The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.
Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.
The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.
Imprecise usage of the word “only” in policy language may create ambiguities favorable to policyholders. The Second Circuit recently agreed with policyholders that their homeowners’ policy, which insured for property damage involving the collapse of a part of a building “caused only by one or more of the following” specifically named perils, provided coverage so long as a collapse was caused by one of the enumerated perils, regardless of whether a non-enumerated peril also contributed to the collapse. In an unpublished opinion, the Court rejected the insurer’s interpretation, which the district court had accepted, that coverage was limited to collapses exclusively caused by one of the enumerated perils.
The Court found not only that both interpretations of the plain language were reasonable, which should lead to a resolution of the ambiguity in the policyholder’s favor, but further determined that several considerations supported the homeowners’ interpretation. First, the Court explained that under settled New York case law on insurance contracts, the word “caused” implicates the concepts of proximate causation: if a covered peril is the predominant cause of the loss, the concurrent operation of a non-covered peril will not defeat coverage. (See our recent coverage of the Fifth Circuit’s application of the concurrent-cause doctrine under Texas law.) The policy did not indicate any intent to override this established rule by drafting reasonably clear language. Moreover, the Court pointed out that the insurer obviously knew how to draft language to that effect because another provision in the same policy included a so-called “anti-concurrent cause” clause, which excluded certain perils from coverage “regardless of any other cause or event contributing concurrently.” Additionally, the Court observed that it would be reasonable for a homeowner whose home collapsed predominantly due to a listed peril to expect coverage.
The Court also dismissed the insurer’s contention that the charge from the district court to the jury was proper because the jury instructions used the same “caused only by” language as the policy. Rather, the Court found that the actual use of that phrase in the jury instructions either improperly altered the phrase’s context from that in the policy or else preserved the ambiguity and impermissibly relegated the task of contract interpretation to the jury.
This decision reinforces the point that policyholders who pay close attention to the grammatical construction of policy provisions may find the key to obtaining the policy benefits for which they have paid. As the Second Circuit stressed, “most fundamentally, insurance policies are to be construed, and ambiguity assessed, in light of the reasonable expectations of the insured.”
Your company’s controller receives an email instruction from your CEO to wire funds to complete a time-sensitive and confidential deal. It seems like a clear directive to execute, but it’s not. It’s an increasingly common scam known as the “Business E-mail Compromise” (BEC).
In a BEC scam, as we previously described, fraudsters send spoofed e-mail to trick employees into making unauthorized transfers of funds, generally through wire transfers. The employee, usually a controller or other individual responsible for wiring money, receives an e-mail which appears to be from a high-level company executive, company lawyer or advisor, or even a trusted long-standing supplier or vendor. The e-mail pressures the employee to transfer company funds to a bank account, often offshore, urgently and secretly. The scammers may attempt to add credibility by sending the targeted employee spoofed e-mails from multiple trusted accounts or by plying the employee with fraudulent telephone calls, websites, and documents on formal letterhead. As discussed by our White Collar defense colleagues, victims of the BEC scam have reported to the FBI and international law enforcement agencies over $1.2 billion in exposed losses, much of which occurred in 2015 alone. While being victimized by a BEC scam can be costly, some of these losses may be covered by insurance.
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
California is in the midst of one of the worst droughts on record. In January 2015, Governor Jerry Brown issued an executive order that requires cities and towns to reduce water use by 25%. The $45 billion agriculture industry was spared from the mandatory water reduction, but nonetheless, the drought is expected to cause $2.7 billion in agriculture industry losses.
An important additional threat to California’s economy is the increased risk of wildfires following from both the drought and the water use controls. Over recent decades, wildfires have caused massive damage in California. According to one study, California is home to “[m]ore than 80% of all wildfire insured losses in the period 1980–2011 and the five costliest wildfire events for the insurance industry[.]”
The current drought conditions have created an even greater risk of catastrophic wildfires. The insurance industry recently warned that “the potential for wildfire has reached a peak that could cause $237.3 billion in property damages in high-risk areas.” This risk is exacerbated by commercial and residential development in rural areas that are more prone to fires than urban areas. And as of July 11, 2015, the California Department of Forestry and Fire Protection recorded almost 1,000 more wildfires than during the same time period in 2014.
Considering these depressing statistics, it is important for companies to manage their wildfire exposure by maximizing insurance coverage, to the extent practicable; obtaining as much coverage for wildfires as is possible in current policies; remaining alert to proposed changes in their insurance programs; and scrutinizing coverage available through subcontractors.
When you, as a policyholder, give an insurance company notice of a claim, the insurance company often will send a “reservation of rights” letter—especially where there are complex liability claims—preserving its right to give you a coverage decision after it investigates the claim (that is, if it doesn’t accept or deny the claim outright). These letters usually include lengthy lists of coverage defenses the insurance company reserves the right to assert and questions that it wants you to answer. Many policyholders are naturally overwhelmed by the questions and have no idea how to respond. But respond you must. And how you respond has the potential to make or break your claim. Luckily, common sense and some simple rules are usually enough to make sure your claim survives this early hurdle.
The insurance company’s questions often pose three problems. First, they may seek information solely to enable the insurance company to deny coverage, often on grounds that the notice was late. Questions such as “When did you know that there was a problem” seek to gain information to enable the insurance company to deny coverage on the basis that you failed to notify them timely of the problem. But you must remember that you are under no obligation to give the insurance company information that it can use to defeat coverage. You should provide information adequate to describe the nature of the claim, but it is the insurance company’s obligation to figure out how to defeat coverage.
Data breaches and cyber-attacks dominated headlines during 2014. As the dust from the Target data breach settled, corporate America watched as well-respected companies came forward with their own public disclosures. The attacks varied in design and spanned industries: within the retail sector, Target and Home Depot were breached; within the finance sector, J.P. Morgan revealed that it suffered a breach that affected 76 million households; and Community Health Systems—a publicly traded company that operates 206 hospitals—reported in August that Chinese hackers stole medical records from 4.5 million patients. The sources of the data breaches range from high school students to foreign governments. In addition to intentional attacks, the public discovered that an encryption flaw dubbed “Heartbleed” had opened a window for the past two-and-one-half years through which hackers could steal personal information with little risk of detection.
Happy New Year! For a sneak peek at the developments the year may bring to the legal landscape for insurance policyholders, here are five cases worth watching in 2015:
1. Fluor Corporation v. Superior Court (Hartford Accident and Indemnity Company), No. S205889 (Cal. filed Oct. 10, 2012)
The California Supreme Court likely will issue its long-awaited decision in Fluor and, in doing so, may overturn its controversial 2003 decision concerning the assignment of insurance policies to successor corporations in Henkel Corporation v. Hartford Accident and Indemnity Company, 29 Cal. 4th 934 (2003). If the Court overturns Henkel, California would join the majority of states that permit a successor corporation to recover under the predecessor’s liability insurance policies for pre-assignment liabilities, regardless of a “no-assignment” provision in the policies. The Fluor case has been fully briefed for more than a year, and many California attorneys expected the Court to issue its decision in 2014. In the interim, California Governor Jerry Brown has recently appointed two new justices to the Court, which some commentators believe may push the court in a more liberal direction and could affect the Court’s decision.