Policy holders are on a “cyber” roll in July, having prevailed in claims against their insurance carriers in two closely-watched “computer fraud” cases on appeal. In Medidata Solutions, Inc. v. Federal Insurance Company, the U.S. Court of Appeals for the Second Circuit affirmed the lower court’s grant of summary judgment in favor of the insured to the tune of $6 million. And just a few days later, in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, the U.S. Court of Appeals for the Sixth Circuit reversed a lower court judgment in favor of the insurer, rendered summary judgment in favor of the insured, and remanded the case to the district court for further proceedings.
Each of these cases involved employees who were tricked into initiating wire transfers after having received fraudulent e-mails from cybercriminals posing as a vendor in one instance and a company executive in the other. These types of business e-mail compromise scams are successful, profitable, and growing. The FBI recently estimated total losses attributable to these scams to be well over $12 billion.
A typical scenario involves a cybercriminal using social engineering to convince an employee to click on a link or download a file that provides the fraudster access to the company network using malware or a similar program designed to achieve that objective. Once the criminal has access to the system, he gains information about the procedures in place and the people involved in wire transfers. After obtaining the necessary information from this electronic reconnaissance (e.g., when the CFO will be unavailable and unlikely to respond to e-mails seeking wire transfer confirmations), the fraudster spoofs the e-mail address of a vendor and persuades a company employee to initiate a wire transfer to the criminal’s offshore bank account.
When I give cyber insurance presentations, I will usually survey the audience and ask them who thinks this scenario would be covered by a “computer fraud” provision in an insurance policy. The audience almost universally raises their hands. However, as I described in a previous article, insurance companies are united in their efforts to establish that “computer fraud” coverage does not apply in these situations.
Although we can be heartened by these decisions, and I was glad to see language in the opinions that “any ambiguity must be resolved in favor of the insured and against the insurer” and that contract provisions should be construed “against its drafter,” it is a shame that these companies were forced to litigate these coverage claims at all. I sincerely hope that there is a mechanism whereby these companies can recover the attorney’s fees incurred during the years of litigation with their insurance carriers.
But for those of you on the verge of shedding a tear for the insurance companies, fear not! At this very moment, policy language is being revised and endorsements are being issued to better exclude from coverage any future claimants that fall victim to these scams, which are rapidly increasing in both frequency and severity.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high-quality legal representation in intellectual property, cybersecurity, and data privacy matters and disputes.