The Fidelity Law Journal · that target large numbers of people, i.e. phone frauds (“vishing”),...

The Fidelity Law Journal published by The Fidelity Law Association Volume XXIII, November 2017 Editor-in-Chief Michael Keeley Associate Editors Carla C. Crapster Robert J. Duke Adam P. Friedman Ann I. Gardiner Jeffrey S. Price John R. Riddle Daniel J. Ryan Robyn L. Sondak Joel Wiegert Cite as XXIII FID. L.J. ___ (2017)



THE FIDELITY LAW ASSOCIATION

Executive Committee

President Robert Olausen, ISO

Vice President Dolores Parr, Zurich, NA

Secretary Michael V. Branley, The Hartford

Treasurer Timothy Markey, Great American Insurance Co.

Past President Michael Retelle, CUMIS

Members Lisa A. Block, AXIS Insurance

Robert Flowers, Travelers Ann Gardiner, ABA Insurance Services, Inc.

Mark Struthers, CUMIS

Advisors Emeritus Samuel J. Arena, Jr., Stradley, Ronon, Stevens & Young, LLP

Robert Briganti, Belle Mead Claims Service, Inc. CharCretia V. Di Bartolo, Hinshaw & Culbertson LLP

Michael Keeley, Strasburger & Price, LLP Harvey C. Koch, Montgomery Barnett, LLP

Armen Shahinian, Chiesa Shahinian & Giantomasi PC

Advisors Susan Sullivan, Sedgwick LLP

Gary J. Valeriano, Anderson McPharlin & Connors LLP

The Fidelity Law Journal is published annually. Additional copies may be purchased by writing to: The Fidelity Law Association, c/o Chiesa Shahinian & Giantomasi PC, One Boland Drive, West Orange, New Jersey 07052. The opinions and views expressed in the articles in this Journal are solely of the authors and do not necessarily reflect the views of the Fidelity Law Association or its members, nor of the authors’ firms or companies. Publication should not be deemed an endorsement by the Fidelity Law Association or its members, or the authors’ firms or companies, of any views or positions contained herein. The articles herein are for general informational purposes only. None of the information in the articles constitutes legal advice, nor is it intended to create any attorney-client relationship between the reader and any of the authors. The reader should not act or rely upon the information in this Journal concerning the meaning, interpretation, or effect of any particular contractual language or the resolution of any particular demand, claim, or suit without seeking the advice of your own attorney.

The information in this Journal does not amend, or otherwise affect, the terms, conditions or coverages of any insurance policy or bond issued by any of the authors’ companies or any other insurance company. The information in this Journal is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends upon the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.

Copyright © 2017 Fidelity Law Association. All rights reserved. Printed in the USA. For additional information concerning the Fidelity Law Association or the Journal, please visit our website at http://www.fidelitylaw.org.

Information which is copyrighted by and proprietary to Insurance Services Office, Inc. (“ISO Material”) is included in this publication. Use of the ISO Material is limited to ISO Participating Insurers and their Authorized Representatives. Use by ISO Participating Insurers is limited to use in those jurisdictions for which the insurer has an appropriate participation with ISO. Use of the ISO Material by Authorized Representatives is limited to use solely on behalf of one or more ISO Participating Insurers.


Michael Davisson is a member and Patricia Michelena Parisi is of counsel with Cozen O’Connor in Los Angeles, California. Lawrence S. DeVos is Claims Counsel with Zurich American Insurance Company in Atlanta, Georgia.

SOCIAL ENGINEERING CLAIMS

Michael Davisson Patricia Michelena Parisi

Lawrence S. DeVos

I. INTRODUCTION

Social engineering fraud refers to all of the various schemes designed to manipulate people into performing actions (usually involving the transfer of money or property) or divulging confidential information (which allows a fraudster to transfer money or property). Mass frauds that target large numbers of people, i.e. phone frauds (“vishing”), email and texting frauds (“phishing” and “smishing”), and frauds involving computer hacking into private or public databases, have received widespread attention. However, frauds directed at specific companies (so-called targeted frauds) are sometimes more sophisticated because the fraudsters may need to gather publicly available information about the company to learn details about the individuals within that company who are authorized to transfer money. Once this information is obtained, fraudsters use this data to trick or coerce employees into making an urgent and high value cash transfer to a designated bank account that is closed soon after the transfer.

Targeted social engineering frauds can take many different forms, but, of late, such scams have frequently involved: 1) fraudsters posing as senior company executives who convince employees (often residents in international or far-flung offices) to transfer funds to support phony acquisitions or purchases; 2) scammers posing as authorized vendors of the company seeking to reroute legitimate payments owed to the real vendor; or 3) fraudsters posing as bank security officials seeking confidential bank information based upon a false security threat. Often using a combination of phone calls and emails, fraudsters employ tactics that create substantial pressure on the employee, conveying both a sense of urgency and implicit or explicit threats regarding job security if the employee fails to perform as demanded. Similarly, the fraudsters frequently counsel the employees that the transaction is highly confidential to prevent the employees from conferring with others (who may be more likely to identify the communications as a scam).

Unfortunately, such schemes have been all too successful in persuading unsuspecting employees to transfer sensitive information or funds, and are increasing in frequency and complexity. The Federal Bureau of Investigation, which identifies such scams as an emerging global threat, reports that companies and individuals in all fifty states and in 131 countries have fallen victim to such scams.1 Between October, 2013 and December 2016, the FBI reports 40,203 domestic and international incidents and $5.3 billion in exposed loss.2 This includes 22,292 domestic U.S. victims and $1.6 billion in total U.S. exposed dollar loss.3 Moreover, between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses.4 Similarly, one fifth of those losses came in the last seven months of 2016, confirming the huge surge in the number of these schemes.5

In response to the increased frequency and size of these frauds, employers are increasingly relying upon regular internal training on anti-fraud procedures, more robust and well-defined policies and procedures (such as call-back procedures and multiple layers of authentication before transferring funds), more frequent risk assessments, retention of experienced security professionals (both external and internal), and security incident management to thwart these social engineering scams. However, the efficacy of such risk management protocols is undercut by human nature (i.e., fear, the desire to help, and the desire to trust) and the ever-evolving nature of social engineering schemes. Thus, many companies continue to look to insurance to defray all or part of the costs associated with these events, and commercial crime policies have been the focus of much of those efforts.

1 See May 04, 2017 Public Service Announcement, Alert No. I-050417-PSA. Available at https://www.ic3.gov/media/2017/170504.aspx.

2 Id. Exposed dollar loss includes actual and attempted loss in United States Dollars.

3 Id.

4 Id.

5 Id.

However, as will be explored below, many social engineering claims are not covered under traditional commercial crime policy insuring agreements, such as the computer fraud and funds transfer fraud insuring agreements, as they do not involve the unauthorized withdrawal of funds from the insured’s account or the use of a computer to directly cause a transfer. Rather, social engineering scams typically involve an authorized withdrawal induced by fraud directly brought about by a human being (not a computer), and so may not be covered under either of the traditional crime policy coverages. This article will review recent case law regarding these claims, and will analyze potential coverage for such claims under the various insuring agreements of the commercial crime policy. Potentially applicable exclusions that may bar coverage even if facially covered by one or more insuring agreements will also be examined. Finally, this article will analyze the response of the insurance marketplace to the need for this coverage, including the new insuring agreements for social engineering claims that have been available since at least 2014.

II. THE COMPUTER FRAUD INSURING AGREEMENT

One of the first insuring agreements cited by insureds seeking coverage for social engineering losses is the computer fraud insuring agreement. The computer fraud insuring agreement typically provides coverage for:

Loss of or damage to Money, Securities or Property resulting directly from the use of any computer to fraudulently cause a transfer of Money, Securities or Property from inside the Premises or Banking Premises to either a person (other than a Messenger) or a place outside those Premises.6

6 The exemplar language is taken from a proprietary Zurich crime policy form and is reprinted with Zurich’s permission.

Thus, generally speaking, computer fraud insuring agreements limit coverage to direct loss from “theft” through the use of a computer system. Accordingly, hacking is the type of activity that might be covered by this insuring agreement.

Disputes regarding the scope of coverage afforded by the computer fraud insuring agreement have mostly centered on the meaning of the phrases “resulting from” and “use of any computer to fraudulently cause a transfer” and the degree to which the use of a computer caused the loss.7 As seen from the cases discussed below, the vast majority of courts that have considered the issue have held that this language requires some sort of computer hacking or manipulation in order to trigger coverage.8

The Ninth Circuit Court of Appeals’ decision in Pestmaster Services, Inc. v. Travelers Casualty & Surety Co.9 is illustrative of the views of most courts. In Pestmaster, a payroll contractor hired to pay the insured’s employment taxes misappropriated the insured funds after the funds had been transferred from the insured’s bank to the payroll company. The insured sought coverage under the computer fraud insuring agreement (among others), alleging that the contractor’s use of the computer to transfer funds triggered coverage. The court disagreed, finding “the phrase ‘fraudulently cause a transfer’ to require an unauthorized transfer of funds.”10 As the contractor was authorized to transfer the funds in order to pay payroll taxes, the theft of the funds after the authorized transfer had taken place did not trigger coverage under the computer fraud coverage of the policy.

7 See Vonage Holdings Corp. v. Hartford Fire Ins. Co., No. 11-6187, 2012 WL 1067694 at *3 (D.N.J. Mar. 29, 2012) (discussing whether charges from telecommunications carrier flowing from re-routing of telephone calls falls within computer fraud insuring coverage).

8 See Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821, 826-27 (6th Cir. 2012) (hacking into insured’s network to obtain customer data fell within computer fraud insuring agreement, but loss excluded by confidential information exclusion); InComm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-CV-2671-WSD, 2017 WL 1021749, at *8 (N.D. Ga. Mar. 16, 2017) (“Lawyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain—between the perpetrators’ conduct and the loss—unreasonably strain the ordinary understanding of “computer fraud” and “use of a[ ] computer.”); Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039, 2014 WL 3844627 (C.D. Cal. July 17, 2014); Great Am. Ins. Co. v. AFS/IBEX Fin. Serv.’s, Inc., No. 307-CV-924, 2008 WL 2795205, at *1 (N.D. Tex. July 21, 2008), aff’d, 612 F.3d 800 (5th Cir. 2010) (rejecting coverage where computer used to submit false loan applications to induce the insured to issue checks, as use of computer was authorized); Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085-SEB-JPG, 2006 WL 693377 (S.D. Ind. Mar. 10, 2006); Northside Bank v. Am. Cas. Co., 60 Pa. D. & C.4th 95 (Pa. Ct. Com. Pl. 2001).

9 Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332, 333 (9th Cir. 2016).

Three months after Pestmaster was decided, the Fifth Circuit in Apache Corp. v. Great American Ins. Co. determined that there was no coverage under the computer crime insuring agreement as the use of a computer was merely incidental to the scheme.11 There, a fraudster posing as an established vendor of the insured corporation contacted the insured’s employee by telephone, informed the employee that the vendor’s bank account information had changed, and requested that future payments be processed into the new account.12 The employee directed the vendor to submit a formal request on a letter with the vendor’s letterhead. The fraudster then sent an email to the insured’s accounts payable department, requesting the change, and included as an attachment a copy of the requested letter. Upon receiving the email, another employee contacted the telephone number listed on the bogus letter, and confirmed the authorization to make the account change. A third employee approved the request and implemented the change. Thereafter, the insured transferred funds for payment of vendor invoices into the fraudulent bank account.

The insured sought coverage for its loss under the computer fraud insuring agreement of its crime policy, arguing that it need only prove that a computer was used in the chain of events which caused the loss in order to invoke coverage.13 However, the Fifth Circuit rejected this argument, finding that the computer use (i.e., the email) “was merely incidental to” the scheme and that, “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.”14 The court also observed that the proliferation of email as a means of communication supported its finding. The court stated: “when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between ‘computer’ and ‘telephone’ was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.”15

10 Id.

11 Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016).

12 Id. at 253.

13 Id. at 258.

The Apache decision is also noteworthy because it rejected a proximate cause analysis in interpreting the phrase, “resulting directly from” in fidelity policies.16 In finding that the loss in Apache did not result directly from computer fraud, the court declined to adopt the insured’s argument that the use of the computer in the string of events supported coverage under a more liberal causation analysis.17 Instead, the court stated:

Viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.18

Following Apache, the district court in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America similarly rejected coverage under the computer fraud insuring agreement for loss caused by the insured’s transfer of funds to an account of a fraudster posing as the insured’s vendor.19 There, the insured sent an email to the vendor requesting copies of all outstanding invoices. In response, the insured received an email from a fraudster, posing as the vendor, requesting that payment on several outstanding (and legitimate) invoices be directed to a new bank account. The email address used by the fraudster was similar to that of the true vendor, further confusing the insured. After transferring the funds to the new account and then learning of the deceit, the insured turned to its insurer for coverage for the loss. However, the court held that the computer fraud insuring agreement provided no coverage, as the insured “did not suffer a ‘direct loss’ that was ‘directly caused by computer fraud.’”20 The court noted that the emails did not directly cause the transfer; rather, intervening events, including the fact that the insured had verified the invoices and transferred funds without verifying account information, precluded a finding of direct loss from the use of the computer.21 The court also noted that the loss was not caused by any infiltration or hacking of the insured’s computer system.22

14 Id. (citing Pestmaster, 656 F. App’x at 332).

15 Id.

16 Cf. First Nat’l Bank of Louisville v. Lustig, 961 F.2d 1162, 1167 (5th Cir. 1992) (“[L]oss is directly caused by the dishonest or fraudulent act within the meaning of the Bond where the bank can demonstrate that it would not have made the loan in the absence of the fraud.”).

17 Apache, 662 F. App’x at 258.

18 Id. at 259.

The American Tooling Center court also distinguished Medidata Solutions, Inc. v. Federal Insurance Co.,23 a recent decision from the district court in the Southern District of New York, where the court found coverage under a computer fraud insuring agreement which did not include language limiting coverage to loss “directly caused by” the use of a computer. In Medidata, the insured transferred insured funds based on an email from a fraudster posing as the company president directing the transfer. The email appeared authentic as the fraudster embedded a computer code in the spoof email which caused the server to alter the email to make it appear that it was sent by the true president. The email included the president’s actual email address and picture, and had the appearance of a company email. The computer fraud insuring agreement broadly covered “the unlawful taking or the fraudulently induced transfer of Money . . . resulting from a Computer Violation.”24 Given the broad language of the insuring agreement, and the use of a hidden computer code which caused an alteration in the email, the Medidata court found coverage for the loss.

19 American Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., No. 11-6187, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017).

20 Id. at *2.

21 Id.

22 Id. at *3.

23 No. 15-CV-907, 2017 WL 3268592 (S.D.N.Y. July 21, 2017).

Nonetheless, while the majority of courts considering coverage for loss “resulting directly from” the use of a computer have found that coverage only applies in cases where hacking, computer or data manipulation, or otherwise unauthorized use of a computer directly causes the loss, one decision from a trial court in Connecticut, Owens, Schine & Nicola v. Travelers Casualty & Surety Co., broadly applied the computer fraud coverage and rejected the argument that the loss must result from computer manipulation or hacking.25 While the Owens decision was subsequently vacated, it has been cited and distinguished by several courts examining computer fraud coverage. In Owens, the insured attorney received emails from a purported new client who requested legal assistance in collecting a debt.26 Later, the client informed the attorney, again by email, that the matter had been settled and the debtor was sending the settlement check to the attorney. When the attorney received the check, he immediately wired the settlement funds from the firm’s client trust account to an entity in China, pursuant to the client’s email instructions. The attorney then discovered that the legal matter—and the check—were bogus, and he made a claim for his loss under the firm’s crime policy.

After rejecting the insurer’s argument that the computer fraud insuring agreement required the loss to result from computer hacking, the Owens court found that the policy was ambiguous as to the amount of computer usage that was necessary to constitute computer fraud. The court also found “[t]he emails were the proximate cause . . . of [the insured’s] loss because the e-mails set the chain of events in motion that led to the entire loss.”27 The court interpreted the ambiguity against the insurer, and found that the use of emails and a fraudulent, electronically manufactured check were sufficient to trigger coverage. Accordingly, the court denied the insurer’s motion for summary judgment. As noted above, the Owens decision was later vacated by the Connecticut trial court and appears to be an outlier given that subsequent decisions from multiple jurisdictions have limited the coverage afforded by the computer fraud insuring agreement to loss resulting directly from computer hacking, manipulation, or unauthorized computer use.

24 Id. at 8. Additionally, “Computer Violation” was defined by the policy to include “the fraudulent . . . change to Data elements or program logic of a Computer System.”

25 See Owens, Schine & Nicola v. Travelers Cas. & Surety Co., No. CV095024601, 2010 WL 4226958, at *7 (Conn. Super. Ct. Sept. 17, 2010), vacated, No. FBT-CV-09-5024601-S, 2012 WL 12246940 (Conn. Super. Ct. Apr. 18, 2012).

26 Id. at *1.

III. THE FUNDS TRANSFER FRAUD INSURING AGREEMENT

In addition to coverage for computer fraud, insureds also look to the crime policy’s funds transfer fraud insuring agreement for coverage in the event of loss from a social engineering scam. The funds transfer fraud insuring agreement generally provides coverage for “loss of Money or Securities resulting directly from a Funds Transfer Fraud directing a Financial Institution to transfer, pay or deliver such Money or Securities from the Insured’s Transfer Account.”28 “Funds Transfer Fraud” is typically defined by the Crime Policy as follows:29

1. A fraudulent electronic, telegraphic, cable, teletype, telefacsimile or telephone instruction which purports to have been transmitted by the Insured, but which was in fact fraudulently transmitted by someone else without the Insured’s knowledge or consent;

2. A written instruction . . . issued by the Insured, which was forged or altered by someone other than the Insured which purports to have been issued by the Insured, but was in fact fraudulently issued without the Insured’s knowledge or consent; or

3. A fraudulent electronic, telegraphic, cable, teletype, telefacsimile, telephone or written instruction initially received by the Insured which purports to have been transmitted by an Employee but which was in fact fraudulently transmitted by someone else without the Insured’s or the Employee’s knowledge or consent.

27 Id. at *8.

28 The exemplar language is taken from a proprietary Zurich crime policy form and is reprinted with Zurich’s permission.

29 Id. (emphasis omitted).

“Coverage exists under [this provision] for loss of funds resulting directly from a fraudulent instruction directing financial institutions to transfer, pay or deliver funds from [the insured’s] account.”30 While the funds transfer insuring agreement is designed to cover the unauthorized transfer of funds caused by fraudulent instructions relayed to a financial institution, very few courts have interpreted the language of this insuring agreement. In Pestmaster, the district court said that the purpose of such coverage is to protect the insured “from someone breaking into the electronic fund transfer system and pretending to be an authorized representative or altering the electronic instruction to divert monies” from the insured’s account.31 Accordingly, the Pestmaster court held that the insuring agreement did not cover “valid electronic instructions unless modified or altered by someone not a party to the relationship,” and ruled that the misappropriation of funds, after the funds had been transferred with the insured’s authorization to its payroll contractor for payment of taxes, was not covered by the funds transfer insuring agreement.32

Likewise, where an employee of the insured wired money based upon instructions sent via email by a fraudster, the court in Taylor & Lieberman v. Federal Insurance Co. found the funds transfer coverage did not provide coverage.33 The court noted that, while the insured did not know the instructions were fraudulent, the insured requested and knew about the wire transfers.34 Thus, where the insured authorizes or effects the transfer of its funds, the funds transfer fraud insuring agreement will not provide an answer to those who fall victim to social engineering scams.35

30 Great Am., 2008 WL 2795205, at *15.

31 Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039, 2014 WL 3844627, at *5 (C.D. Cal. July 17, 2014), aff’d in part, rev’d in part, 656 F. App’x 332 (9th Cir. 2016); see also Northside Bank, 60 Pa. D. & C.4th 95.

32 Pestmaster, 2014 WL 3844627, at *5 (citing Cumberland Packing Corp. v. Chubb Ins. Corp., 958 N.Y.S.2d 306 (N.Y. Sup. Ct. 2010)).

While the weight of authority clearly supports a finding that the transfer of funds by the insured, even if tricked into initiating the transfer, is not covered under the funds transfer fraud insuring agreement, the district court in Medidata took a contrary view. In Medidata, the funds transfer fraud insuring agreement provided coverage for “direct loss of Money or Securities sustained by an Organization resulting from Funds Transfer Fraud committed by a Third Party.”36 “Funds Transfer Fraud” was defined as: “fraudulent electronic . . . instructions . . . purportedly issued by an Organization, and issued to a financial institution directing such institution to transfer, pay or deliver Money . . . from [the insured’s] account . . . without such Organization’s knowledge or consent.”37 In finding coverage under the funds transfer fraud insuring agreement, the court focused less on the language of that insuring grant and more on the fact that, since the transfer of funds occurred by trick (the manipulation of emails), it was a fraudulent transfer.38 Of course, the insuring agreement in Medidata did not limit coverage to loss resulting “directly from” “Funds Transfer Fraud,” which makes this decision distinguishable. Accordingly, whether any other court will follow the lead of this very recent decision, which failed to analyze coverage in the context of the policy language at issue, is questionable.

33 Taylor & Lieberman v. Fed. Ins. Co., No. 15-56102, 2017 WL 929211, at *2 (9th Cir. Mar. 9, 2017).

34 Id. at *2; see also Morgan Stanley Dean Witter v. Chubb Grp. of Ins., No. L-2928-01, 2005 WL 3242234, at *4 (N.J. Super. Ct. App. Div. Dec. 2, 2005) (insuring agreement covering loss from “fraudulent fax transfer instructions [that] fraudulently purport to have been made by a customer…” requires instructions to be made by an imposter).

35 See also HR Knowledge, Inc v. Prof’l Ins. & Risk Brokerage, LLC, Nos. 04-5220-BLS2, 00-2223A, 2006 WL 6306299, at *1 (Mass. Super. Ct. Apr. 24, 2006) (“This provision, by its plain language, covers fraudulent transfers of funds via a computer . . . it does not cover the fraudulent misuse of funds by HR’s independent contractor after the authorized transfer of those funds to that contractor . . . for the purpose of paying employees’ wages and payroll taxes.”).

36 Medidata, 2017 WL 3268529, at *2.

37 Id.

38 Id. at *7.

In addition to issues surrounding authorization, some funds transfer fraud insuring agreements contain requirements that the insured follow certain security procedures prior to transferring the funds as a condition of coverage. Courts have strictly enforced those requirements in adjudicating coverage disputes under this insuring agreement. For instance, in Universal City Studios Credit Union v. CUMIS Insurance Society, Inc., the insured sought coverage for loss from the transfer of funds from a member’s account based on the fraudulent instructions of a fraudster posing as the member.39 The fraudster first contacted the credit union by telephone, identified himself as the member, and requested the wire transfer. During the telephone call, the fraudster was able to correctly answer various security questions and his signature on the wire transfer form matched the signature in the credit union’s files. The credit union’s search of a database maintained by the Department of Treasury also verified that neither the member, the entity to which the funds were to be transferred, nor the foreign bank accepting the funds had a criminal history. The credit union also performed a “callback verification” prior to transferring the funds—calling the purported member and again asking certain security questions which were correctly answered.40

Nonetheless, the court held there was no coverage for the loss as the “callback verification” requirement in the fund transfer coverage at issue specifically required that the callback be made to a “secure telephone number,” which, under the policy, was a number the insured had on file for at least thirty days.41 Here, the fraudster had changed the member’s telephone number on file with the credit union five days before the first transfer was made. Thus, there was no coverage.

39 Universal City Studios Credit Union v. CUMIS Ins. Soc’y, Inc., 145 Cal. Rptr. 3d 650 (Ct. App. 2012).

40 Id. at 654.

41 Id. at 656-57.

Similarly, in Sb1 Federal Credit Union v. FinSecure LLC, the district court in Pennsylvania found the security requirements in the funds transfer coverage a condition precedent to coverage.42 There, the fidelity bond required the insured to either perform a callback verification or another “commercially reasonable security procedure set forth in a written funds transfer agreement” signed by the member.43 When the credit union suffered a loss from fraudulent instructions transmitted via email, the insurer denied coverage. The court thereafter dismissed the insured’s complaint as failing to plead sufficient facts describing the “commercially reasonable security procedure” that was executed and followed as required to trigger coverage under the policy.44

IV. POTENTIALLY APPLICABLE EXCLUSIONS TO SOCIAL ENGINEERING CLAIMS

Social engineering claims under the computer fraud or funds transfer insuring agreements may also be subject to several standard exclusions often found in commercial crime policies: the Confidential Information Exclusion, the Authorized Representative Exclusion, and the Voluntary Parting Exclusion.

A. The “Confidential Information” Exclusion

The Confidential Information Exclusion generally bars coverage for the loss of the insured’s confidential information, including patents, trade secrets, processing methods, or customer lists.45 Thus, to the extent that a fraudster succeeds in causing an insured to allow him or her access to confidential information, this exclusion may potentially bar some or all of the claimed loss.

42 Sb1 Fed. Credit Union v. FinSecure LLC, 14 F. Supp. 3d 651 (E.D. Pa. Apr. 9, 2014).

43 Id. at 654.

44 Id. at 657.

45 See Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821, 833-35 (6th Cir. 2012); see also Drexel Burnham Lambert Grp., Inc. v. Vigilant Ins. Co., 595 N.Y.S.2d 999, 1007 (N.Y. Sup. Ct. 1993) (excluding coverage for abuse of confidential information).

The Sixth Circuit Court of Appeals analyzed the meaning of the confidential information exclusion in Retail Ventures, albeit in the context of a computer hack rather than loss caused by a social engineering scam. In Retail Ventures, the plaintiff suffered a loss when its computer system was breached and a fraudster stole customer credit card and bank information and used that information to conduct fraudulent transactions.46 The insurer denied coverage based upon the confidential information exclusion which barred coverage for loss of “proprietary information, trade secrets, Confidential Processing Methods, or other confidential information of any kind.”47 The insurer argued that the phrase “or other confidential information of any kind” included the stolen credit card information.48 The Sixth Circuit Court of Appeals held the exclusion was inapplicable as “customer credit card and checking account information would not come within the plain and ordinary meaning of ‘proprietary information.’”49 Specifically, the Court agreed with the lower court’s finding that “stolen customer information was not ‘proprietary information’ at all, since the information is owned or held by many, including the customer, the financial institution, and the merchants to whom the information is provided in the ordinary stream of commerce.”50 The Court also noted that to interpret the phrase, “other confidential information,” to include all information of the type that is generally protected from public disclosure—such as the confidential credit card and checking account information at issue—would cause the exclusion to swallow “not only the other terms in the exclusion but also the coverage for computer fraud.”51

The Court further agreed with the district court in limiting the term “trade secrets” to mean “[p]laintiffs’ information which is used in [p]laintiffs’ business, which gives [p]laintiff an opportunity to obtain advantage over competitors who do not know or use the information.”52 With regard to the term, “Confidential Processing Methods,” the Court interpreted the phrase to mean, “[p]laintiffs’ secret process or technique for doing something, ‘which in the context of the Exclusion, relates to [p]laintiff[s’] business operation.’”53

46 Retail Ventures, 691 F.3d at 824-25.

47 Id.

48 Id.

49 Id. at 833.

50 Id.

51 Id.

52 Id. at 834 (emphasis in original).

The confidential information exclusion was also held inapplicable to a case decided by the Eighth Circuit Court of Appeals in State Bank of Bellingham v. BancInsure, Inc.54 There, the fraudster used a virus to hack into the insured’s computer system and access the insured’s online bank account and password.55 While a funds transfer could not be made without a token code device inserted into the USB drive, an employee of the insured had accidentally left her device in her computer after making a legitimate transaction.56 The fraudster was able to obtain the necessary token code and complete the transfer.57

The insurer argued that the loss was not covered as the passwords and token codes were “confidential information” needed for the fraudulent transfer, and the confidential information exclusion barred coverage for loss resulting from such information. While the court agreed that the theft of confidential information contributed to causing the loss, the court employed a concurrent causation analysis to find that the computer hacking was the efficient proximate cause of the loss, and thus, under Minnesota law, neither the confidential information exclusion nor any other pertinent exclusion barred coverage.58

B. The Authorized Representative Exclusion

The authorized representative exclusion may also operate to bar coverage for certain social engineering claims. Generally speaking, an authorized representative exclusion bars coverage for loss due to the “theft or any other fraudulent, dishonest or criminal act by any employee, director, trustee or authorized representative of the Insured whether acting alone or in collusion with others.”

53 Id. (emphasis in original).

54 State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456, 460-461 (8th Cir. 2016).

55 Id. at 457-58.

56 Id.

57 Id. at 458-59.

58 Id. at 461.

The decisions in Stanford University Hospital v. Federal Insurance Co.59 and Stop & Shop Cos., Inc. v. Federal Insurance Co.60 are instructive in defining the broad scope of this exclusion and providing guidance on how it may be applied in social engineering claims, although neither case involved such scams. Both of these cases addressed the misappropriation of funds by Hamilton Taft, a company hired by two separate insureds—Stanford University Hospital and Stop & Shop—to perform payroll tax payment services. The exclusion in the Federal policy at issue in both of these cases excluded losses from the theft or dishonest acts of the insured’s “authorized representative.”61

Both appellate courts found that Hamilton Taft qualified as an “authorized representative” and that the exclusion applied. In so holding, the court in Stanford University Hospital explained that the unambiguous exclusion bars “coverage for misappropriation of funds by those individuals or entities authorized by the insured to have access to the funds; in essence, those whom the insured empowers to act on its behalf.”62 The Stop & Shop court relied on the dictionary definition of “authorized” in reaching its decision that the phrase was unambiguous and applied to bar coverage.63 Specifically, the court noted that “Black’s Law Dictionary,64 defines ‘authorized’ as ‘possessed of control or power delegated by a principal to his agent’ . . .” whereas “Webster’s Third New International Dictionary (Unabridged)65 defines ‘authorized,’ inter alia, as ‘endorse[d], empower[ed],’. . .”66 As the insured had delegated the task of paying corporate employment taxes to the payroll company, the Court found the ensuing theft of monies by that company fell within the terms of the exclusion.67

59 Stanford Univ. Hosp. v. Fed. Ins. Co., 174 F.3d 1077 (9th Cir. 1999).

60 Stop & Shop Cos., Inc. v. Fed. Ins. Co., 136 F.3d 71 (1st Cir. 1998).

61 Stanford Univ., 174 F.3d at 1082; Stop & Shop Cos., Inc., 136 F.3d at 72.

62 Stanford Univ., 174 F.3d at 1085.

63 Stop & Shop, 136 F.3d at 74.

64 BLACK’S LAW DICTIONARY 133, 134 (6th ed. 1990).

65 WEBSTER’S THIRD NEW INT’L DICTIONARY 146 (1966).

66 Id.

67 See also Kubota Credit Corp., U.S.A., v. Fed. Ins. Co., No. CV-10-2521-GHK (FMOx), 2012 WL 12033876, at *4 (C.D. Cal. 2012) (defining “authorized” within authorized representative exclusion to mean “to give legal authority,” “to empower, justify, or permit by or as if by some recognized or proper authority”).

More recently, the Ninth Circuit Court of Appeals explained that the use of the term “authorized representative” within the exclusion was meant as “a straightforward effort to embrace all statuses that are ‘authorized,’ and thus are the insured’s responsibility to supervise.”68

Elsewhere, the court in Colson Services Corp. v. Insurance Co. of North America concluded that, under the same type of exclusion applying to an “authorized representative,” a company given authority by another company to act as its agent in choosing investments fell within the meaning of that term.69 Similarly, in Milwaukee Area Technical College v. Frontier Adjusters, the court found that theft from an adjuster hired to process workers compensation claims was excluded under a similar exclusion for dishonest acts of an “authorized representative.”70

In general, the authorized representative exclusion significantly limits coverage for funds transfers by authorized representatives, regardless of the reason for the transfer. Thus, to the extent an authorized representative transfers or parts with monies as the victim of a social engineering scam, the presence of such an exclusion in the insured’s fidelity policy may very well mean there is no coverage for the loss.

C. The Voluntary Parting Exclusion

Insureds seeking coverage for social engineering losses may also be barred from recovery to the extent the policy contains an exclusion for the “voluntary parting” of money or property. In Schmidt v. Travelers Indemnity Co. of America, a purported new client emailed an attorney seeking representation with regard to the collection of a debt.71 The attorney accepted the case and sent a letter demanding payment to the purported debtor. The debtor agreed to make payment, and thereafter sent a cashier’s check to the attorney in satisfaction of the debt. The attorney deposited the check into the firm’s client trust account and, pursuant to the email instructions of his “client,” wired the funds to his client’s account. After discovering that the cashier’s check was fraudulent, the attorney submitted an insurance claim for the loss. In the ensuing litigation, the insured argued that, where the funds transfer is induced by fraud, it is not a “voluntary parting” under the policy. The court disagreed, finding the language of the exclusion plain, clear, unambiguous, and applicable to bar coverage for the loss.72

68 S. Cal. Counseling Ctr. v. Great Am. Ins. Co., 667 F. App’x 623, 624 (9th Cir. 2016) (citing Stop & Shop, 136 F.3d at 76).

69 Colson Serv. Corp. v. Ins. Co. of N. Am., 874 F. Supp. 65 (S.D.N.Y. 1994).

70 Milwaukee Area Tech. Coll. v. Frontier Adjusters, 752 N.W.2d 396 (Wis. Ct. App. 2008).

71 Schmidt v. Travelers Indem. Co. of Am., 101 F. Supp. 3d 768 (S.D. Ohio 2015).

In Schweet Linde & Coulson, PLLC v. Travelers Casualty Insurance Co. of America, a law firm fell subject to a similar collection scam.73 The purported client, this time an alleged architectural firm in London, asserted that it needed assistance in collecting a debt from a client in Washington. After believing it had collected the debt, the firm wired funds to the client, only to then learn that the cashier’s check it had deposited into its client trust account was fake. Faced with the voluntary parting exclusion’s bar to coverage, the insured argued that, since the exclusion did not include reference to fraud, it was ambiguous and should be construed as limited to the transfer of gifts or similar items. The court disagreed, finding that the exclusion unambiguously barred coverage for parting with property, regardless of the reason for the parting.74

The court in PNS Jewelry, Inc. v. Penn-America Ins. Co., also found the exclusion unambiguous and rejected a similar claim that it did not apply where the insured was tricked into parting with his property.75 In so holding, the court noted that the exclusion is known as the “theft by trickery” exclusion and bars coverage for losses where the insured voluntarily parts with its property as the result of some scam or scheme.76

72 Id. at 778.

73 No. C14-1883RSL, 2015 WL 3447242 (W.D. Wash. May 28, 2015).

74 Id. at *3.

75 PNS Jewelry, Inc. v. Penn-Am. Ins. Co., No. B212348, 2010 WL 685967 (Cal. Ct. App. Mar. 1, 2010).

76 Id.

In sum, as courts have continually found the voluntary parting exclusion to be plain, clear, and unambiguous, the presence of this exclusion in a policy may operate to bar coverage for any social engineering loss.

V. THE MARKETPLACE’S REACTION: THE FRAUDULENT IMPERSONATION AND FRAUDULENTLY INDUCED TRANSFER INSURING AGREEMENTS

Because of the case law described above, which to a large extent finds limited or no coverage for losses caused by social engineering scams, insurance products are now available that explicitly cover an insured’s volitional transfer of funds resulting from a fraudulent scheme. For instance, an insuring agreement published by the Insurance Services Office, Inc. (“ISO”) in 2015 provides coverage for loss caused by “Fraudulent Impersonation.”77 Specifically, this insuring agreement covers:78

[L]oss resulting directly from [the insured] having, in good faith, transferred “money,” “securities” or “other property” in reliance upon a “transfer instruction,” purportedly issued by [the insured] or an “employee,” but which “transfer instruction” proves to have been fraudulently issued by an imposter without the knowledge or consent of [the insured] or such employee.

A second section within this insuring agreement also provides coverage for loss resulting from the transfer of funds based upon fraudulent instructions from a purported “customer” or “vendor.”79

77 Interestingly, the ISO form combines Computer and Funds Transfer Fraud into a single insuring agreement.

78 Insurance Services Office, Inc. Form CR 04 17 11 15 (2015) (excerpts reprinted with permission).

79 Id. That section provides, in its entirety: “We will pay for loss resulting directly from your having, in good faith, transferred ‘money’, ‘securities’ or ‘other property’ in reliance upon a ‘transfer instruction’ purportedly issued by your ‘customer’ or ‘vendor’, but which transfer instruction proves to have been fraudulently issued by an imposter without the knowledge or consent of such ‘customer’ or ‘vendor’.”

Similarly, a form developed in 2015 by the Surety & Fidelity Association of America80 includes coverage for “Fraudulently Induced Transfers.” In the SFAA form, the insuring agreement provides coverage for “loss of funds resulting directly from a ‘fraudulently induced transfer’ causing the ‘funds’ to be transferred from your ‘premises’ or ‘banking premises’ to a person, entity, place or account outside of your control.” The form defines “Fraudulently induced transfer” to mean:81

A transfer resulting from a “payment order” transmitted from you to a financial institution, or a check drawn by you, made in good faith reliance upon an electronic, telefacsimile, telephone or written instruction received by you from a person purporting to be an “Employee,” your customer, a “Vendor” or an “Owner” establishing or changing the method, destination or account for payments to such “Employee”, customer, “Vendor” or “Owner” that was in fact transmitted to you by someone impersonating the “Employee,” customer, “Vendor” or “Owner” without your knowledge or consent and without the knowledge or consent of the “Employee,” customer, “Vendor” or “Owner.”

Notably, both the “Fraudulent Impersonation” and “Fraudulently Induced Transfer” insuring agreements contain explicit conditions that certain security verifications be established and followed during the transfer. For instance, the Fraudulent Impersonation coverage requires, as a precondition of coverage, that the insured verify all transfer instructions “according to a pre-arranged callback or other established verification procedure before acting upon any such ‘transfer instruction’.” The Fraudulently Induced Transfer insuring agreement requires, as a condition to coverage, that:

before forwarding the payment order . . . or issuing the check, [the insured] verified the authenticity and accuracy of the instruction received from the purported ‘Employee,’ customer, ‘Vendor’ or ‘Owner,’ including routing numbers and account numbers, by calling, at a predetermined telephone number, the ‘Employee,’ customer, ‘Vendor’ or ‘Owner’ who purportedly transmitted the instruction to you, and you preserved a contemporaneous ‘written’ record of this verification.82

80 Hereinafter SFAA.

81 The SFAA form is included in the Appendix (reprinted with permission).

Since these new social engineering forms and endorsements have only been available since 2015, the language of these forms has not yet been the subject of any court decision. However, as is the case with the computer fraud and funds transfer fraud insuring agreements, coverage will likely turn upon the precise language used in these insuring agreements, the specific facts of the social engineering scheme, and the applicable policy exclusions. Clearly, certain policy exclusions will limit the scope of these new coverages. For instance, the ISO form contains a Confidential or Personal Information Exclusion which expressly applies to loss resulting from confidential information of others held by the insured, and which expands the meaning of “confidential information” (and thus limits coverage for the disclosure or use of confidential information). However, this same exclusion does not exclude loss resulting from the disclosure or use of the insured’s confidential information if the loss is otherwise covered under the policy, and if the loss results directly from the use of that confidential information.83 In addition, it seems likely that coverage would be excluded under these new forms to the extent that there is coverage under another insuring agreement for the social engineering loss. Accordingly, one could expect to see exclusions for employee dishonesty or theft, or loss due to data theft (which might be covered under the computer fraud and funds transfer fraud insuring agreements).

82 The proprietary policy endorsement issued by Zurich, also found in the Appendix and reprinted with permission, similarly provides that: There shall be no coverage afforded under this [Fraudulent Impersonation] endorsement unless before acting upon any Transfer Instruction the Insured shall confirm the validity of such Transfer Instruction. Such confirmation shall include a prearranged procedure in which the Insured either (1) verifies the authenticity and accuracy of the Transfer Instruction by means of a call back to a predetermined telephone number; or (2) uses some other verification procedure agreed to by the Underwriter in writing.

83 See, e.g., Commercial Crime Policy (Discovery Form) ISO Form CR 00 22 11 15 (excerpts reprinted with permission). The exclusion provides in its entirety: “Loss resulting from: (1) The disclosure or use of another person’s or organization’s confidential or personal information; or (2) The disclosure of your confidential or personal information. However, this paragraph 1.d.(2) does not apply to loss otherwise covered under this Policy that results directly from the use of your confidential or personal information. For the purposes of this exclusion, confidential or personal information includes, but is not limited to, patents, trade secrets, processing methods, customer lists, financial information, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”

VI. CONCLUSION

Regardless of the actual language adopted by insurers when they fully develop their proprietary forms, the explosion of social engineering scams and related losses will undoubtedly cause insureds, risk managers and brokers to continue to strongly advocate for broader social engineering coverage that eliminates pre-conditions and that is subject to a policy’s full limit of liability. Hopefully, underwriters of those policies will remain mindful of the substantial monetary risk involved in many social engineering scams. Given the increasing severity and frequency of social engineering claims, insurers should consider lower limits of liability (i.e. sub-limits), larger retentions, and more fulsome responses during the insurance application process (to better understand the insured’s processes with regard to information technology training and security) before offering such coverage. Moreover, one would hope that when developing their own proprietary forms, insurers would follow the example of ISO and SFAA and require certification that commercially reasonable security procedures be observed before agreeing to insure such risks, and would set observance of those procedures as a pre-condition to coverage. However, how the insurance marketplace resolves the many unanswered questions surrounding these coverages, and whether the ongoing cyber security threat abates or proceeds apace, remains to be seen.
