Last week, the U.S. Court of Appeals for the Fifth Circuit narrowed the conduct covered under an insurance policy’s computer fraud provision by vacating the judgment in favor of the insured, Apache Corp., and rendering judgment for the insurer, Great American Insurance Company, in Apache Corp. v. Great Am. Insur. Co., No. 15-20499 (S.D. Tex. Oct. 18, 2016).
Apache Corp. is an oil-production company headquartered in Houston, Texas. In March 2013, during the coverage period of Apache’s insurance policy with Great American Insurance Company (GAIC), an individual identifying herself as a representative of Petrofac, a vendor of Apache, called an Apache employee and requested that Apache change the bank account information for Petrofac. The Apache employee stated that the requested change could not be implemented without a formal request on Petrofac letterhead.
A week later, Apache’s accounts-payable department received an email with a “petrofacltd.com” address. Petrofac’s actual email address was “petrofac.com.” The email stated that Petrofac’s account information had changed and that all future payments were to be made into the new account. A signed letter on Petrofac letterhead providing the new bank account information with instructions to use the new account immediately was attached to the email. An Apache employee called the telephone number on the Petrofac letterhead to verify the request and concluded that the requested change was authentic. Another Apache employee approved and implemented the change. A week later, Apache began transferring funds to the new account for payment of Petrofac’s invoices.
Petrofac soon notified Apache that it had not received the approximately $7 million payment that Apache had transferred to the new (fraudulent) account. After an investigation determined that the criminals involved in the fraudulent scheme were likely based in Latvia, Apache recovered a portion of the transferred funds. However, Apache still suffered a loss of $2.4 million.
Apache submitted a claim for the loss to GAIC under the computer fraud provision of Apache’s insurance policy with GAIC, which stated:
We will pay for loss of, and loss from damage to, money securities and other property resulting from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:a. to a person (other than a messenger) outside those premises; or
b. to a place outside those premises.
GAIC denied Apache’s claim, stating that the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”
In January 2014, Apache filed suit in Texas state court against GAIC. The district court granted summary judgment in favor of Apache, finding that the “intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email as being a ‘substantial factor [in the fraudulent transfer of funds].’”
The Fifth Circuit reversed the grant of summary judgment in favor of Apache and rendered judgment for GAIC. The Fifth Circuit began by examining the Ninth Circuit’s decision in Pestmaster Servs., Inc. Travelers Cas. & Sur. Co. of Am., No. 14-56294 (9th Cir. July 29, 2016). In Pestmaster, a contractor who had been hired to withhold and submit payments for an insured’s payroll taxes instead used the insured’s funds to pay her own expenses. The insurer denied the insured’s claim under the computer fraud provision of the insurance policy, which defined computer fraud as “[t]he use of any computer to fraudulently cause a transfer[.]” The Ninth Circuit affirmed the grant of summary judgment in favor of the insurer, finding that “[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Pestmaster, No. 14-56294, at 2.
Turning to the facts of the case, the Fifth Circuit observed that the “computer use” at issue in the case was the email to Apache with the new account information, instructions to change accounts, and the attached fraudulent letter on Petrofac letterhead. Once the email was received, the court noted, Apache verified the requested change by calling the phone number in the fraudulent Petrofac letter and not the pre-existing contact information used in past communications. Only after receiving this confirmation from the criminals did Apache change the account information and transfer funds to the fraudulent account to pay legitimate Petrofac invoices. The court found that “[t]he email was part of scheme; but the email was merely incidental to the occurrence of the authorized transfer” and “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would… convert the computer-fraud provision to one for general fraud.” Apache, No. 15-20499, at 12 (citing Pestmaster). The Fifth Circuit remarked: “[F]ew-if any-fraudulent schemes would not involve some form of computer-facilitated communication” and the fraudulent email “was but one step in Apache’s multi-step, but flawed process that ended in its making required and authorized, very large invoice payments, but to a fraudulent bank account.” Id.
The Apache decision has significant consequences for the coverage of claims under the computer fraud provisions of insurance policies. Along with Pestmaster, it substantially narrows the type of fraudulent conduct covered by such provisions. The unauthorized transfer of funds caused by computer hacking would presumably continue to be covered under the computer fraud provisions in insurance policies. However, transfers of funds where the use of a computer is only incidental in the fraudulent scheme would likely not be. For example, as in the Apache case, if a computer was used only to send an electronic communication as part of a larger scheme, a court would likely uphold the denial of the claim under the computer fraud provision in an insurance policy. In light of the Apache decision, companies should review their existing insurance policies to determine if there are other provisions which may provide coverage for the types of losses caused by fraudulent schemes not otherwise covered by computer fraud provisions.1
1 The Apache decision also provides a helpful suggestion for companies. When individuals purporting to be representatives of third party business partners or vendors contact companies seeking to make changes to pre-existing payment instructions, companies should verify those changes with the partners and vendors using the contact information already in their possession, and not with any newly provided contact information.