No insurance coverage for being duped into paying criminalsReprints
A federal appeals court has overturned a lower court ruling and held that an oil production company is not entitled to coverage under the computer fraud provision of its crime policy in a case where it authorized payments of legitimate invoices from its vendor to criminals’ bank account.
In March 2013, an Apache Corp. employee in Scotland received a telephone call from a person identifying herself as a representative of London-based Petrofac Ltd., an Apache vendor, according to Monday’s ruling by the 5th U.S. Circuit Court of Appeals in New Orleans in Apache Corp. v. Great American Insurance Co.
The caller instructed Apache to change the bank account information for its payments to Petrofac. The Apache employee replied the request could not be processed without a formal request on Petrofac letterhead.
A week later, Houston-based Apache’s accounts payable department received an email from a “petrofacltd.com” address, although Petrofac’s authentic email domain name is “petrofact.com.” Attached was a signed letter on a fake Petrofac letterhead providing both old and new bank account information.
In response, an Apache employee called the phone number provided on the fake letterhead to verify the request, and a different employee then approved the bank account change. A week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account.
Within a month, though, Apache was notified by Petrofac it had not received about $7 million in payment. An investigation was launched and determined the criminals were likely based in Latvia. Although it was able to recoup a substantial portion of the funds, Apache contends it still suffered about a $2.4 million loss, according to the court ruling.
Apache submitted a claim to Cincinnati-based Great American seeking coverage under the computer fraud provision of its policy, which provided coverage for “the use of any computer to fraudulently cause a transfer” of property.
Great American denied coverage for the claim, stating the loss “did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”
The U.S. District Court in Houston held Apache had coverage under the policy in its ruling, which the three-judge appellate court panel unanimously overturned.
The “transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices,” said the ruling. “Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.”
“In sum … both the plain meaning of the policy language, as well as the uniform interpretations across jurisdictions, dictate Apache’s loss was not an occurrence under the computer-fraud provision,” said the 5th Circuit in vacating the lower court’s ruling.