Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe


Vol. 8 - Issue 5
May 31, 2019


Just In: Insurer's Unique Approach To E-Mail Spoofing Under Computer Fraud Coverage


Just as this issue of Coverage Opinions was going to print, a Washington federal court decided Tidewater Holdings v. Westchester Fire Ins. Co., No. C18-6006 (W.D. Wash. May 31, 2019).  There's no time to analyze it in any detail.  But it was worth getting it into this issue – even if as a brief mention. 
The Tidewater court addressed coverage, for an e-mail spoofing claim, under a policy that included Computer Fraud coverage.  This has been a widely discussed topic of late, as losses from spoofing schemes have become prevalent.  The issue got a lot of attention in coverage circles last year when two federal courts of appeal, just days apart, handed policyholders wins in their pursuits of coverage: Medidata Solutions, Inc. v. Federal Ins. Co. (2d Cir.) and American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am. (6th Cir.).
The facts in Tidewater are these: "On November 16, 2017, a Tidewater accounts payable clerk received a computer generated external email from an impostor instructing the clerk to alter the payment details Tidewater held on file for JH Kelly, a general contractor for Tidewater.  In response to the email, Tidewater's clerk changed the payment details for JH Kelly in Tidewater's computer system.  This resulted in four subsequent payments to the imposter's bank account instead of JH Kelly's account totaling $568,448.92. . . . Tidewater was able to recover $288,388.91 of the fraudulently diverted funds."
For various reasons, the insurer argued that no coverage was owed under "Computer Fraud coverage," which provided as follows: "The Insurer will pay for loss of or damage to Money, Securities and Other Property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the Premises or Banking Premises: a) To a person (other than a Messenger) outside those Premises; or b) To a place outside those Premises."
The court rejected some of the insurer's arguments.  However, it ultimately held that no coverage was owed, under the Computer Fraud section, for a simple reason.  The policy contained an exclusion as follows: "With respect to all Insuring Clauses other than the Supplemental Funds Transfer Insuring Clause, the Insurer shall not be liable for any loss resulting from any Fraudulent Transfer Request."  The policy defined "Fraudulent Transfer Request" as "the intentional misleading of an Employee, through a misrepresentation of a material fact which is relied upon by an Employee, sent via an email, text, instant message, social media related communication, or any other electronic telegraphic, cable, teletype, telefacsimile, telephone or written instruction, regardless of whether such misrepresentation is part of a phishing, spearphishing, social engineering, pretexting, diversion, or other confidence scheme."  [The policy provided some coverage for a Fraudulent Transfer Request.  That's a different story.]
Policyholders are fond of saying that, if an insurer did not want to cover something, it could have written an exclusion into the policy.



Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved