As an update to our March 8, 2022 blog post discussing coverage for phishing scams in the context of Ernst & Haas Mgt. Co. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a new Alaska case relied on Ernst & Haas to find coverage under a similar set of facts. See City of Unalaska v. Natl. Union Fire Ins. Co., 3:21-CV-00096-SLG, 2022 WL 826501, at *1 (D. Alaska Mar. 18, 2022).
Background: Different Insurer, Same Story
As a reminder, in Ernst & Haas, a property management company was defrauded when a fraudulent attacker posing as a superior directed an employee to wire money to an outside organization. City of Unalaska involves similar facts. There, another fraudster pretending to be a City vendor tricked an accounts payable employee into changing the purported vendor’s bank account for receiving ACH transfers. Ultimately, nearly $3 million was transferred to the fraudulent bank account before the City discovered the fraud. After recovering most of the lost funds, the City sought coverage for the remainder.
Similar to Ernst & Hass, the insurer here, National Union, denied coverage under the Policy’s Computer Fraud Insuring Agreement. With language nearly identical to that in the policy in Ernst & Hass, the Insuring Agreement applied to the “loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property” to a person outside of the premises.
Taking a narrow view of the language, National Union argued that the Computer Fraud coverage applied only to computer hacking, such as the “introduction of malicious computer code,” and that the computer was not the “direct cause” of the loss because numerous intervening communications and actions between the fraudster and City employees took place to implement the ACH transfers.
The Alaska Court Cites Ernst & Haas to Affirm Coverage
As in Ernst & Haas, the Alaska court found that the conduct at issue fell directly within coverage, although it reached the conclusion from a different vantage point. While the Ninth Circuit in Ernst & Haas relied on the Policy’s plain language to find coverage under California law, the Alaska court applied Alaska law, which considers whether a “reasonable insured would expect coverage.” Under that interpretive framework, the court reasoned that National Union’s proposed interpretation of the Insuring Agreement was too narrow. The court pointed out that “a reasonable layperson would consider the phrase ‘use of a computer’ to encompass a broad range of activities, including sending emails,” and not just computer hacking.
The court also rejected the insurer’s argument that the phrase “resulting directly from the use of any computer” required proof of “more than proximate causation for coverage.” Applying a proximate cause analysis, the court found that the City’s unwitting actions in facilitating the funds transfer were all foreseeable parts of the causal chain that derived from the fraudulent phishing email.
In addition to Ernst & Haas, the Alaska court found the similar facts, policy language, and analysis in a Sixth Circuit case persuasive. See Am. Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am., 895 F.3d 455, 461 (6th Cir. 2018) (finding coverage for loss of funds directed by insured but arising from phishing emails). In each case, the courts distinguished an unpublished Ninth Circuit case finding no coverage for an embezzlement scheme. See Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x. 332 (9th Cir. 2016). Explaining the distinction, the Alaska court asserted that in Pestmaster, “the fraudulent action was the embezzlement of funds after the funds were properly authorized for payment, whereas the insured’s loss in Ernst & Haas was due to transferring funds based on a fraudulent email authorization.”
The Alaska court concluded its analysis by pointing out two issues that policyholders would be wise to bear in mind when obtaining or renewing cyber or crime coverage:
- Several published decisions have concluded that the same or similar Computer Fraud Insuring Agreements apply to phishing losses. Because policies with this language have been enforced by courts, it may be beneficial to ensure similar language is included in your policy.
- Different policy language or factual situations may compel different results. Always consider the unique risks faced by your company when procuring insurance to ensure the best fit and avoid coverage gaps.