City of Unalaska
v.
Nat'l Union Fire Ins. Co.
United States District Court for the District of Alaska
March 18, 2022, Decided; March 18, 2022, Filed
Case No. 3:21-cv-00096-SLG
2022 U.S. Dist. LEXIS 51387; 2022 WL 826501
CITY OF UNALASKA
v.
NATIONAL UNION FIRE INSURANCE COMPANY
ORDER RE PENDING MOTIONS
This order addresses two pending motions: (1) Defendant National Union Fire Insurance Company's ("National Union's") Motion for Judgment on the Pleadings at Docket 11; and (2) Plaintiff City of Unalaska's ("the City's") Motion for Summary Judgment at Docket 18. Oral argument was held on December 20, 2021.
BACKGROUND
This action stems from an insurance dispute regarding coverage for computer fraud under the City of Unalaska's Government Crime Policy ("the Policy") with National Union Fire Insurance Company. The undisputed facts are as follows:
On April 11, 2019, the City's Accounts Payable Assistant received an email purportedly sent by one of the City's regular vendors, Northern Alaskan Contractors ("NAC"), requesting a copy of the City's "ACH/EFT form" in order to change its method of receiving payments for invoices from paper checks to electronic ACH transfers. The email was not in fact from NAC but rather from a person whom both parties term a "fraudster." On the same day, another City employee emailed the fraudster an ACH form and advised them that even after receipt of the completed form, it would take at least ten days for the City to process the request before issuing payments. The fraudster returned the completed ACH form by email, designating a Citibank Account in New York as the new method for receiving payments.
The following day, the fraudster sent another email asking about receiving payment of an invoice, and the City responded by email that it could not yet make the payment because additional steps needed to be taken to process the request, as conveyed in its previous email. On April 18, 2019, the City advised the fraudster by email that its Controller had given verbal authorization for future payments by ACH. Between May 7, 2019 and July 9, 2019, the City initiated ACH payments for several NAC invoices totaling $2,985,406.10 to the fraudster's Citibank account.
On July 10, 2019, the City discovered the fraud and reported it to the FBI. It was able to recover close to $2.35 million, resulting in a net loss of $637,861.67. The City submitted a claim for the loss to National Union, which accepted coverage under the Impersonation Fraud Coverage endorsement of the Policy and paid the City the $100,000 policy limits of that coverage, reducing the loss to $537,861.67. The City requested coverage for this remaining amount under the Computer Fraud Insuring Agreement ("CFIA") of the Policy, but National Union responded that no coverage was available under that provision because the City's claim "[did] not directly involve the use of any computer to fraudulently cause a transfer of property from inside the premises to a person or place outside the premises." Following National Union's partial denial of coverage, the City also received a $22,500 payment from Alaska Public Entity Insurance, reducing the total remaining loss to $515,631.67.
The City filed this action for breach of contract and declaratory relief in Alaska state court on March 22, 2021, alleging that National Union breached its contractual duty to provide coverage for the City's loss under the CFIA. On April 15, 2021, National Union removed the case to federal court on the basis of diversity jurisdiction.
The Government Crime Policy in question was issued to Alaska Public Entity Insurance with effective dates of July 1, 2019 to July 1, 2020 and extends coverage to the City as an additional insured. The Impersonation Fraud Coverage endorsement of the Policy amends the Funds Transfer Fraud Agreement to add:
[National Union] will also pay for loss of "funds" resulting directly from a "fraudulent instruction" directing a financial institution to transfer, pay or deliver "funds" from your "transfer account."
Notwithstanding the above requirement that the loss of "funds" result directly from a "fraudulent instruction," we will also pay for the loss of "funds" resulting from your receipt of a "fraudulent instruction" from a purported vendor, which advises you that the vendor's bank account information has been changed and you suffer a loss of "funds."
The Policy also includes the aforementioned CFIA, which states:
[National Union] will pay for loss of or damage to "money," "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises" . . . [t]o a person (other than a "messenger") outside those "premises"[] or . . . [t]o a place outside those "premises."
The CFIA has a policy limit of $1 million, subject to a $25,000 deductible.
The parties filed the instant motions in July and September 2021, each asserting that it is entitled to judgment as a matter of law. The parties agree that there are no disputed facts and that Alaska law applies.
LEGAL STANDARDS
I. Judgment on the Pleadings
Federal Rule of Civil Procedure 12(c) provides that "[a]fter the pleadings are closed—but early enough not to delay trial—a party may move for judgment on the pleadings." "Judgment on the pleadings is properly granted when there is no issue of material fact in dispute, and the moving party is entitled to judgment as a matter of law." When deciding such a motion, the court "accept[s] all factual allegations in the complaint as true and construe[s] them in the light most favorable to the non-moving party." The court may consider documents relied on in a complaint without converting the motion for judgment on the pleadings to one for summary judgment.
II. Summary Judgment
Federal Rule of Civil Procedure 56(a) directs a court to "grant summary judgment if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." The burden of showing the absence of a genuine dispute of material fact lies with the movant. If the movant meets this burden, the non-moving party must demonstrate "specific facts showing that there is a genuine issue for trial." In deciding a motion for summary judgment, "a court must view the evidence 'in the light most favorable to the opposing party.'" Even when, as here, "both parties assert[] that there are no uncontested issues of material fact," a court still has the independent "responsibility to determine whether disputed issues of material fact are present."
DISCUSSION
There are no genuine disputes of material fact regarding the events leading to Unalaska's loss, the amount of the loss, or the applicable policy language. The only dispute between the parties is whether the CFIA applies to the City's loss, resolution of which calls for interpretation of the Policy.
Because this is a diversity action, Alaska law applies to interpretation of the Policy. Generally, Alaska courts construe insurance contracts "so as to provide that coverage which a layperson would have reasonably expected from a lay interpretation of the policy terms." An insured's expectation of coverage must be "objectively reasonable." To determine an insured's reasonable expectations, Alaska courts look to: "1) the language of the disputed policy provisions; 2) the language of other policy provisions; 3) relevant extrinsic evidence; and 4) case law interpreting similar provisions." "Construction of an insurance policy under the principle of reasonable expectations does not depend on a prior determination of policy ambiguity," but "where a clause in an insurance policy is ambiguous . . . , the court accepts that interpretation which most favors the insured." However, "[t]he mere fact that the parties disagree about the proper interpretation of the contract does not mean the contract is ambiguous." Rather, an ambiguity exists only when "inconsistent, but reasonable, interpretations of the contract are possible."
National Union contends that a reasonable insured would not expect coverage based on the language of the policy for two reasons. First, National Union asserts that a reasonable insured would not consider the "incidental" use of email to perpetuate a fraud to constitute "computer fraud." The insurer asserts that "[c]omputerization [has] become pervasive in nearly every method of human communication that is not in person," so the "incidental use of a computer as the means of communication does not turn every act of fraud that involves the incidental use of a computer into computer fraud." Rather, National Union maintains, "[t]he computer fraud insurer agreement covers computer hacking 'like the introduction of malicious computer code.'"
Second, National Union contends that the City's loss is not covered under the CFIA because the use of a computer was not the "direct cause" of the loss. The insurer asserts that "directly" means "to 'proceed' without deviation or interruption" and thus CFIA coverage is only triggered if "the Fraudster's use of a computer . . . directly bring[s] about the funds transfer." National Union suggests that the Court should follow a "direct means direct" approach rather than a "proximate cause" approach, but maintains that Unalaska's claim would fail even under a proximate cause approach "because of the significant and substantial intervening acts and actors, between the fraudulent communication and the authorized transfers by Unalaska." Moreover, the insurer asserts that Unalaska's claim "lacks directness from a temporal standpoint." The insurer maintains that other sections of the Policy should have made this interpretation of "resulting directly" clear to the City, as the Impersonation Fraud Coverage endorsement uses both the phrase "resulting" and the phrase "resulting directly," implying that the two have different meanings and that the latter requires more immediacy.
National Union explains that there were "many intervening events between the Fraudster's email communications and the insured's final decision to issue ACH payments"; the City internally processed the change of payment request, worked with its bank to set up the ACH payment process, and obtained approval from the Controller and Director of Public Works before reviewing the invoices and authorizing ACH payments to the fraudster's account. More than thirty days passed between the fraudster's initial email and the City's first ACH payment to the fraudster's account. Thus, National Union maintains that the City's loss did not "result[] directly from the Fraudster's emails" but rather was "temporally remote and involved a chain of intervening and independent steps and decisions that did not involve the fraudster."
In response, the City first contends that the ordinary meaning of the phrase "use of any computer" creates a reasonable expectation of coverage because "[v]irtually everyone that is familiar with e-mail knows that sending and receiving e-mails requires computer hardware and computer software." If "the policy language is lagging the pervasive use of computers and emails," the City asserts, "the solution is to change the language, not to improperly deny coverage." Indeed, the City maintains that National Union could have worded the CFIA more narrowly if it intended to limit coverage to "hacking," pointing to examples of other insurance policies. A different National Union policy, for example, defined "Computer Systems Fraud" as "[l]oss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured's proprietary Computer System." The City also highlights a later iteration of the computer fraud policy at issue in Ernst & Haas Management Co. v. Hiscox, Inc., which stated that "[c]omputer fraud does not include any fraudulent transfer of money, securities, or other property which required you, your employees, your executive employees, or others on your behalf to take any action in order to complete the transfer of such money, securities, or other property."
Second, the City disputes National Union's interpretation of the phrase "resulting directly from," asserting that the ordinary meaning of the phrase is "proximately caused by." The City maintains that a reasonable insured would not expect the policy language to exclude "all instances in which an employee of the insured had to act after receipt of a fraudulent e-mail," given that "[c]omputer frauds that involve duping employees into revealing their network passwords are legion." The City also points to the context in which "resulting directly" is used, noting that "[t]he policy speaks to directly causing a transfer," not "'effectuating' or 'making' a transfer, which might more closely suggest to a reasonable lay person that something like 'hacking' is required, or that acts by employees would sever the 'causal chain.'"
Both parties agree that this case presents an issue of first impression in Alaska and offer authority from other jurisdictions as guidance for interpretation of the CFIA. "When the state's highest court has not squarely addressed an issue," federal courts "must 'predict how the highest state court would decide the issue using intermediate appellate court decisions, decisions from other jurisdictions, statutes, treaties and restatements for guidance.'"
National Union notes that the CFIA and similar provisions have been the subject of prior litigation in the Ninth Circuit and maintains that those cases "have uniformly held that an impersonation fraud scheme like that at issue [here] does not trigger coverage under the [CFIA]." It first points to Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. App'x 332 (9th Cir. 2016), an unpublished case involving an identical CFIA in a Travelers insurance policy. In that case, the plaintiff had electronically transferred funds to a payroll services company that was hired to handle the plaintiff's employee salaries and payroll taxes using those funds, but the company then failed to pay the plaintiff's payroll taxes with the transferred funds. The plaintiff asserted that it was entitled to coverage for this loss under the CFIA. The Ninth Circuit disagreed, holding that the CFIA's definition of computer fraud—"[t]he use of any computer to fraudulently cause a transfer"—required an "unauthorized transfer of funds." The court reasoned that "[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy."
National Union also identifies Taylor & Lieberman v. Federal Insurance Co., 681 Fed. App'x 627 (9th Cir. 2017), an unpublished case in which a fraudster impersonated the plaintiff's client via email to send wire payment instructions. There, the relevant insurance policy provided coverage for a "direct loss sustained by an Insured resulting from Computer Fraud committed by a Third Party." The Ninth Circuit held that "under a common sense reading of the policy, [the fraudster's email was] not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code."
Further, National Union points to a pair of unpublished cases from the Fifth Circuit: Apache Corp. v. Great Am. Ins. Co., 662 Fed. App'x 252 (5th Cir. 2016) and Mississippi Silicon Holdings, L.L.C. v. Axis Ins. Co., 843 Fed. App'x 581, 584 (5th Cir. 2021) (per curiam). In Apache, the Fifth Circuit adopted Pestmaster's reasoning and held that the CFIA did not cover a loss similar to the City's, concluding that "the email was merely incidental to the occurrence of the authorized transfer of money." In Mississippi Silicon Holdings, which National Union incorrectly describes as a Sixth Circuit case at multiple points in its briefing, the Fifth Circuit held that a "Computer Transfer Fraud" provision was inapplicable to a loss similar to the City's, reasoning that "the mere receipt of an email does not constitute computer fraud in the context of similar insurance provisions." Finally, National Union also cites a number of district court and state court decisions with varying levels of factual similarity to the case at bar, including Ernst & Haas, a Central District of California decision that has since been overturned by the Ninth Circuit and is discussed more extensively below.
The City, by contrast, maintains that this Court should adopt the reasoning of a Sixth Circuit decision, American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America. In that case, the insured received "a series of emails, purportedly from its Chinese vendor, claiming that the vendor had changed its bank accounts and [the insured] should wire transfer its payments to these new accounts," and the insured completed three wire transfers before discovering the fraud. The insured's Travelers policy covered the "direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud," which the policy defined as "[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises . . . to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or . . . to a place outside the Premises or Financial Institution Premises."
The Sixth Circuit, applying Michigan law, held that the insured's loss was covered under the CFIA, rejecting several arguments similar to those made by National Union here. Travelers, like National Union, relied on Pestmaster to argue against coverage, but the court found Pestmaster distinguishable on its facts because, in that case, "everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer." Travelers also "attempt[ed] to limit the definition of 'Computer Fraud' to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured's computer," but the court concluded that this argument was "not well-founded" because "[i]f Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so." Further, the Sixth Circuit concluded that the insured's loss was "directly caused" by the fraud even though "[t]he chain of events that was precipitated by the fraudulent emails and led to the wire transfers involved multiple internal actions [by the insured]." In support of this conclusion, the court cited a Michigan Court of Appeals decision that stated that "[t]he use of the word 'direct' signals 'immediate' or 'proximate' cause, as distinct from remote or incidental causes." In addition to American Tooling Center, the City highlights Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., a case in which the Eleventh Circuit, applying Georgia law, concluded that "the ordinary meaning of the phrase 'resulting directly from' requires proximate causation between a covered event and a loss, not an 'immediate' link." The court conceded that "'directly' can sometimes mean 'immediately,'" but cautioned that "discerning the ordinary meaning of a term requires more than uncritically citing dictionaries."
Rather, the Eleventh Circuit reasoned, "reading the phrase 'resulting directly from' as a whole requires us to define 'directly' within the context of causation[, a]nd in that context, 'directly' means 'proximately.'" In addition to Principle Solutions, the City cites two other federal cases—from the Second Circuit and the Eastern District of Virginia—that also held that employees' unwitting facilitation of fund transfers did not sever the causal chain when the relevant policy language required that losses result "directly" from the fraudulent action.
Neither party has directed the Court's attention to the Ninth Circuit's recent decision in Ernst & Haas, which was published after briefing and oral argument on the instant motions. There, an insurer denied coverage under a CFIA identical to the provision at issue here when the insured's employee "was directed by fraudulent email requests and payment invoices to transfer . . . funds to a swindling third party." The district court granted the insurer's motion to dismiss, finding that the Ninth Circuit's unpublished decision in Pestmaster was "relatively on point" and concluding that the loss was not covered under the computer fraud provision because "the relevant wire transfers were authorized and the . . . imposter's fraudulent emails did not directly cause the transfer of any funds."
The Ninth Circuit reversed the district court's decision, holding that the insured's loss was covered by the CFIA. First, the panel concluded that the district court wrongly relied solely on Pestmaster because that case involved "dispositively different" facts. In Pestmaster, the fraudulent action was the embezzlement of funds after the funds were properly authorized for payment, whereas the insured's loss in Ernst & Haas was due to transferring funds based on a fraudulent email authorization. Second, the panel determined that the district court engaged in an "improperly narrow reading of the contractual language" when it interpreted the CFIA to mean that "a direct loss is limited to unauthorized computer use, like hacking." Instead, the panel found the Sixth Circuit's reasoning in American Tooling persuasive on this point, concluding that the insured's loss "result[ed] directly" from the fraud despite the fact that an unwitting employee authorized the wire transfers.
After examining the policy language and case law interpreting similar provisions, the Court finds that a reasonable insured would expect coverage under the CFIA. By its plain language, the CFIA applies under these circumstances; the City experienced a loss of money resulting directly from the fraudster's use of a computer—sending an email impersonating the City's vendor—to fraudulently cause a transfer of funds from the City to the fraudster's bank account. The ubiquity of computer usage does not alter the fact that a reasonable layperson would consider the phrase "use of a computer" to encompass a broad range of activities, including sending emails, rather than being limited to instances of computer hacking. Interpreting "use of a computer" in this manner will not, as National Union cautions, turn the CFIA and similar provisions into "general fraud" policies. As the Sixth Circuit noted in distinguishing Pestmaster from American Tooling, the CFIA would not cover circumstances in which "everything that occurred using the computer was legitimate and the fraudulent conduct occurred without the use of a computer," such as the embezzlement that occurred in Pestmaster following a properly authorized electronic funds transfer.
Further, the plain language of the CFIA does not require more than proximate causation for coverage. The Court finds the reasoning of the Eleventh Circuit in Principle Solutions persuasive on this point—though the word "directly" may connote immediacy when read in isolation, a reasonable insured would consider the phrase "resulting directly from" to convey the concept of proximate cause. The Court's finding is unaltered by the fact that the Impersonation Fraud Coverage endorsement, a provision that appears 44 pages after the CFIA in the Policy, may imply a distinction between "directly resulting" and "resulting." This is precisely the kind of "painstaking study of . . . policy provisions" that the Alaska Supreme Court eschews when gauging an insured's reasonable expectations of coverage.
National Union's contention that the City's claim fails even under a proximate-cause analysis is unavailing. Under Alaska law, "proximate cause requires only that the general kind of harm be foreseeable for an actor's conduct to be considered the proximate cause of the plaintiff's injuries." While National Union characterizes the unwitting actions of City employees in authorizing the funds transfer as "significant and substantial" acts that broke the causal chain, the fraudster's email was clearly intended to bring about those actions. The City's loss was a foreseeable kind of harm arising from a fraudulent email scheme.
In addition to the plain language of the CFIA, the weight of relevant authority in other jurisdictions indicates that the CFIA provides coverage under these circumstances. The Court finds the reasoning of the Sixth Circuit in American Tooling and the Ninth Circuit in Ernst & Haas particularly persuasive as both those cases concerned near-identical CFIAs and factually similar fraudulent schemes. While those cases were applying Michigan and California law rather than Alaska law, their reasoning is still persuasive, particularly because Michigan and California law on insurance contract interpretation is less favorable to insureds than Alaska's pure reasonable expectations approach.
The majority of cases cited by National Union, on the other hand, are distinguishable. In Apache, the Fifth Circuit was clear that its decision was made "[b]earing in mind the limited weight accorded . . . non-binding authority, as well as Texas' policy preference for cross-jurisdictional uniformity." Given that several published decisions have since concluded that the CFIA is applicable to losses similar to the City's, the Apache court may well have reached a different conclusion. Apache also relied on the reasoning of Pestmaster, which, as discussed above, has since been distinguished on a factual basis by the Sixth and Ninth Circuits. Mississippi Silicon Holdings, too, is distinguishable because it concerned a "Computer Transfer Fraud provision" different in key respects from the CFIA at issue here. That provision required that the fraudulent transfer occur "without the Insured Entity's knowledge or consent" and defined "computer transfer fraud" as the fraudulent entry or alteration of information in the insured's computer system, essentially limiting coverage to "instances in which a computer itself is tricked into fraudulently transferring funds." Finally, the Court agrees with the City that the majority of the lower court decisions cited by National Union are distinguishable as they involved different policy language more focused on computer hacking or factually different fraudulent schemes where the use of a computer was more incidental. Thus, among cases involving similar insurance provisions and fraudulent schemes, the balance of authority indicates that the CFIA covers the City's loss.
CONCLUSION
Based on the plain language of the CFIA and factually similar cases from other jurisdictions, and bearing in mind Alaska's approach to interpreting insurance contracts, the Court finds that the CFIA provides coverage for the City's loss. The City's Motion for Summary Judgment at Docket 18 is therefore GRANTED, and National Union's Motion for Judgment on the Pleadings at Docket 11 is DENIED. The Clerk of Court is directed to enter a Final Judgment for the City in the amount of $515,631.67.
DATED this 18th day of March, 2022, at Anchorage, Alaska.
/s/ Sharon L. Gleason
UNITED STATES DISTRICT JUDGE

