In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, the U.S. District Court for the Eastern District of Michigan recently ruled that a tool and die manufacturer’s $800,000 loss was not covered under the “Computer Fraud” coverage of its Travelers commercial crime policy. The insured manufacturer had authorized payment to a foreign bank account in response to fraudulent emails appearing to have been sent from one of its vendors. Because that vendor had, in fact, previously issued valid invoices based on the achievement of certain production milestones, the email scam was successful. But Travelers denied coverage of the manufacturer’s claim, contending the $800,000 payment was not a covered loss under the policy. U.S. District Judge John Corbett O’Meara agreed.
The coverage in question provided that Travelers would “pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The term “Computer Fraud,” in turn, was defined as “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property . . . .” Judge O’Meara ruled that the insured manufacturer had not suffered a “direct” loss “directly caused” by the use of any computer. Instead, the court held that the manufacturer’s verification of production milestones, authorization of the transfers, and initiation of the transfers without verifying bank account information constituted “intervening events” between receipt of the fraudulent emails and the transfer of funds, such that the loss was not “directly caused” by the fraudulent emails.
The decision in American Tooling Center begs the question of whether any loss arising out of a socially engineered email scheme will be covered as “Computer Fraud” under a commercial crime policy. If failing to verify the validity of the transferee’s bank account information truly constitutes an “intervening event” precluding a finding of direct loss, then the answer appears to be no. Other courts have reached similar conclusions when evaluating the “directly caused” language in the context of coverage for email scams, although some, including the Northern District of Georgia’s decision in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., have found coverage despite the existence of intervening employee actions.
American Tooling Center is currently on appeal before the U.S. Court of Appeals for the Sixth Circuit. Regardless of the Sixth Circuit’s decision, however, American Tooling Center and decisions like it should compel policyholders to closely scrutinize their existing cyber and commercial crime policies to ensure they have adequate coverage for loss caused by email scams.