The U.S. Court of Appeals for the Sixth Circuit, applying Michigan law, has held that the computer fraud provision of a commercial crime policy covers losses from wire transfers sent by the insured pursuant to fraudulent emails.  American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co., 2018 WL 3404708 (6th Cir. Jul. 13, 2018).

The insured manufacturer outsourced some of its manufacturing work to vendors.  One of those vendors was a Chinese manufacturer; the insured company paid for the manufacturer’s work by wire transfer.  In 2015, the company received a series of emails from a third party purporting to be an employee of the manufacturer.  The emails requested that the insured make its wire payments to a different bank account because of an audit.  Over the course of several weeks, the insured company wired $834,000 to that account.  When the insured’s actual contact at the manufacturer demanded payment for outstanding invoices, the insured realized that it had been communicating with an imposter and wiring money to the imposter’s account.  The company’s insurer concluded that the crime policy did not afford coverage for the loss, and the insured sued for breach of contract.  The district court granted summary judgment in an opinion here.

On appeal, the Sixth Circuit reversed, holding that the insured company suffered a “direct loss,” and that the loss was “directly caused by Computer Fraud” as set forth in the policy.  The insurer argued that there was no “direct loss” because the insured performed a series of internal approval procedures that broke the causal connection between the request and when the loss occurred.  The appeals court rejected this argument, explaining that the insured “immediately lost its money when it transferred the [funds] to the impersonator,” which the court found represented a “direct” loss resulting from an “immediate” or “proximate” cause, as distinct from “remote or incidental causes.”  In addition, the court held that the insured met its burden of showing that the fraudulent emails were the immediate, and therefore “direct,” cause of its loss.

The appeals court also concluded that the scheme constituted “Computer Fraud” under the policy.  The policy defined “Computer Fraud” as “[t]he use of any computer to fraudulently cause a transfer of Money, Security or Other Property from inside the Premises . . . to a person . . . outside the Premises[.]”  The insurer argued that this definition requires a computer to actually cause the transfer, suggesting that the definition is limited to instances where the perpetrator gains access to or somehow controls the insured’s computers, which did not happen in this case.  The court rejected that rationale and concluded that limiting the definition of “Computer Fraud” to certain criminal behavior was not supported by the policy language, as the operative definition does not require that the fraudster cause any computer to do anything.

Finally, the court held that three policy exclusions raised by the insurer did not apply to bar coverage for the loss.