9th Circuit Clarifies Meaning of Direct Causation in Ruling on Claim for Phishing Scam
A decision by a panel of the 9th Circuit Court of Appeals on Wednesday will make it more difficult for insurers to deny claims by victims of phishing scams, which one industry group says have more than doubled in frequency since the advent of COVID-19.
The appellate panel reversed a decision by the US District Court in Los Angeles that found a wire transfer induced by a spoofed email was not a direct loss as defined by a crime insurance policy issued by Hiscox. The opinion says the trial court had misinterpreted a previous appellate court ruling to require a more literal interpretation of “directly” than was required by the insurance contract.
District Court Judge Andre Birotte Jr. dismissed Ernst & Haas Management Co.’s claim to Hiscox because no money had been directly stolen from the company’s bank account — it was transferred by an employee who followed instructions in an email that she thought had been sent by her boss.
“The district court’s interpretation overlooks the express language of the policy, which states that funds transfer fraud includes not only fraudulent instructions sent directly to a bank, but also fraudulent instructions initially received by an employee,” the 9th Circuit’s opinion says. “Either type of fraudulent instruction that results in ‘directing’ a financial institution to transfer funds is covered by the policy.”
Numerous industry groups have reported that cybercrime has exploded during the COVID-19 pandemic, in part because businesses are relying on remote workers.
The Anti-Phishing Working Group reported that as of the third quarter of 2021, the number of phishing attacks has more than doubled since early 2020, when it was observing 68,000 to 94,000 attacks per month. APGW observed 260,642 attacks in July 2021, the highest monthly attack count APWG had ever reported.
Email spoofing, that is, deceiving someone by sending an email with an address that looks very similar to someone else’s, is one form of phishing. The scheme cost Ernst & Haas, a property management firm in Long Beach, Calif., $200,000.
Attorney Robert L. Bastain Jr., of Bastian & Dini in Beverly Hills, handled Ernst & Haas’ appeal. He said in an email to the Claims Journal that attorneys who work within the 9th Circuit’s jurisdiction have asked to be kept apprised of developments in the case, which tells him that other insureds are confronting similar coverage issues.
“The opinion provides welcome and authoritative clarity regarding how specific computer fraud and funds transfers clauses, and, in such context, direct causation are properly understood,” he said.
Ernst & Haas was scammed in March 2019, when an accounts payable clerk received an email from an address that appeared to belong to David Haas, the managing broker for the firm. The email instructed the employee to wire $50,000 to a Fifth Third Bank account owned by an entity called Zang Investments LLC. An invoice was attached. The employee thought the email was legitimate and instructed her employer’s bank to wire the money.
The next week, the accounts payable clerk received a second email from the same address requesting a payment of $150,000, again with an email attached. The employee complied.
But the employee became suspicious when she received a third email from the same address asking for a $470,000 payment. This time she forwarded the email to the real David Haas and asked if it was a legitimate request. Haas told her it wasn’t.
The employee tried to block the previous payments but the bank told her it was too late. Later, a manager reminded the employee that the company’s protocols prohibit making payments via wire transfer. Ernst & Haas filed a claim with Hiscox to recover its $200,000.
The insurer refused to pay. Hiscox contended that the loss was not covered because the policy required the loss to “result directly” from the use of a computer. Furthermore, the insurer contended that the account payable’s clerk violation of protocols triggered an exclusion in the policy.
Judge Birotte said in his ruling that there is sparse legal authority, but he found a 9th Circuit unpublished decision in a case brought by Pestmaster Services against Travelers instructive. In that 2014 decision, the appellate court affirmed a ruling denying coverage for money that was stolen by a payroll company that had regularly withdrew funds from its client’s bank account.
The 9th Circuit panel said, however, that the facts in the Pestmaster case were very different than Ernst & Haas’ claim. For one thing, the thief in Pestmaster had authority to withdraw funds. The theft occurred after the first authorized transfer, when monies were diverted to another unauthorized account.
“Here, Ernst immediately lost its funds when the funds were transferred as directed by the fraudulent email, and there was no intervening event,” the panel’s opinion says.
The appellate court remanded the case back to the Central District of California. Other issues remain to be decided: Ernst & Haas alleges that Hiscox “skinnied down” its insurance coverage without giving notice when it renewed the policy in 2019, a violation of California law. The district court and the appellate court decisions assume that the language in the previous version of the policy was still in force, so a decision that the later policy applied might have bearing on the outcome.
Ernst & Young’s lawsuit also accuses Hiscox of bad faith and unfair trade practices, which could result in an award for more damages.
About the photo: The reception area for Ernst & Haas’ office in Long Beach, Calif. is shown in this office taken from the company’s website.