Insurance Coverage for Funds-Transfer Scams: Six Recent Cases
Massachusetts’s partner William L. Boesch recently issued a Litchfield Alert reviewing cases involving insurance coverage for funds transfer scams and details six recently decided legal matters.
Background
This year, six federal and state courts have addressed issues of insurance coverage for “phishing,” email hacking, and other fraudulent schemes designed to lure a business into sending funds to a scammer. Of these 2024 cases, summarized below, three involved “cyber” policies with “computer and funds-transfer fraud” and “social engineering” coverage. The other cases involved commercial-crime, “corporate identity-theft,” and lawyer’s professional-liability coverage. These cases demonstrate that for the most part, insurers and courts remain highly cautious about extending coverage to businesses who fall for these schemes. But nuances of policy language continue to provide fodder for dispute.
Details
In Solem v. ALPS Property & Casualty Insurance Co. (D.N.D. January 2024),[1] a federal court found no coverage under a law firm’s professional-liability policy after the firm was induced to deposit a forged certified check, and then instruct its bank to wire funds to a scammer’s account. The firm’s liability policy contained broad exclusions for claims involving the misappropriation of money under the firm’s control, and the court agreed that the exclusions unambiguously applied.
In Interstate Removal LLC v. National Specialty Insurance Co. (D.Minn. March 2024),[2] a hacker interceded in email exchanges between a snow-removal business and the dealer from whom it bought its trucks, and provided bogus wiring instructions that misdirected payments due to the dealer. In Abraham Linc Corporation v. Spinnaker Insurance Co. (N.D.W.Va. July 2024),[3] similarly, the email accounts of one of a flooring distributor’s vendors were hacked, and the scammers sent the distributor bogus wire instructions. The federal district courts in the two cases reached somewhat conflicting conclusions on each of the two coverage issues presented.
First, the companies both had “cyber” policies with “social engineering” coverage, but a condition of this coverage was that, before authorizing the wire-transfers, the companies had followed an “established and documented verification procedure” to confirm the wire instructions. In both cases, the confirmation process had been notably deficient. In Abraham Linc, nonetheless, the West Virginia court was unwilling to dismiss the coverage case on this basis, holding open the possibility that the company might find a way to show that it satisfied the coverage condition. In Interstate Removal, however, the Minnesota federal court upheld the insurer’s denial of social-engineering coverage on this basis.
Both companies also had “computer and funds-transfer fraud” coverage, which applied to “fraudulent entry of electronic data into” the policyholder’s computer system. In both cases, the insurers argued that since the company employees who gave their banks wire instructions were fully authorized to do so, there was no “fraudulent entry” and this coverage did not apply. The Minnesota court in Interstate Removal rejected this attempt to view the computer “entries” “in isolation” from the fraudulent scheme. But the court then held that coverage was barred by a related exclusion. The West Virginia court in Abraham Linc agreed with the insurer that the coverage did not apply to a case where authorized computer users were defrauded into making entries in the company’s computer system.
Funds-transfer-fraud coverage was also at the center of a March 2024 decision of the Ninth Circuit reversing, in part, a lower court’s 2023 ruling in Cachet Financial Services v. Berkley Insurance Co. (C.D.Cal. January 2023),[4] The case involved an actual electronic theft by two of Cachet’s payroll-services clients of some $40 million, through manipulation of data exchanged between the companies. The district court held that because the clients were authorized to perform the data-exchanges, there could be no “fraudulent entry” coverage. But the Ninth Circuit reversed, holding that the broader reading of the “fraudulent entry” provision—as also applicable to authorized entry of fraudulent data—was at least reasonable, and thus subject to the rule of construing ambiguous policy provisions against an insurer. The Appeals Court noted, however, that a broad exclusion might apply and remanded the case for consideration of that issue. The Ninth Circuit also agreed with the lower court that the policy’s coverage for “forgery or alteration” offered no potential coverage for the loss at issue.
In Door Systems, Inc. v. CFC Underwriting Ltd. (Cal.App. June 2024),[5] a California state appellate court found no “corporate identity-theft” coverage after a scammer posed as a company’s president and provided bogus wire instructions to a customer. It was the customer, the court observed, not the policyholder company, which had suffered the loss of funds due to the scam. Since the customer remained obligated to the policyholder company, the latter had suffered no loss.
Finally, last month in National Union Fire Insurance Co. of Pittsburgh v. RealPage, Inc. (N.D.Tex. September 2024), a Texas federal district court issued a follow-up ruling in a phishing case which produced a 2021 coverage decision of the Fifth Circuit.[6] An employee of RealPage, which handles rent payments between tenants and property-management companies, received an email purporting to be from one of the company’s payment-processing partners, Stripe. Following the scammer’s instructions, the employee provided login information for a computer site used to direct payments from Stripe to RealPage. The scammer redirected the payments, resulting in a loss of some $6 million.
By 2024, the United States Secret Service had recovered $2.9 million of the stolen funds, and a dispute arose as to whether, and to what extent, the insurer was entitled to reimbursement of the $1.2 million paid in coverage for lost fees. In the September decision, the Texas federal district court held that this allocation dispute raised issues of fact and could not be resolved at summary judgment.
Summary
As these cases demonstrate, insurers providing various kinds of coverage are able to make forceful and often effective arguments that the coverage does not extend to loss of funds through phishing and other forms of “social engineering” and hacking schemes. At the same time, the high stakes involved, and issues raised by policy language, continue to result in active litigation over coverage for these losses.
William Boesch is a trial and appellate lawyer with more than 30 years’ experience in insurance, professional-liability, and other matters. To download a copy of this Litchfield Alert, please
[1] Solem v. ALPS Property & Casualty Insurance Company, 2024 WL 342327 (D.N.D. January 30, 2024).
[2] Interstate Removal LLC v. National Specialty Insurance Co., 2024 WL 1332006 (D.Minn. March 28, 2024).
[3] Abraham Linc Corporation v. Spinnaker Insurance Co., 2024 WL 3433661 (N.D.W.Va. July 16, 2024).
[4] Cachet Financial Services v. Berkley Insurance Company, 2024 WL 1042985 (9th Cir. March 11, 2024); see lower court decision at 2023 WL 2558413 (C.D.Cal. January 20, 2023).
[5] Door Systems, Inc. v. CFC Underwriting Ltd., 2024 WL 2813829 (Cal.App. June 3, 2024) (unpublished).
[6] National Union Fire Insurance Co. of Pittsburgh v. RealPage, Inc., 2024 WL 4116824 (N.D.Tex. September 5, 2024). See RealPage, Inc. v. National Union Fire Insurance Co. of Pittsburgh, 21 F.4th 294 (5th Cir. 2021).
William advises insurance companies in complex coverage matters and represents insurers in coverage and bad faith litigation in federal and state trial courts, and on appeal. He has extensive litigation experience in areas including professional liability, intellectual property and commercial disputes. William has tried complex bench and jury cases, as well as arbitrations, and has argued more than two dozen federal and state appeals in Massachusetts, Maine, New Hampshire, Vermont and outside of New England.
Litchfield Cavo attorneys operate out of 23 offices serving clients in more than 35 states nationwide.
Disclaimer: Contents of this article or others on LitchfieldCavo.com may be considered attorney advertising under the rules of certain jurisdictions. The material contained on Litchfield Cavo LLP’s website is provided for informational purposes only and does not constitute individualized legal advice. Prior results do not guarantee a similar outcome.