Phishing for Computer Fraud Insurance Coverage

Publication year: 2020

Stephen Swanson

Georgia State University College of Law, sswanson12@student.gsu.edu

[Page 407]

PHISHING FOR COMPUTER FRAUD INSURANCE COVERAGE


Stephen Swanson*


Introduction

"Insurance is the only product that both the seller and buyer hope is never actually used."1 This quotation certainly has merit, but the proliferation of technology in recent decades and the associated risks to sensitive business data are making insurance coverage claims a necessity as cyber threats continue to rise.2 Cyber threats involve "persons who attempt unauthorized access to a [computer] system device and/or network using a data communications pathway[, and] [t]his access can be directed from within an organization by trusted users or from remote locations by unknown persons using the [i]nternet."3 Cyber threats originate from many sources,4 but in the insurance litigation arena, courts across the country are struggling to interpret the proper coverage for monetary business losses pursuant to phishing attacks.5

[Page 408]

Generally, phishing entails "attempt[s] by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques [that] are crafted to appear as if they have been sent from a legitimate organization or known individual."6 Phishing attacks proceed quickly with minimal exposure to the cybercriminal.7 For example, France-based Etna Industrie was targeted when the company president contacted its accountant regarding a "very confidential" acquisition of a company in Cyprus.8 The president instructed that a lawyer supporting the transaction would make contact with details of where to wire the funds for the purchase.9 Within one hour, and after about ten urgent emails and several phone calls, the accountant had wired €500,000 to foreign bank accounts.10 While the accountant seemingly acted in accordance with the business's needs, the president's communication, the external lawyer, and the confidential transaction were actually all a fraudulent phishing attack aimed at rapidly excising funds from Etna Industrie with little or no paper trail.11

Following a successful phishing attack, businesses seek to recoup these losses and turn to their cyber insurance policy or the computer fraud provision of their crime insurance policy.12 Oftentimes,

[Page 409]

however, the insurer denies coverage under the latter provision, and litigation ensues.13 Courts faced with this insurance coverage issue are split on whether phishing attacks result in a direct loss of money that should be covered under a computer fraud provision of a crime insurance policy.14 The Fifth and Ninth Circuits side with the insurers in denying coverage under similar computer fraud provisions.15 The Second and Sixth Circuits have found direct losses and sustain coverage in favor of the insureds, whereas the Eleventh Circuit is divided.16

Accordingly, the following note discusses the disparity between the federal circuit courts regarding the proper insurance coverage for phishing-type attacks. Part I examines the cyber threats companies face when handling sensitive transactions and customer data, as well as the coverage gap between traditional crime insurance policies and the targeted cyber insurance policies that help prevent, detect, and ultimately mitigate the damages resulting from a cybersecurity breach.17 Part II analyzes the current circuit split and the various

[Page 410]

contract interpretation strategies, policy considerations, and tests employed in reaching a coverage decision. Part III proposes a resolution to the overarching circuit split that will provide more clarity and predictability to victims of phishing attacks and the insurance companies they employ.

I. Background

Scams and schemes are not new phenomena in human history.18 They have traditionally varied in sophistication,19 but the rise of cyber threats in recent years is so pervasive that the public likely has already "been hacked" or they just "don't [yet] know [that] they've been hacked."20 The insurance market responded to these threats in 1997 with its first iteration of cyber insurance policies.21 Initially covering only third-party liability, insurers soon realized that a significant amount of data breaches originated from within companies, so the policies expanded in kind to include first-party liability coverage to the affected company.22 Further developments in

[Page 411]

the cyber insurance arena seemingly came about in response to evolving cyber threats and businesses looking to be made whole for revenue interruption, digital investigations, and public relations expenses.23 Still, businesses struggle "to stay ahead of criminals and stop old cat and mouse games" in an age when information security is increasingly vulnerable.24 Targeted cyber threats, coupled with limited options for business recovery, have created a gap that courts nationwide are grappling to fill.

A. Cyber Threats

The social engineering attack is prominent among the cyber threats facing businesses.25 This involves "manipulat[ing] . . . a victim's understanding of a transaction . . . so that they unwittingly . . . provide the thief with funds or information."26 Under the social engineering umbrella, group and spear phishing attacks target businesses with demonstrated success.27

[Page 412]

1. Business Email Compromise

Business Email Compromise (BEC) is a type of spear phishing attack where scammers target businesses that routinely send large sums of money via wire transfer.28 Between October 2013 and December 2016, the Federal Bureau of Investigation reported BEC losses nearing $1.6 billion.29 The scam proceeds when a company employee, usually in the accounting or finance department, is contacted by a third party posing as a high-ranking company executive or trusted external vendor who requests a monetary wire transfer to a new or slightly-different-than-normal bank account.30 The employee completes the transfer, and the company later discovers that the internal executive or external vendor never requested the transaction.31 All, or part, of the transferred funds are typically unrecoverable from the third-party scammer, and the company immediately looks to recover those losses.32

[Page 413]

B. Coverage Options

Apart from absorbing the loss, phished companies have limited avenues to recover the fraudulently transferred funds.33 They may look to the involved parties or even to the bank that facilitated the transfer. If this fails, a claim may be tendered under a relevant business insurance policy.

1. Between Parties

The involved parties may seek to recover the losses as between themselves. In Bile v. RREMC, LLC, a $63,000 employment discrimination settlement agreement was erroneously transmitted to a third party posing as the plaintiff's counsel.34 Unable to retrieve the wire transfer, the payee refused to dismiss the employment discrimination action until the payor initiated a second $63,000 payment.35 The payor refused as well, and both parties sought resolution in the United States District Court for the Eastern District of Virginia as per the settlement agreement's venue stipulation.36 Though the court ultimately held that no duplicate payment was due because the plaintiff's counsel failed to warn the opposing parties of a known fraudulent email issue,37 the court interpreted common law contract principles and Uniform Commercial Code Article 3 provisions to form the rule that "if a person has an obligation to deliver a check, and does not deliver that check due to that person's own error, then that person remains liable on the underlying obligation."38 Consequently, the risk of loss remains with the payor

[Page 414]

in the context of hacked settlement agreements. The payor is also unable to recover lost funds from the bank involved in a fraudulent transfer.

2. Financial Institutions

The Uniform Commercial Code generally allocates the risk of loss to banks that honored requests for fraudulent wire transfers.39 Yet, banks oftentimes are not bound to reinstate lost funds when the "bank and its customer agree to implement a security procedure designed to protect themselves against fraud."40 The risk of loss will shift to the customer, that is, the party whose funds were fraudulently transferred, when "the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure."41 With yet another recovery mechanism closed, companies look to their individual insurance policies for repayment of the lost funds.

3. Cyber Insurance and Crime Insurance Policies

One source of insurance coverage may be a cyber risk policy, though many U.S. businesses have not yet subscribed.42 For those that have, a typical cyber insurance policy may not cover "losses . . . where companies have funds, data, or intellectual property stolen by computer hackers."43 Instead, cyber policies tend

[Page 415]

to focus on "provid[ing] . . . [consulting] resources to mitigate cyberfraud [sic]."44 Without a cyber policy specifically covering losses from computer or funds transfer fraud, phished companies must tender a claim under a more traditional insurance policy.45 Though a crime insurance policy may seem like a logical source of coverage after a phishing attack, the prevailing case law demonstrates that courts differ on the interpretation of such provisions.46

II. Analysis

Federal circuit courts nationwide interpret crime insurance policies differently.47 The Fifth and Ninth Circuits align with traditional contract interpretation strategies or policy considerations to deny the insured's claim for coverage.48 The Second and Sixth Circuits focus on the technical accomplishment of a phishing attack, apply that process to the policy language in question, and ultimately rule in favor of the insured.49...