent Transfer Requests.” The Court therefore held that coverage applied under that one section of the policy.
In The Childrens Place, Inc. v. Great American Insurance Company, 2019 WL 1857118 (D.N.J. April 25, 2019), the policy lacked the Fraudulent Transfer request exclusion, and therefore the court denied an insurer’s motion to dismiss with respect to a loss based on intercepted and fraudulent emails under the Computer Fraud section in a Crime Protection Policy. However, the New Jersey court granted the insurer’s motion to dismiss with respect to a different section of the policy, its “Forgery or Alteration” coverage, finding that the emails were not sufficiently similar to “checks, drafts, or promissory notes” to fall within the wording of that section. Also, the court found no coverage under the “Fraudulently Induced Transfers” section of the policy, on the grounds that the insured did not take certain precautionary measures that might have prevented the loss, and such measures were conditions precedent to coverage under this section.
