Canada: The Brick Warehouse LP v Chubb Insurance Company Of Canada

Last Updated: November 7 2017
Article by Field LLP

I. INSURANCE ISSUES

A. Where an insured's employee followed an email from a fraudster posing as a vendor to change the electronic payment instructions to an account controlled by the fraudster, coverage was denied under the funds transfer fraud coverage in a crime policy because the payment instructions to the bank were issued by the insured with its employee's consent and not by the third party fraudster.

The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413, per Fraser, J.

I. FACTS AND ISSUES

In August 2010, an individual called the Brick's accounts payable department, stating that he was a new employee calling from Toshiba and that he was missing some payment details. Upon receipt of the call, The Brick employee faxed payment documentation to a number provided by the caller.
 
On August 20, 2010, a different individual in the Brick accounts payable department received an email allegedly from controller of Toshiba and using the email address silbers_toshiba@eml.cc. The alleged Toshiba employee stated that Toshiba had changed banks and that from now on all payments should be made to the new RBC account. The email provided the necessary information to transfer money into that account. On August 24, 2010, someone called the Brick's accounts payable department and spoke to the same Brick employee who had received the August 20 email. The caller wanted to confirm the transfer of banking information.
 
The Brick employee changed the bank information for Toshiba in the Brick's payment system, updating it with the new banking account information. The employee followed the Brick's standard practice on changing account information. No one from the Brick took any independent steps to verify the change in bank accounts, nor did anyone contact Toshiba.
 
As a result of this, the Brick directed payment on ten Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a net loss of $224,475.

The Brick submitted a claim to Chubb under the funds transfer fraud coverage in the crime prevention policy it had issued to the Brick. The policy defined "funds transfer fraud" as follows:
 
Funds transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured's knowledge or consent.
 
Chubb denied the claim on March 15, 2012, on the basis that the Brick's instructions to its own bank had emanated from an authorized employee of the Brick, and that the instructions were not themselves fraudulent.
 
The issue was as to whether or not the Chubb policy covered social engineering fraud.
 
II. HELD:  For the defendant insurer; claim dismissed.
  1. The Court referred to previous Supreme Court case law where the Supreme Court had held that in relation to insurance policies, there is a two-step interpretation procedure (Consolidated-Bathurst Export Ltd. v Mutual Boiler and Machinery Insurance Co. [1980] 1 S.C.R. 888; B. Billingsley, General Principles of Canadian Insurance Law, 2nd ed. (LexisNexis Canada Inc., 2014) at 146):
     
    1. Interpretation of the intention of the parties; and
       
    2. Resolution of any ambiguities that exist.
       
  2. The court held that when looking at the intention of the parties, the following principles will apply (B. Billingsley, General Principles of Canadian Insurance Law, 2nd ed. (LexisNexis Canada Inc., 2014) at 146):
     
    1. Undefined contract is you will;
       
    2. Clearly worded terms should be given full effect of the contract read as a whole;
       
    3. An undefined word with two meanings should be assigned a meaning which "is more reasonable in promoting the intention of the parties"; and
       
    4. The objective of the contract should not be negated by a technical definition or by an interpretation "which will result in either a windfall to the insurer or an unanticipated recovery to the insured".
       
  3. With respect to ambiguities in the policy, the Court held that if, after applying the above principles, "a conflict exists between two reasonable but differing interpretations of the policy" the court may resort to principles of interpretation which assist the courts in resolving contractual ambiguities, including:
     
    1. the contra proferentem rule;
       
    2. the broad interpretation of coverage clauses and the narrow interpretation of exclusion clauses;
       
    3. the fulfilment of the reasonable expectations of the parties so as to avoid an unrealistic result; and
       
    4. the continuity or consistency of judicial interpretation.
       
  4. Fraser, J. held that the Brick was not entitled to recover its loss from Chubb due to the limitations and language of the policy.
     
    1. The Court held that the Policy wording required the fraudulent payment instructions to have emanated from the third party fraudster posing as the insured Brick:
19    In order for the Brick to be successful, it must show that its bank transferred funds out of the Brick's account under instructions from a third party impersonating the Brick. It is not covered if the Brick knew about, or consented to the instructions given to the bank. The insurance policy also contains in the exclusion section a clause which denies coverage if the loss is due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee. The only exceptions to this clause involve money orders and counterfeit currency.
  1. In this case the Brick's employee was held to have consented to the payment instructions issued to the bank within the meaning of the policy:
23    The Brick contends that the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions. While it is true that clause 1(E) does state that, that clause must be examined in conjunction with the definition of fund transfer fraud contained in the contract. That definition includes the words "insured's knowledge or consent". There is no definition in the contract of either the term "knowledge" or "consent". There is no mention anywhere in the insurance policy of the term "informed consent". If the policy contained these words, again it is unlikely the parties would be before the court. When a word or a term is undefined, the word should be given its "plain, ordinary and popular" meaning, "such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it".
 
24    One of the definitions of consent is "permission for something to happen, or agreement to do something. Examining the facts, a Brick employee did give instructions to the bank to transfer funds. The employee was permitting the bank to transfer funds out of the Brick's account. Consequently, the transfer was done with the Brick's consent. Even applying the contra proferentem rule, the Brick still consented to the funds transfer.
  1. In addition, the payment instructions were not given to the bank by the third party fraudster as required by the policy but by the insured Brick itself:
25    Even if the Brick did not consent to the funds transfer, there is still the issue of whether the transfer was done by a third party. Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster's scheme. Therefore, the transfer was not done by a third party.
  1. The Court referenced several analagous American cases, all of which absolved the insurance company of liability: Ameriforge Group Inc v Federal Insurance Company No.4:16 cv-00377; Medidata Solutions, Inc. v. Federal Insurance Company, No. 1:15-cv-00907 (S.D.N.Y. Mar. 10, 2016). These U.S. cases included one where the insurer was a corporate relative of Chubb: Taylor and Lieberman v Federal Insurance Company, 2:14-cv-03608, unreported.
III. COMMENTARY: 

This case is in line with the majority of American cases. Aqua Star (USA) Corp v. Travelers Casualty and Surety Co., No. C14-1368 (W.D. Wash. 2016) is an example where the crime policy excluded from computer fraud coverage for "loss resulting directly or indirectly from the input of Electronic Data by an actual person having the authority to enter the Insured's Computer System". The Court held that the entry of the data by the insured's treasurer was an immediate step in a chain of events resulting in the loss. It rejected the insured's arguments, including that the exclusion was meant to exclude only "inside jobs". Where the policy covers losses caused by computer fraud, some U.S. courts have held that the mere fact that the insured's employee was duped by the fraudster by a communication which happened to be electronic (such as an e-mail as opposed to a telephone call or a hard copy letter) does not render the loss to have been caused by a computer.
 
In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, 5:16-cv-12108-JCO-APP Doc # 33 (U.S.D.C., Mich. Southern Div., 2017), a criminal, posing as one of the insured ATC's vendors, sent a fraudulent email to ATC instructing payment for legitimate invoices to be wired to the criminal's bank account. ATC's arrangement with the vendor is that upon receipt of invoices it would issue payment after confirming that the invoiced work had been done. The email was displayed the "yifeng-rnould" domain name, as opposed to the vendor's correct domain name of "yifeng-mould.com". ATC's staff verified that the work invoiced had been done and instructed its bank to wire the funds to the criminal's account. The Court denied ATC's claim under its "Computer Fraud" coverage, which provided coverage for "Computer Fraud" defined as "[t]he use of any computer to cause a transfer of Money". The Court held that the loss was not a "direct loss" that was "directly caused by the use of a computer" because "the mere sending/receipt of fraudulent emails did not constitute 'the use of any computer to fraudulently cause a transfer.'": Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016):
      
Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the "use of any computer to fraudulently cause a transfer." There was no infiltration or "hacking" of ATC's computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.
 
Further, the Court followed Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016) which had held that "[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy."
 
By contrast, Medidata Solutions Inc. v. Federal Insurance Co., 15–CV–907 (SDNY July 21, 2017) is an example where the insured Medidata's finance department had been issued emails from corporate management to personnel instructing them "to be prepared to assist with significant transactions on an urgent basis" because of the company's business plans which included a possible acquisition. A fraudster posing as the company's president sent a spoofed email (made to falsely appear to be an internal company email, displaying the president's email address in the "From" line and a photo of the president) to an employee, Evans, advising her of a pending acquisition and that she would soon hear from a lawyer known to her about that. The fraudster then phoned Evans, posing as the lawyer and instructed her to process a wire funds transfer. Evans insisted that she would require an email from the president requesting the transfer and an authorization from the Vice-President (Chin) and the Director Of Revenue (Schwartz). Chin, Schwartz and Evans then received another spoofed email from the fraudster (again made to appear to be an internal email) posing as the president to the effect that he had spoken to Evans about the transfer and expected Chin and Schwartz to sign off on it. Chin and Schwartz approved the transfer on the company's electronic accounting system and Evans instructed the bank to make the transfer. Medidata had a policy from Federal that provided Computer Fraud Coverage and Funds Transfer Coverage.
 
Computer Fraud Coverage covered "direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party." "Computer Fraud" was defined as "the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation." A "Computer Violation" included both "the fraudulent: (a) entry of Data into ... a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format ... directed against an Organization." The Court held that the loss was covered under Computer Fraud Coverage, it relied on Universal Am. Corp. v. Nat'l Union Fire Ins. Co., 25 N.Y.3d 675, 680, (NYCA, 2015) which held that such unambiguous policy language applied to unauthorized access to the insured's computer system but not losses arising from fraudulent content submitted to authorized users. The fraud on Medidata was held to be the deceitful and dishonest access to the insured's computer system contemplated in Universal.
 
Fraudulent Funds Transfer Coverage provided coverage for a "direct loss of money . . . by fraudulent instructions purportedly issued by" the insured. The Court rejected the insurer's argument that there was no causal link between the spoofed emails and the loss because the employee also relied on a phone call and took other steps to validate the transfer instructions. The Court held Medidata's claim to be covered:
 
. . . In this case, it is undisputed that a third party masked themselves as an authorized representative, and directed Medidata's accounts payable employee to initiate the electronic bank transfer. It is also undisputed that the accounts payable personnel would not have initiated the wire transfer, but for, the third parties' manipulation of the emails. The fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high level employees' knowledge and consent which was only obtained by trick. As the parties are well aware, larceny by trick is still larceny. Therefore, Medidata has demonstrated that the Funds Transfer Fraud clause covers the theft in 2014.
 
In our view, the facts in Medidata are distinguishable from those in Star Aqua, American Tooling and The Brick. The use of email to dupe the employees did not only incidentally involve an electronic communication. The emails involved more than the use of a similar but incorrect email address of the party purportedly instructing the transfer. It involved a manipulation of the company's internal email system by altering the data displayed in the fraudulent emails. Either way, companies receiving requests to change payment instructions should take steps to verify such instructions from the authentic parties in question.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Alexander Holburn Beaudin + Lang LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Alexander Holburn Beaudin + Lang LLP
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions