I. INSURANCE ISSUES
A. Where an insured's employee followed an email from a fraudster posing as a vendor to change the electronic payment instructions to an account controlled by the fraudster, coverage was denied under the funds transfer fraud coverage in a crime policy because the payment instructions to the bank were issued by the insured with its employee's consent and not by the third party fraudster.
The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413, per Fraser, J.
I. FACTS AND ISSUES
In August 2010, an individual called the Brick's accounts payable department, stating that he was a new employee calling from Toshiba and that he was missing some payment details. Upon receipt of the call, a Brick employee faxed payment documentation to a number provided by the caller. On August 20, 2010, a different individual in the Brick's accounts payable department received an email, allegedly from the controller of Toshiba and sent from the address silbers_toshiba@eml.cc. The alleged Toshiba employee stated that Toshiba had changed banks and that from then on all payments should be made to a new RBC account; the email provided the information needed to transfer money into that account. On August 24, 2010, someone called the Brick's accounts payable department and spoke to the same Brick employee who had received the August 20 email. The caller wanted to confirm the transfer of banking information. The Brick employee changed the bank information for Toshiba in the Brick's payment system, updating it with the new account information, and in doing so followed the Brick's standard practice for changing account information. No one from the Brick took any independent steps to verify the change of bank account, nor did anyone contact Toshiba. As a result, the Brick directed payment on ten Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a net loss of $224,475.

The Brick submitted a claim to Chubb under the funds transfer fraud coverage in the crime prevention policy that Chubb had issued to the Brick. The policy defined "funds transfer fraud" as follows:

Funds transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured's knowledge or consent.
Chubb denied the claim on March 15, 2012, on the basis that the Brick's instructions to its own bank had emanated from an authorized employee of the Brick, and that the instructions were not themselves fraudulent. The issue was whether the Chubb policy covered social engineering fraud.
II. HELD: For the defendant insurer; claim dismissed.
19 In order for the Brick to be successful, it must show that its bank transferred funds out of the Brick's account under instructions from a third party impersonating the Brick. It is not covered if the Brick knew about, or consented to, the instructions given to the bank. The insurance policy also contains in the exclusion section a clause which denies coverage if the loss is due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee. The only exceptions to this clause involve money orders and counterfeit currency.
23 The Brick contends that the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third party, and the focus should be on the fraud itself and not on the fraudulent instructions. While it is true that clause 1(E) does state that, that clause must be examined in conjunction with the definition of fund transfer fraud contained in the contract. That definition includes the words "insured's knowledge or consent". There is no definition in the contract of either the term "knowledge" or "consent". There is no mention anywhere in the insurance policy of the term "informed consent". If the policy contained these words, again it is unlikely the parties would be before the court. When a word or a term is undefined, the word should be given its "plain, ordinary and popular" meaning, "such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it".
24 One of the definitions of consent is "permission for something to happen, or agreement to do something". Examining the facts, a Brick employee did give instructions to the bank to transfer funds. The employee was permitting the bank to transfer funds out of the Brick's account. Consequently, the transfer was done with the Brick's consent. Even applying the contra proferentem rule, the Brick still consented to the funds transfer.
25 Even if the Brick did not consent to the funds transfer, there is still the issue of whether the transfer was done by a third party. Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions, however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions; there were no threats of violence or other harm. The employee was simply a pawn in the fraudster's scheme. Therefore, the transfer was not done by a third party.
III. COMMENTARY: This case is in line with the majority of American cases. Aqua Star (USA) Corp v. Travelers Casualty and Surety Co., No. C14-1368 (W.D. Wash. 2016) is an example where the crime policy excluded from computer fraud coverage any "loss resulting directly or indirectly from the input of Electronic Data by an actual person having the authority to enter the Insured's Computer System". The Court held that the entry of the data by the insured's treasurer was an immediate step in a chain of events resulting in the loss. It rejected the insured's arguments, including the argument that the exclusion was meant to exclude only "inside jobs".

Where the policy covers losses caused by computer fraud, some U.S. courts have held that the mere fact that the insured's employee was duped by the fraudster through a communication which happened to be electronic (such as an e-mail, as opposed to a telephone call or a hard copy letter) does not mean the loss was caused by a computer. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, 5:16-cv-12108-JCO-APP Doc # 33 (U.S.D.C., Mich. Southern Div., 2017), a criminal, posing as one of the insured ATC's vendors, sent a fraudulent email to ATC instructing that payment for legitimate invoices be wired to the criminal's bank account. ATC's arrangement with the vendor was that, upon receipt of invoices, it would issue payment after confirming that the invoiced work had been done. The email displayed the "yifeng-rnould" domain name, as opposed to the vendor's correct domain name of "yifeng-mould.com". ATC's staff verified that the work invoiced had been done and instructed its bank to wire the funds to the criminal's account. The Court denied ATC's claim under its "Computer Fraud" coverage, which covered "Computer Fraud" defined as "[t]he use of any computer to cause a transfer of Money".
The Court held that the loss was not a "direct loss" that was "directly caused by the use of a computer" because "the mere sending/receipt of fraudulent emails did not constitute 'the use of any computer to fraudulently cause a transfer.'" Citing Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016), the Court reasoned: "Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the 'use of any computer to fraudulently cause a transfer.' There was no infiltration or 'hacking' of ATC's computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails."
Further, the Court followed Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016), which had held that "[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy."

By contrast, Medidata Solutions Inc. v. Federal Insurance Co., 15-CV-907 (SDNY July 21, 2017) is an example where the insured Medidata's finance department had received emails from corporate management instructing personnel "to be prepared to assist with significant transactions on an urgent basis" because of the company's business plans, which included a possible acquisition. A fraudster posing as the company's president sent a spoofed email (made to falsely appear to be an internal company email, displaying the president's email address in the "From" line and a photo of the president) to an employee, Evans, advising her of a pending acquisition and that she would soon hear from a lawyer known to her about it. The fraudster then phoned Evans, posing as the lawyer, and instructed her to process a wire funds transfer. Evans insisted that she would require an email from the president requesting the transfer and an authorization from the Vice-President (Chin) and the Director of Revenue (Schwartz). Chin, Schwartz and Evans then received another spoofed email from the fraudster (again made to appear to be an internal email), posing as the president, to the effect that he had spoken to Evans about the transfer and expected Chin and Schwartz to sign off on it. Chin and Schwartz approved the transfer on the company's electronic accounting system and Evans instructed the bank to make the transfer. Medidata had a policy from Federal that provided Computer Fraud Coverage and Funds Transfer Coverage.
Computer Fraud Coverage covered "direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party." "Computer Fraud" was defined as "the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation." A "Computer Violation" included both "the fraudulent: (a) entry of Data into ... a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format ... directed against an Organization." The Court held that the loss was covered under Computer Fraud Coverage; it relied on Universal Am. Corp. v. Nat'l Union Fire Ins. Co., 25 N.Y.3d 675, 680 (NYCA, 2015), which held that such unambiguous policy language applied to unauthorized access to the insured's computer system but not to losses arising from fraudulent content submitted to authorized users. The fraud on Medidata was held to be the deceitful and dishonest access to the insured's computer system contemplated in Universal. Fraudulent Funds Transfer Coverage provided coverage for a "direct loss of money . . . by fraudulent instructions purportedly issued by" the insured. The Court rejected the insurer's argument that there was no causal link between the spoofed emails and the loss because the employee also relied on a phone call and took other steps to validate the transfer instructions. The Court held Medidata's claim to be covered:

. . . In this case, it is undisputed that a third party masked themselves as an authorized representative, and directed Medidata's accounts payable employee to initiate the electronic bank transfer. It is also undisputed that the accounts payable personnel would not have initiated the wire transfer, but for, the third parties' manipulation of the emails. The fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high level employees' knowledge and consent which was only obtained by trick. As the parties are well aware, larceny by trick is still larceny. Therefore, Medidata has demonstrated that the Funds Transfer Fraud clause covers the theft in 2014.
In our view, the facts in Medidata are distinguishable from those in Aqua Star, American Tooling and The Brick. The use of email to dupe the employees did not only incidentally involve an electronic communication. The emails involved more than the use of a similar but incorrect email address of the party purportedly instructing the transfer. They involved a manipulation of the company's internal email system by altering the data displayed in the fraudulent emails. Either way, companies receiving requests to change payment instructions should take steps to verify such instructions with the authentic parties in question.
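The two sender patterns described in the cases above, a lookalike domain ("yifeng-rnould" for "yifeng-mould.com") and a vendor's name in a mailbox at an unrelated host (silbers_toshiba@eml.cc), can both be caught by an accounts-payable intake check before anyone edits a vendor's bank details. The following Python is an added example written for this commentary; it is not code from any of the parties, courts or insurers discussed. The vendor domain list, the confusable-glyph table, the keyword pattern for payment-change language and the three sample messages are all constructed assumptions (toshiba.com is assumed as Toshiba's domain, and the message bodies are invented). It goes slightly beyond the page by scoring any bank-change request, even from a known domain, as needing a callback, which is the verification step the commentary recommends.

```python
"""Intake check for vendor e-mails that ask to change payment instructions (added example)."""
import re

# Known-good vendor domains as the accounts-payable system would hold them.
# "yifeng-mould.com" is the vendor domain from American Tooling; "toshiba.com"
# is an assumed domain for the Toshiba vendor in The Brick (assumption).
KNOWN_VENDOR_DOMAINS = {"yifeng-mould.com", "toshiba.com"}

# Glyph sequences that look alike in common fonts. "rn" -> "m" is the swap used
# in the "yifeng-rnould" address; the rest are standard homoglyph pairs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s")]

# Wording typical of a request to redirect payments (constructed pattern).
PAYMENT_CHANGE = re.compile(
    r"(changed banks|new (bank )?account|(bank|account|wire|payment|remittance)"
    r" (details|instructions|information))", re.IGNORECASE)


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which confusable glyphs coincide."""
    d = domain.lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(from_header: str):
    """Return (display_name, local_part, domain) from a From: header value."""
    m = re.search(r"^(.*?)<?([^<>\s@]+)@([^<>\s]+)>?\s*$", from_header.strip())
    if not m:
        return ("", "", "")
    name, local, domain = m.groups()
    return (name.strip().strip('"'), local.lower(), domain.lower().rstrip("."))


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS) -> dict:
    """Classify the sender as known, lookalike, impersonation or unknown."""
    name, local, domain = split_address(from_header)
    if domain in known:
        return {"domain": domain, "verdict": "known", "vendor": domain}
    for vendor in known:
        if skeleton(domain) == skeleton(vendor) or levenshtein(domain, vendor) <= 2:
            return {"domain": domain, "verdict": "lookalike", "vendor": vendor}
    # A vendor's name in the mailbox or display name, sent from an unrelated
    # domain (the silbers_toshiba@eml.cc pattern), is name impersonation.
    for vendor in known:
        for label in vendor.split(".")[0].split("-"):
            if len(label) >= 4 and (label in local or label in name.lower()):
                return {"domain": domain, "verdict": "impersonation", "vendor": vendor}
    return {"domain": domain, "verdict": "unknown", "vendor": None}


def triage(message: dict, known=KNOWN_VENDOR_DOMAINS) -> dict:
    """Rate an inbound vendor e-mail; every bank-change request gets a callback."""
    sender = classify_sender(message["from"], known)
    asks_change = bool(PAYMENT_CHANGE.search(message["subject"] + " " + message["body"]))
    if asks_change and sender["verdict"] != "known":
        risk = "high"
    elif asks_change or sender["verdict"] in ("lookalike", "impersonation"):
        risk = "medium"   # a genuine-looking sender still gets a phone check
    else:
        risk = "low"
    action = ("call the vendor on the number already on file before changing anything"
              if asks_change else "none")
    return {"risk": risk, "sender": sender["verdict"], "action": action}


# Constructed sample messages modelled on the fact patterns in the cases.
SAMPLE_MESSAGES = [
    {"from": "Toshiba Controller <silbers_toshiba@eml.cc>",
     "subject": "Updated remittance information",
     "body": "We have changed banks. Please direct all future payments to our new RBC account."},
    {"from": "ap@yifeng-rnould.com",
     "subject": "Invoice 1042",
     "body": "Please wire payment for the attached invoice. Wire instructions follow."},
    {"from": "ap@yifeng-mould.com",
     "subject": "Invoice 1042",
     "body": "Thank you for your order. Invoice attached."},
]


def run_samples():
    """Triage the constructed samples; returns one result dict per message."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["from"], "->", result)
```

The first two samples come out as high risk (name impersonation and a lookalike domain, each paired with payment-change language); the third, a plain invoice from the real vendor domain, is low risk. Note that the check only narrows the queue: the action for any bank-change request is the same call-back to a number already on file, because, as The Brick shows, a request from an address that merely looks plausible is not verified until the real vendor confirms it.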
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.