“Cause(ation)” For Concern: Two Recent Troubling Social Engineering Cases
Authors: Michael Keeley, J. Caralisa Connell
The most significant coverage issue facing the fidelity industry today is the scope of causation. Whether a court applies a “direct means direct” or a tort-based proximate cause standard often is the deciding factor in whether a claim is covered, particularly in the context of social engineering losses. A little history is helpful in gleaning insight into the issue. Early fidelity policy forms provided coverage for “loss through” a covered peril. Because of adverse court decisions broadly construing this language, in 1976 the industry replaced “loss through” with “loss resulting directly from,” with the intent to limit coverage to losses immediately flowing from the covered peril with no intervening events. Today, all standard form fidelity policies, and to the authors’ knowledge, all fidelity policies regularly issued in the United States and London, intentionally use such narrow causation language in each of the multiple insuring agreements in such policies. And, courts nationwide have historically construed such language narrowly, applying a “direct means direct” or “immediate” standard—until recently, that is.
As social engineering claims exploded over the last decade, policyholders latched onto computer fraud insuring agreements as a possible avenue for coverage. But those insuring agreements were intended to provide coverage for computer hacking, not social engineering—that is, loss caused when a fraudster unlawfully accesses a computer and manipulates the data to immediately transfer money for the fraudster’s benefit. In such a scenario, the insured’s loss is direct, unlike the typical social engineering claim. We know Computer Fraud insuring agreements were not intended to cover social engineering losses based not only upon institutional knowledge, but the mere fact that Computer Fraud coverage first was offered by ISO as Form F in 1983, long before impersonation and related social engineering schemes became popular. But, while history is a helpful context for courts, the meaning of the terms of a policy is, or should be, construed based upon the common everyday meaning of those words. While it seems eminently clear that the contractual concept of direct causation does not equate to the tort concept of proximate causation, too many courts are wrongly deciding the issue, including two within the last two months.
Most in the industry already have read the unfortunate decision in Ernst v. Hiscox, 23 F.4th 1195 (9th Cir. 2022). While it certainly is not favorable, for the reasons explained below, it is not as bad as many think and it is important to understand why. Unfortunately, twelve days ago a district court in Alaska, in City of Unalaska v. National Union, Case No. 3:21-cv-00096-SLG, 2022 WL 826501 (D. Ak. Mar. 18, 2022), equated direct cause to proximate cause. Unlike Ernst, this case may be as bad as first appears.
Ernst involved a typical social engineering scheme. Krystale Allen, an accounts payable clerk with Ernst, received an email from a fraudster purporting to be the founder of Ernst, directing her to pay an invoice for $50,000 to Zang Investments by wire transfer. Allen complied, and did the same with a second email requesting payment of $150,000. Fortunately, Allen became suspicious before making payment as a result of a third email and the scheme was discovered. Ernst thereafter submitted a claim to Hiscox under both the Computer Fraud and Funds Transfer Fraud Insuring Agreements of a Crime Insurance Policy. Hiscox denied coverage under that policy (issued in 2019), and Ernst contended that an earlier policy issued in 2012 applied because Hiscox violated California law by not informing Ernst that coverage had purportedly been narrowed. The district court considered coverage only under the 2012 policy, presumably on the basis that it provided broader coverage and if there was no coverage under the 2012 policy, as the court found, there would be no coverage under the 2019 policy. The district court correctly granted Hiscox’s motion to dismiss on the basis that Ernst “claimed losses did not ‘flow immediately’ and ‘directly’ from [the Haas’ imposters’s] use of a computer,” relying upon Pestmaster Services, Inc. v. Travelers Casualty and Surety Co. of America, No. CV 13-5039-JFW, 2014 Westlaw 3844627, at *8 (C.D. Ca. July 8, 2014).
On appeal, Hiscox relied upon the seminal case of Vons Cos. v. Federal Insurance Co., 57 F. Supp. 2d 933, 943 (C.D. Cal. 1998), aff’d 212 F.3d 489 (9th Cir. 2000), for the proposition that “direct means direct,” as well as on Pestmaster and the numerous other jurisdictions holding that “loss resulting directly from” requires an immediate loss, with no intervening causes. In head-scratching fashion, the Ninth Circuit relegated its discussion of Vons to a footnote, merely noting that it was inapplicable because it involved a different insuring agreement. And, it refused to apply its earlier decision in Pestmaster because of a difference in facts. Instead, the Ninth Circuit found “the Sixth Circuit’s American Tooling decision persuasive and much more on-point.”
There is concern circulating that Ernst overrules Vons “direct means direct” proclamation, and that the Ninth Circuit is now a “proximate cause” jurisdiction. Neither is true. Here is what the Ninth Circuit stated in reversing the district court’s decision: “Here, the computer fraud provision provides that Ernst’s loss must ‘result directly’ from the fraud. In other words, like ATC, Ernst must suffer a direct loss. And like, ATC, Ernst immediately lost its funds when those funds were transferred to Zang as directed by the fraudulent email. There was no intervening event—Allen acting pursuant to the fraudulent instruction ‘directly’ caused the loss of the funds. Thus, taking the pleaded facts as true, Ernst suffered a loss resulting ‘directly’ from the fraud, arguably entitling Ernst to coverage under the policy. So here, as in American Tooling, we cannot conclude that Ernst’s alleged immediate loss of funds based on the fraudulent email was not ‘direct.’” Thus, while the Ninth Circuit panel was unwilling to pay credence to Vons because it was an employee dishonesty claim as opposed to a computer fraud claim, the court nevertheless did follow Vons’ conclusion that “direct means direct,” or immediate. The problem with the court’s decision is it focuses on whether Ernst’s loss resulted directly from Allen’s wire transfer request. But, the issue under the insuring agreement is not whether Allen’s honest transfer of the funds directly caused the loss, but whether the fraudulent email resulted in a direct loss. The court’s decision conflated the predicate act—the fraudulent email—with Allen’s subsequent transfer of the funds.
Another critical problem with the court’s decision is it overlooked the fact that there were multiple intervening causes between Allen’s act of sending a wire transfer request to Ernst’s bank and the ultimate payment. The court’s failure to note these events demonstrates the critical importance of clearly explaining all intervening acts between the fraudulent conduct and the ultimate loss. Here, even though the court seemed to recognize that the loss must be “immediate” under the insuring agreement, it found coverage for loss that was not immediate, explaining that there “was no intervening act.” In sum, while the court found coverage in this particular case, the decision does not overrule Vons and the Ninth Circuit is still a “direct means direct” circuit.
Unalaska also involved a typical social engineering scheme. The City of Unalaska’s employee received a fraudulent email purporting to be from one of the City’s regular vendors, requesting a copy of the form necessary to change the method of future payments from paper checks to ACH transfers. A City employee provided the fraudster a blank form and the fraudster returned the completed form designating the fraudster’s bank account as the new method for receiving payments. A week later, the City advised the fraudster that it had received verbal authorization to make future payments by ACH. Thirty days after the fraudster’s first email, the City initiated the first of many ACH payments totaling $2,985,401.10 to the fraudster’s bank account.
National Union paid the $100,000 policy limits under the Impersonation Fraud Coverage of its policy, but denied coverage under the Computer Fraud Insuring Agreement which, as is standard, had higher limits. The City filed suit seeking coverage under the Computer Fraud Insuring Agreement, which provided coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer” of property.
National Union argued that the “direct means direct” approach applied, that “directly” means “to ‘proceed’ ‘without deviation or interruption,’” and that the City’s loss was not “direct” because there were “many intervening events between the fraudster’s emails and the insured’s final decision to issue ACH payments.” The City also pointed out that there was a thirty-day lapse between the fraudster’s initial email and the first ACH payment to the fraudster’s account.
The City argued that the ordinary meaning of the phrase “resulting directly from” is “proximately caused by.” The City asserted that a reasonable insured would not expect the policy to exclude instances where the insured’s employee had to act after receipt of a fraudulent email and that “[t]he policy speaks to directly causing a transfer,” rather than “‘effectuating’ or ‘making’ a transfer, which might more closely suggest to a reasonable lay person that something like ‘hacking’ is required, or that acts by employees would sever the ‘causal chain.’”
The court held in favor of the City, finding that a reasonable insured would indeed expect coverage because “[b]y its plain language, the CFIA applies under these circumstances; the City experienced a loss of money resulting directly from the fraudster’s use of a computer – sending an email impersonating the City’s vendor – to fraudulently cause a transfer of funds from the City to the fraudster’s bank account.” The court expressly held that the policy “does not require more than proximate causation for coverage.” Relying on the Eleventh Circuit’s reasoning in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., 944 F.3d 886 (11th Cir. 2019), the court reasoned “though the word ‘directly’ may connote immediacy when read in isolation, a reasonable insured would consider the phrase “resulting directly from” to convey the concept of proximate cause.” The court further expressly declined to recognize a distinction between the computer fraud insuring agreement’s use of the phrase “resulting directly from” and the impersonation fraud coverage endorsement, which required loss “resulting” from.
The court further found that the City’s loss met the applicable proximate cause standard, rejecting National Union’s argument that the employee’s actions in authorizing the transfer were “significant and substantial” acts that broke the chain of causation. Rather, the court determined that “the fraudster’s email was clearly intended to bring about those actions” and the “loss was a foreseeable kind of harm arising from a fraudulent email scheme.”
The court also found the reasoning of the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, 895 F.3d 455 (6th Cir. 2018), and the Ninth Circuit in Ernst persuasive in showing that the computer fraud insuring agreement provides coverage where a fraudster sends an email impersonating a vendor. Notably, Alaska follows the pure reasonable expectations approach, which is considerably more favorable to insureds. However, Unalaska’s reliance on Ernst and its continuation of the recent trend allowing for coverage for losses that are not “direct” is clearly concerning. And, to add insult to injury, the court went out of its way, in dicta, to cast doubt on the Fifth Circuit’s oft-cited decision in Apache Corp. v. Great American Insurance Co., 662 Fed. App’x 252 (5th Cir. 2016), stating, “In Apache, the Fifth Circuit was clear that its decision was made ‘[b]earing in mind the limited weight accorded . . . non-binding authority, as well as Texas’ policy preference for cross-jurisdictional uniformity.’ Given that several published decisions have since concluded that the CFIA is applicable to losses similar to the City’s, the Apache court may well have reached a different conclusion.”
While many well-reasoned decisions have held that direct does mean direct, these two recent decisions, as well as others over the last couple of years, obviously change the landscape for at least social engineering and other electronic crime claims. The authors believe it is critical that insurers in these cases educate the courts on the history of the causation language in the policy, explain why the tort concept of proximate cause has no place in construing the contractually agreed upon direct causation requirement, and take great pains to explain each separate intervening act between the fraudulent email and eventual loss, which does not occur until the insured’s money actually leaves its account.