No, your “computer fraud” policy does not cover that.

hacker-images-03Apache Corporation had an insurance policy for computer fraud, which said: “We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.” (emphasis added) The Fifth Circuit, after a “detailed — albeit numbing — analysis of the cited authorities,” concluded that the weight of the case law did not create coverage under this policy for the following events:

  1. Apache received a call from a vendor (actually, a criminal posing as the vendor) asking that Apache change its payments to a new bank account.
  2. Apache asked for a formal request on the vendor’s letterhead; one arrived about a week later by email with an attachment on letterhead (from a domain used by the criminals to further pose as the vendor);
  3. Apache called the number on the letterhead to verify the request, and after thinking it had confirmed the authenticity of the request, began sending payments to a new bank account.

While computer use obviously played a role in the deception, the Court noted: “To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.” Apache Corp. v. Great Am. Ins. Co., No. 15-20499 (Oct. 18, 2016, unpublished).

Recent Related Posts