Commercial Crime Policy Covers Losses Involving Fraudulent Emails Asking Employee to Make Payments | Wiley Kidney LLP
The United States Court of Appeals for the Ninth Circuit, applying California law, ruled that a loss resulting from payments made by an employee to a third party after receiving fraudulent emails directing her to wire funds to an outside organization was covered by the computer fraud and funds transfer fraud coverage of a commercial crime policy. Ernst & Haas Mgt. Co. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022).
An accounts payable clerk at an insured property management company received an email, allegedly from the company’s founder, instructing her to wire money to an outside organization. She made two wire transfers totaling $200,000 before speaking with the founder and learning the emails weren’t legitimate, resulting in a net loss of $200,000.
The company sought coverage for its losses under a commercial crime insurance policy, which provided computer fraud coverage for certain losses “resulting directly from the use of any computer to fraudulently cause a transfer of this property” from the insured’s company or its bank to a person or place outside the insured’s company or its bank. The policy also provided funds transfer fraud coverage for losses “resulting directly from a [Fraudulent Instruction] transfer, pay or deliver money” from the insured’s bank account. The policy defined a fraudulent instruction as including an “instruction originally received by [the insured] that claims to have been transmitted by an employee but was in fact fraudulently transmitted by someone else without [the insured’s] or the employee’s knowledge or consent.” After the insurer denied coverage of the claim, a coverage dispute ensued. In that dispute, the district court dismissed the insured company’s suit after finding that the loss resulted from the employee’s initiation of the wire transfer, not from the fraudulent email directing her to initiate the transfer.
On appeal, the Ninth Circuit reversed. First, the court rejected the district court’s finding that computer fraud coverage was limited to losses resulting from “unauthorized use of a computer, such as hacking.” The Ninth Circuit also found that the fraudulent emails were the direct cause of the loss, overturning the district court’s ruling that the payments did not result “directly” or “immediately” from the wire fraud. Second, the court ruled that funds transfer fraud coverage also applied, rejecting the insurer’s argument that coverage was limited to fraudulent instructions sent directly from an unauthorized third party (and not from an authorized employee) to a bank. For these two reasons, the court ruled that the policy covered the loss.