Commercial Crime Policy Covers Loss Involving Fraudulent Email Directing Employee to Make Payments
The United States Court of Appeals for the Ninth Circuit, applying California law, has held that a loss resulting from an employee’s payments made to a third party after receiving fraudulent emails directing her to wire funds to an outside organization was covered under Computer Fraud and Funds Transfer Fraud coverages under a commercial crime policy. Ernst & Haas Mgt. Co. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022).
An accounts payable clerk at an insured property management company received an email, purportedly sent by the founder of the company, directing her to wire money to an outside organization. She made two wire transfers totaling $200,000 before speaking with the founder and learning that the emails were not legitimate, resulting in a net loss of $200,000.
The company sought coverage under a commercial crime policy for its loss, which afforded Computer Fraud coverage for certain losses “resulting directly from the use of any computer to fraudulently cause a transfer of that property” from the insured’s business or its bank to a person or place outside the insured’s business or its bank. The policy also provided Funds Transfer Fraud coverage for loss “resulting directly from a [Fraudulent Instruction] to transfer, pay or deliver money” from the insured’s bank account. The policy defined a Fraudulent Instruction as including an “instruction initially received by [the insured] which purports to have been transmitted by an Employee but which was in fact fraudulently transmitted by someone else without [the insured’s] or the Employee’s knowledge or consent.” After the insurer denied coverage for the claim, coverage litigation ensued. In that coverage litigation, the district court dismissed the insured company’s lawsuit after concluding that the loss resulted from the employee’s initiation of the wire, not from the fraudulent email directing her to initiate the wire.
On appeal, the Ninth Circuit reversed. First, the court rejected the district court’s conclusion that the Computer Fraud coverage was limited to loss from “unauthorized computer use, like hacking.” The Ninth Circuit also found that the fraudulent emails were the direct cause of the loss, rejecting the district court’s ruling that the payments did not result “directly” or “immediately” from the computer fraud. Second, the court ruled that the Funds Transfer Fraud coverage also applied, rejecting the insurer’s argument that coverage was limited to fraudulent instructions sent directly from an unauthorized third party (and not an authorized employee) to a bank. For both reasons, the court ruled that the policy responded to the loss.