Is an Email Scam Causing a Business to Lose Clients’ Money Covered Under a First-Party Commercial Policy?

In unpublished decision, the Ninth Circuit Court of Appeals recently denied an accounting firm’s appeal relating to a claim for coverage triggered by an email scam that caused the firm to mistakenly send wire transfers of client funds to fraudsters.

The accounting firm received two emails from an impostor using a client’s email address, requesting wire transfers totaling more than $190,000 to accounts in Malaysia and Singapore. Believing it was a client request, the accounting firm had the bank carry out the wire transfers. Later that month, after receiving a third email requesting a transfer exceeding $121,000, the accounting firm finally contacted its client directly to inquire. To its dismay, the accounting firm discovered that its client had not requested the wire transfers, and that the emails had been a scam.

Although the accounting firm recovered more than $93,000 of the first transfer, it couldn’t recover any of the funds from the second transfer.

The accounting firm sought coverage under an insurance policy issued by Federal Insurance Company. The insurance policy’s relevant coverage provisions read:

• Forgery Coverage: “The Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.”
• Computer Fraud Coverage: “The Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Computer Fraud committed by a Third Party.”
• Funds Transfer Fraud Coverage: The Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Funds Transfer Fraud committed by a Third Party.

Federal Insurance Company denied coverage, which led the accounting firm to file suit.

The parties filed cross motions for summary judgment. The accounting firm argued that the insurer:

[B]reached [its] contract because the Policy should have been honored under each of three different sections. . . .. These sections are as follows: Forgery Coverage (Coverage D), because the email constitutes a forged signature. . . . Computer Fraud Coverage (Coverage E), because the email sent to Plaintiff constitutes a computer violation. . . . and Funds Transfer Coverage (Coverage F), because Plaintiff is a financial institution per a policy covering “fraudulent written electronic instructions issued to a financial institution¹

The insurer’s argued that:

Plaintiff does not show that it suffered a direct loss because the e-mails did not immediately and without intervening cause result in a loss….In fact…Plaintiff’s loss only occurred after the bank was unable to recover all of the lost funds and the Client demanded payment from Plaintiff. In essence, Plaintiff is attempting to recover for a third-party loss.²

The trial court ruled for the insurer, finding there was no “direct loss” that could give rise to coverage. The trial court reasoned that there was a series of intervening events between the fraudulent email and the accounting actions, and further concluded that the firm was not a bailee or trustee of the client’s funds, since the money was held in a third-party bank account:

[If a] hacker had entered into Plaintiff’s computer system and been able to withdraw funds such that Plaintiff’s accounts were immediately depleted, then Plaintiff would be correct in asserting coverage from the Policy…. [Here however], Client gave Plaintiff power of attorney over Client’s money held in Client’s own account; a perpetrator of fraud motivated Plaintiff’s agent to use the power of attorney to transfer funds out of Client’s account; Plaintiff discovered this fraud and attempted to recover the funds; Client requested repayment of the lost funds and Plaintiff obliged.³

On appeal, the 9th Circuit affirmed the trial court’s ruling.⁴

First, the 9th Circuit ruled that the forgery coverage was inapplicable because:

[T]he emails instructing [the accounting firm] to wire money were not financial instruments, like checks, drafts, or the like. (Under the policy, financial instruments include “checks, drafts or similar written promises, orders or directions to pay a sum certain in money, that are made, drawn by or drawn upon” an insured, its agent, “or that are purported to have been so made or drawn.”) See Vons Cos., Inc. v. Fed. Ins. Co., 57 F. Supp. 2d 933, 945 (C.D. Cal. 1998) (holding that wire instructions, invoices, and purchase orders were not “documents of the same type and effect as checks and drafts.”). And even if the emails were considered equivalent to checks or drafts, they were not “made, drawn by, or drawn upon” [the accounting firm], the insured. Rather, they simply directed [the accounting firm] to wire money from [its] client’s account. In sum, there is no forgery coverage.

Second, the 9th Circuit found that the Computer Fraud Coverage was inapplicable. The court reasoned that: (1) merely sending an email did not constitute an unauthorized entry into the accounting firm’s computer system, and (2) the emails were not an unauthorized introduction of instructions that propagated themselves through the accounting firm’s computer system. The emails instructed the accounting firm to effectuate certain wire transfers. The court’s rationale was:

[T]here is no support for [the accounting firm’s] contention that sending an email, without more, constitutes an unauthorized entry into the recipient’s computer system. See, e.g., Intel Corp. v. Hamidi, 71 P.3d 296, 304 (Cal. 2003) (holding that the “mere sending” of emails does not amount to actionable trespass to a computer system in the absence of “some actual or threatened interference with the computers’ functioning”); see also Spam Arrest, LLC v. Replacements, Ltd., No. C12-481RAJ, 2013 WL 4675919, at *20 (W.D. Wash. Aug. 29, 2013) (“[N]o Ninth Circuit court has ever held that the mere act of sending an email constitutes access to a computer through which the email passes on the way to its recipient.”).

Second, the emails were not an unauthorized introduction of instructions that propagated themselves through [the accounting firm’s] computer system. The emails instructed [the accounting firm] to effectuate certain wire transfers. However, under a common sense reading of the policy, these are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code. See Emp’rs Reinsurance Co. v. Superior Court, 74 Cal. Rptr. 3d 733, 744 (Ct. App. 2008) (“We interpret words in accordance with their ordinary and popular sense, unless the words are used in a technical sense or a special meaning is given to them by usage.”). Additionally, the instructions did not, as in the case of a virus, propagate themselves throughout T&L’s computer system; rather, they were simply part of the text of three emails. Accordingly, under the plain meaning of the policy, the computer fraud coverage does not apply.

Last, the 9th Circuit found that the funds transfer fraud coverage did not apply because “[the accounting firm] requested and knew about the wire transfers. After receiving the fraudulent emails, [the accounting firm] directed its client’s bank to wire the funds. [The accounting firm] then sent emails confirming the transfers to its client’s email address. Although [the accounting firm] did not know that the emailed instructions were fraudulent, it did know about the wire transfers.”
_________________________________
¹ Taylor & Lieberman v. Federal Ins. Co., No. CV 14-3608, 2015 WL 3824130, at *2 (C.D. Cal. June 18, 2015).
² Id. at *3.
³ Id. at *4.
⁴ Taylor & Lieberman v. Federal Ins. Co., No. 15-56102, 2017 WL 929211 (9th Cir. Mar. 9, 2017).