Court Rules Computer Fraud Insurance Policy Inapplicable to Most Common Form of Computer-Related Fraud
A federal appeals court has issued a ruling that is bad news for businesses victimized by computer fraud scams. The ruling renders computer fraud coverage virtually worthless in relation to the most common form of computer-related fraud. Although the ruling was issued under Texas law, it may signal a growing trend. The ruling underscores the importance of thorough investigation before making any payment that presents even a hint of irregularity.
The case, Apache Corporation v. Great American Insurance Company, arose from the sort of email scam we read about with growing frequency. In this instance, Latvia-based crooks targeted Apache Corporation, a sophisticated public company with annual revenues exceeding $6 billion. An email the fraudsters sent to Apache’s accounts-payable department appeared to come from a regular vendor, although the email domain name was modified slightly. The fraudulent email informed Apache that the “vendor” had changed banks, and future invoices should be sent to the new account. Attached to the email was a letter that appeared in all respects to have come from the actual vendor. The letter contained all necessary details regarding the old and new bank accounts. An Apache employee telephoned the number on the letterhead, and the “vendor” confirmed the change. Of course, like the email address, the telephone number belonged to the crooks. Apache later received legitimate invoices from the actual vendor, and wired about $7 million to the new account.
Upon discovering the fraud, Apache asked its insurer to cover the loss under the “computer fraud” section of its crime insurance policy. The policy covers losses “resulting directly from the use of any computer to fraudulently cause a transfer” of money. Seems clear enough, but the insurance company denied the claim on the ground that the loss “did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”
Apache sued the insurer, and the trial court granted summary judgment in Apache’s favor. However, the court of appeals sided with the insurer and vacated the judgment. Although the court of appeals conceded the crucial role of computer fraud in the loss, it nonetheless ruled that the policy provided no coverage. The court found that the “reason” Apache sent funds to the crooks’ bank account was not the email that fraudulently instructed Apache to use the account, but rather the invoices from its actual vendor. Notably, the court of appeals pointed out that a more careful investigation by Apache before sending the funds would have prevented the loss, suggesting that coverage may somehow depend on the insured’s vigilance. However, the insurance policy said nothing of the sort, and it is the inherent nature of fraud that the victim is duped into taking action.
The court of appeals’ decision teaches a couple of lessons. First, a computer fraud insurance policy providing coverage only where the loss is caused “directly” by the use of a computer may offer no coverage for the most common form of computer-related fraud. Second, businesses must investigate carefully before sending money under circumstances that appear abnormal in the slightest.