
This is a summary of a few of the 2019 social engineering insurance coverage decisions that will undoubtedly shape the coverage landscape for years to come.

Social engineering remained a hot topic in 2019, and there were several noteworthy decisions concerning loss resulting from social engineering or "phishing" schemes that helped shape the landscape in favor of policyholders.

The cases

1. EDVA finds computer fraud occurred "directly" from a computer despite numerous non-computer acts in the causal chain of events.

Following a bench trial, the United States District Court for the Eastern District of Virginia found in Cincinnati Insurance Co. v. Norfolk Truck Center that a commercial truck dealer's social engineering loss arose directly from a computer, thereby triggering the dealer's computer fraud coverage, notwithstanding that the scheme involved numerous non-computer acts in the causal chain of events. The case arose when the City of Norfolk placed an order for two trucks with the Norfolk Truck Center (NTC). In order to fill the order, NTC ordered parts from Kimble Mixer Company (KMC). On the same day the order was placed, a fraudster posing as a KMC employee and using a slightly modified email sent NTC's CEO two legitimate invoices for the order and provided wire instructions for payment. The CEO approved the invoices and directed his bank to issue payment pursuant to the instructions provided. After preparing the appropriate paperwork, which was executed by the CEO, NTC's bank issued the payment. It took over a month before KMC followed up for payment, at which point NTC realized it had been the victim of fraud.

The court rejected the argument that the loss did not result directly from a computer because NTC issued the payment pursuant to a legitimate invoice. The court was also unpersuaded by the insurer's argument that the number of actors involved both inside and outside of NTC over the course of six days demonstrated that the loss was not "directly" from a computer. Finally, the court rejected the insurer's argument that NTC's failure to uncover the fraud was an intervening cause.

The case is Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., No. 2:18-cv-531, 2019 WL 6977408 (E.D. Va. Dec. 20, 2019).

2. Insurer on the hook for loss resulting from phishing scheme.

In Principle Solutions, the Eleventh Circuit held that a loss of over $1.7 million to scammers was covered under a commercial crime insurance policy's fraudulent instruction provision. The loss resulted from a "sophisticated phishing scheme" where a scammer posed as an executive of Principle and persuaded an employee to wire the money to a foreign bank account. The fake executive instructed the employee that the details of the wire transfer would be provided from a purported outside attorney.

The Eleventh Circuit held that, when read together, the emails from the purported Principle executive and the second email from the purported outside attorney were a fraudulent instruction; the sole purpose of the email from the outside attorney was to provide the necessary details to make the wire transfer. The court held that the fraudulent instruction from the scammer unambiguously fell within the policy's fraudulent instruction provision. The court further held that only a proximate cause between the covered event and the loss was required, and proximate cause "encompasses 'all of the natural and probable consequences' of an action, 'unless there is a sufficient and independent intervening cause.' "

The case is Principle Sols. Group, LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. Dec. 9, 2019).

3. Insurer breached duty to defend in social engineering scam.

In Quality Sausage Co., LLC v. Twin City Fire Ins. Co., a Texas federal court vacated its prior ruling and entered summary judgment for the insured, finding that the insurer had a duty to defend its insured against claims by its customer, after a hacker impersonating the customer convinced the insured to wire $1 million out of the customer's account, because the potential for coverage existed.

The case arose from fraudulent wiring instructions received by HMI from a hacker pretending to be HMI's client. The instructions directed HMI to transfer $1 million from the client's account to a bank account controlled by the fraudster. After the fraud was discovered and the funds lost, the client sought compensation from HMI for the loss. HMI sought coverage and a defense under its D&O and crime coverage insurance with Twin City Fire Insurance Company, but the insurer denied coverage. HMI subsequently settled the underlying demand from its client and moved for summary judgment on the duty to defend. Twin City moved for summary judgment on the duty to defend, arguing that certain exclusions applied. The court denied both motions for summary judgment on the duty to defend, finding that fact issues existed regarding the application of the exclusions.

On Twin City's motion for reconsideration, the court analyzed its prior ruling and held that its prior ruling was in error because coverage potentially existed based upon a demand letter, so the insurer had a duty to defend as a matter of law. The court vacated the portion of its prior order stating that fact issues existed, granting summary judgment to HMI on the duty to defend.

The case is Quality Sausage Co., LLC v. Twin City Fire Ins. Co., No. 4:17-CV-111 (S.D. Tex. Sept. 18, 2019), ECF No. 110.
