UNITED STATES FIFTH CIRCUIT HOLDS $7 MILLION “SOCIAL ENGINEERING” SCAM NOT COVERED BY “COMPUTER FRAUD” INSURANCE POLICY
On October 18, 2016, the United States Court of Appeals for the Fifth Circuit issued its Opinion in Apache Corp. v. Great American Ins. Co., 2016 WL 6090901. The Court reversed the district court’s holding that Apache was entitled to coverage under its crime protection insurance policy that insured losses as a result of alleged computer fraud. The Fifth Circuit found that just because a computer was used in perpetrating the fraud (in that the imposter had used email to send information relating to bank accounts to which improper payments were made), that did not mean that the “Computer Fraud” provision of Apache’s policy provided coverage. The Fifth Circuit held that the use of a computer was merely incidental to the fraudulent scheme and that there was, therefore, no coverage under the policy.
In March 2013 an Apache employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, a vendor of Apache. The caller asked Apache to change the bank account information for its payments to Petrofac. The Apache employee explained that such change would have to be made by a formal request on Petrofac letterhead. A week later, Apache’s accounts-payable department received such correspondence requesting the change from an email domain name that was facially similar to Petrofac’s domain name but was in reality one created to perpetrate the fraud. The email also advised that a letter had been mailed and included a number to call in order to verify the request. An Apache employee called the (also fraudulent) number and concluded that the change request was authentic. Another Apache employee approved and implemented the change. A week later, Apache was transferring funds for payment of Petrofac’s legitimate invoices to the new fraudulent bank account. About $7 million was transferred to the fraudulent account before the scheme was uncovered. Apache recouped some of the losses but still advanced a claim against the Great American policy well in excess of the $1 million deductible.
Apache argued that the claim was covered under the “Computer Fraud” provision of the Great American policy which provided coverage for “loss of … money… resulting directly from the use of any computer to fraudulently cause a transfer…” Great American denied the claim on the basis that the loss did not result directly from the use of a computer and that the use of a computer did not cause the transfer of funds.
The district court granted Apache’s motion for summary judgment finding that the use of email was a “substantial factor” in the fraudulent scheme such that the claim was covered. The district court, however, denied Apache’s claim for statutory penalties under the Texas Insurance Code.
The Fifth Circuit noted that there was only limited authority (none of which was controlled under Texas law) interpreting the meaning of the phrase “the use of any computer to fraudulently cause a transfer.” After reviewing case law from other jurisdictions, the Fifth Circuit noted that the use of email was only part of the scheme and merely incidental to the occurrence of the authorized transfer of money. The Fifth Circuit stressed that the use of email in a fraudulent scheme did not automatically mean that was computer fraud, reasoning that: “To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would… convert the computer-fraud provision to one of general fraud.”
The opinion was designated by the Fifth Circuit as “unpublished,” meaning it is technically of limited precedential value but given the few appellate opinions considering cyber fraud and insurance coverage for that, it will likely still be an important case in this developing area of law. In any event, the case provides some useful reminders of certain general issues in the context of cyber fraud and insurance coverage.
First, it is worth noting that the Fifth Circuit was critical of Apache’s internal systems for preventing this type of fraud describing it as “flawed” going so far as to suggest that “arguably” Apache had actually invited the computer use that was central to the fraudulent insurance claim. The clear message from the Fifth Circuit was that insureds should have better internal systems to avoid such fraud and claims in the first place.
Second, this case represents the key point that insureds need to make sure that they have the right insurance coverage in place to guard against different risks. The Fifth Circuit appeared to see Apache is trying to force a claim into a policy wording that was not designed to cover such claims. There are insurance policies that would have provided coverage for Apache’s loss. In particular, a Social Engineering Fraud endorsement should provide coverage where cyber coverage may not. Insureds should work actively with their lawyers and brokers to make sure that they have the appropriate coverages to protect them from this new and growing area of fraud.
For more information contact: Bland & Partners P.L.L.C.
Bland & Partners is a law firm with offices in Houston, Texas and New Orleans, Louisiana, that has substantial experience in the construction, marine, energy and insurance industries, offering exceptional legal representation and advice. With our specialized focus on specific industries, our accomplished team of partners and associates has obtained extraordinary results. It is this experience that allows us to provide you with the concise, actionable advice required to achieve your goals. For more information regarding this or other matters, please contact us.