The Ninth Circuit Court of Appeals delivered a policyholder insurance coverage win in a phishing case centered in Long Beach, California (home of our California office), in Ernst & Haas Mgt. Co. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022). The panel decision arrived January 26; on March 7, the Ninth Circuit declined rehearing en banc.
Background: A Phishing Email Results in an Unauthorized Funds Transfer
The facts tell a familiar story. An employee of Ernst & Haas, a property management company, responded to phishing emails sent by an attacker posing as her superior. The fraudster directed the employee to wire money to an outside organization. The employee did not recognize that the emails were fraudulent, and ultimately wired $200,000.
The company’s commercial crime insurer, Hiscox, denied coverage for the claim under two coverage parts: (1) the Computer Fraud coverage, which covers losses “resulting directly from the use of any computer to fraudulently cause a transfer of that property”; and (2) Funds Transfer Fraud coverage, which covers loss “resulting directly from a [Fraudulent Instruction] to transfer, pay or deliver money” from the policyholder’s bank. Fraudulent Instruction was defined as an “instruction initially received by [the policyholder] which purports to have been transmitted by an Employee but which was in fact fraudulently transmitted by someone else without ... the Employee’s knowledge or consent.” Hiscox took an extremely narrow view of the policy’s “direct” causation requirement, and maintained that the loss was not covered because it resulted from the employee’s decision to initiate the wire, and not “directly” from the fraudulent instruction.
The Ninth Circuit Finds Coverage Amidst Conflicting Case Law
The Ninth Circuit rejected this argument and found coverage under both coverage parts. First, the Court held that the loss resulted directly from the fraudulent emails, triggering coverage under the Computer Fraud provision. Second, the Court found that the conduct at issue fell within the Funds Transfer Fraud coverage because the transfer was initiated because of a fraudulent act by an unauthorized party.
In finding coverage, the Ninth Circuit rejected the district court and insurer’s reliance on an unpublished Ninth Circuit case involving an embezzlement scheme, pointing out the non-binding nature of the prior ruling and distinguishable factual context compared to an email fraud scheme. See Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x. 332 (9th Cir. 2016). Specifically, the Court pointed out that initiating a wire transfer in response to a fraudulent email is not the same as knowingly authorizing a payment, then stealing it. The Ninth Circuit also rejected the argument that Computer Fraud coverage was limited to a “hack” rather than a “phish” situation. Instead, in finding coverage, the Court relied on Sixth Circuit and Eleventh Circuit decisions interpreting similar policy language in Am. Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018) and Principle Sols. Group, LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019).
The Ninth Circuit decision in Ernst & Haas diverged from a Fifth Circuit decision just a few months earlier interpreting similar language in a commercial crime policy with AIG and an excess policy issued by Beazley: RealPage, Inc. v. Natl. Union Fire Ins. Co. of Pittsburgh, Pennsylvania, 21 F.4th 294 (5th Cir. 2021). RealPage is distinguishable because the insured there was a payment processing provider, so the Fifth Circuit held that the insured never “held” the funds that were stolen in a similar phishing scam, as required to trigger coverage. See also Taylor & Lieberman v. Fed. Ins. Co., 681 Fed. Appx. 627 (9th Cir. 2017) (unpublished) (finding no direct loss involving phishing scam when case involved a series of “remote circumstances” that led to loss and accounting firm was seeking reimbursement for client’s funds). By contrast, the funds transferred from Ernst & Haas were its own.
Other courts have reached different conclusions under similar language and facts. Compare Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016) (unpublished) (finding no direct loss where fraudulent emails were precipitated by phone calls that ultimately induced the policyholder to transfer money) with Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017) (distinguishing Apache and finding coverage where direct loss resulted from fraudulent emails and not phone calls).
These types of phishing and other cyber schemes are becoming ubiquitous, but cyber and commercial crime coverage is not. Because cyber and commercial crime coverage is not standardized, pitfalls are easy to miss. Here’s how to get the most out of your coverage:
- During underwriting and renewal periods, policy programs and policy terms should be scrutinized to ensure the coverage purchased meets the needs and risks of the insured. In RealPage, for example, if an experienced coverage attorney had reviewed the policy language at issue and identified the need for different coverage that would protect a payment processor that did not arguably “hold” client funds, the Fifth Circuit’s denial of coverage might have been avoided.
- Policyholders should read their policies once, then read them again. Because the third time’s the charm, have your coverage lawyer read them too.
- Minor semantic differences in policy language and distinguishable facts will determine the potential for coverage. Ernst & Haas affirms the principle that out-of-state cases implicating similar facts may be more persuasive to a court than in-state cases interpreting the same language under different facts. Ultimately though, a good argument will rely on in-state high court contractual interpretation principles as a guiding rule, even in the absence of controlling authority interpreting the language at issue.