Reversal goes against Travelers in tool company's spoofing suitReprints
A federal appeals court has reversed a lower court ruling and held that a Travelers Cos. Inc. unit is obligated to indemnify a tool and die manufacturer that lost $834,000 in a spoofing scam.
Friday’s ruling by the 6th U.S. Circuit Court of Appeals in Cincinnati is the second appeals court ruling this month to rule an insurance policy covers a loss caused by spoofing emails.
In the latest case, the U.S. District Court in Ann Arbor, Michigan, had agreed last year with Hartford, Connecticut-based Travelers Casualty and Surety Co. of America that Grass Lake, Michigan-based American Tooling Center Inc. could not recover from its loss under its insurance policy’s computer fraud provision because it was not a “direct” loss “directly caused” by the use of any computer, according to the ruling in American Tooling Center Inc. v. Travelers Casualty and Surety Co. of America.
According to court papers in the case, on March 18, 2015, the vice president of American Tooling Center sent an email to one of the company’s vendors requesting copies of all outstanding invoices.
The vice president received emails purportedly from the vendor instructing ATC to send payment for several legitimate outstanding invoices to a new bank account, according to the ruling.
Without verifying the new banking instructions, ATC wire-transferred about $834,000 to a bank account that was not, in fact, controlled by the vendor.
But by the time the fraud was detected, the funds had been transferred, and the wire transfers could not be retracted. ATC eventually paid the vendor about half of the money lost, and agreed the remaining half would be contingent on the company’s insurance claim, according to the ruling.
ATC filed a claim with Travelers, which denied coverage on the basis the loss was not a “direct loss” that was “directly caused by the use of a computer” as required by the policy.
ATC filed suit seeking coverage. The district court agreed with the insurer. Intervening events “between ATC’s receipt of the fraudulent emails and the transfer of funds …. preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer,” said the ruling.
“There was no infiltration or ‘hacking’ of ATC’s computer system,” said the district court ruling. “The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails,” said the ruling, in granting Travelers summary judgment dismissing the case.
A unanimous three-judge appeals court panel overturned that ruling. “Despite Travelers’ argument to the contrary…the fact that ATC contractually owed that money to (the vendor) and the two parties later agreed to spread the loss between them has no bearing on whether this loss was directly suffered by ATC,” the ruling said.
There was computer fraud here, said the ruling. The “impersonator sent ATC fraudulent emails using a computer,” which caused the company to transfer the money to the impersonator, it said.
The policy definition “does not require, as Travelers argues, that the fraud ‘cause any computer to do anything,’” said the ruling, which said also that ATC has met its burden of showing it had suffered a direct loss “because the computer fraud was an immediate cause of its loss.”
The ruling also held that three policy exclusions, which had not been considered by the district court, were inapplicable.
The case was remanded for further proceedings.
Earlier this month, the 2nd U.S. Circuit Court of Appeals in New York upheld a lower court ruling that said a Chubb Ltd. unit is obligated to provide coverage to a cloud-based services firm that lost $4.8 million because of spoof emails.