Earlier this week, I published a post noting the challenges policyholders can face in establishing coverage under traditional crime and cyber liability insurance policies for losses arising from “payment instruction fraud” (sometimes called “social engineering fraud). I also discussed the recent availability of sublimited coverage extensions for these kinds of losses. In response to my earlier post, several readers sent me messages noting that several courts have, in fact, found coverage under commercial crime policies for payment instruction fraud losses. As if to prove their point, the same day as I published my post, the 11th Circuit issued an opinion affirming a district court ruling that a firm’s payment instruction fraud losses are covered under the “fraudulent instruction” provisions of the applicable commercial crime policy.  The 11th Circuit’s December 9, 2019 opinion can be found here.

 

Background

This insurance coverage dispute involves $1.7 million loss the insured, Principle Solutions Group, incurred after an employee of the firm received an email imposter posing as a company employee.

 

On July 8, 2015, the company’s controller received an email that purported to be from a managing director of the firm. The email advised that the managing director was working on a “key acquisition” and that he needed the controller to wire funds “as soon as possible,” pursuant to wire transfer instructions she would receive from an attorney (Mark Leach). The email advised that the transaction was not public so the matter should be treated with “utmost discretion” and the controller should “deal solely” with Leach.

 

The controller then received an email purporting to be from Leach, who claimed to be a partner in a London based law firm. Leach sent the controller the remittance details for a bank in China. The controller transmitted the transfer instructions to the company’s bank. The bank’s fraud protection department then contacted the controller advising her that it was holding the funds and encouraging her to verify that the wire transfer was legitimate. The controller contacted Leach, who confirmed that the company’s managing director had authorized the transaction. The controller relayed the confirmation to the bank. The bank transferred the funds.

 

The next day, when the controller spoke to the managing director that she thought had authorized the funds, the controller discovered that the transfer was a fraud. The company reported the fraud to the authorities but was unable to recover the funds.

 

The Coverage Dispute

The company reported the loss to its crime insurer. The policy’s Computer and Funds Transfer Fraud section included a “payment instruction fraud” provision, which covers “loss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.”

 

The insurer denied coverage for the loss because the initial bogus email purporting to be from the managing director did not “direct a financial institution to debit” the account (because it only told the controller to communicate with Leach) and also because the loss did not “result directly from” a fraudulent instruction, as Leach conveyed the necessary details to the controller after the initial email, and also because Wells Fargo held the funds awaiting verification, before the transfer went through.

 

Principle sued the insurer seeking payment under the policy and alleging bad faith. The parties filed cross-motions for summary judgment. The district court judge granted summary judgment for Principle on the breach of contract claim, finding that the relevant policy provision was ambiguous and applied Georgia insurance construction principles to find in favor of the policyholder. The district court granted the insurer’s summary judgment motion on the bad faith claim. The insurer appealed the district court’s ruling on the breach of contract claim.

 

The December 9, 2019 Opinion

In a December 9, 2019 opinion, written by Judge William H. Pryor, Jr. for a 2-1 majority (Judge Gerald Tjoflat dissenting), the 11th Circuit affirmed the district court’s ruling.

 

In trying to argue that the requirements of the “fraudulent instruction” provision were not satisfied, the insurer had contended that the initial bogus email purporting to be from a Principle employee did not itself “direct” a bank to transfer the funds, and that in fact the separate email purporting to be from Leach actually had the wire transfer instructions.

 

In rejecting this argument, the appellate court said that “nothing in the policy language warrants the assumption that the two emails could not be part of the same fraudulent instruction.” Indeed, the court said, “reading the emails together leaves no doubt that they were part of the same fraudulent instruction.” Viewing the emails together, the sole purpose of Leach’s email was to provide details to effectuate an explicit instruction to make a wire transfer. So “the fraudulent instruction from the scammer purporting to be [the managing director] unambiguously falls within the coverage provision.”

 

The insurer also argued that Principle’s losses did not result “directly” from the fraudulent instruction, because the word “directly” requires an “immediate” link. Because the fraudulent transfer depended on conversations with Leach and with Wells Fargo, no immediate link existed.

 

The appellate court “disagreed” with the insurer’s interpretation of the “directly” requirement. The court said that under Georgia law the “resulting directly from” provision required only “proximate causation” between a covered event and a loss, not an “immediate link,” as the insurer had argued. The proximate causation requirement, the court said, encompasses “all of the natural and probable consequences” of an action, “unless there is a sufficient and independent intervening cause.”

 

The appellate court said that neither the subsequent communications with Leach nor Wells Fargo’s imposition of a transfer hold awaiting verification “sever the causal chain” – both, the appellate court said, “were foreseeable consequences of the email.”

 

The appellate court rejected the dissent’s contention (noted below) that various events between the initial email and the actual funds transfer broke the causal chain. The majority also rejected the dissent’s contention that the proximate causation question was an issue for a jury to decide, noting that under Georgia law, proximate causation can be decided as a matter of law “where the evidence is clear and leads to only one reasonable conclusion,” adding that because “no unforeseeable cause intervened between [the first email] and Principle’s loss,” the evidence leads to only one reasonable conclusion on the proximate causation issue.

 

In his dissenting opinion, Judge Tjoflat disagreed with the majority’s conclusion. First, he stated that he believed the fraudulent instruction coverage provision was ambiguous, in the sense that it is not clear what is required in order for a fraudulent to “direct” a financial institution to transfer funds. Second, he said that he felt the question of whether or not the fraudulent instruction proximately caused the transfer of funds was a question for a jury to decide, rather than for an issue to be decided as a matter of law. In support of this position, he cited a list of 11 events after the controller first received the email and before the funds were actually transferred based upon which a jury might conclude that the causal connection between the email and the transfer were broken.

 

Discussion

The net effect of the appellate court’s decision is that the district court’s conclusion that the policy covers the company’s loss is affirmed. However, the appellate court’s decision arguably is even stronger in the policyholder’s favor than was the district court’s ruling.

 

The district court had interpreted the relevant coverage provisions to be ambiguous, and concluded that the provisions nevertheless covered the policyholder’s loss by operation of the Georgia insurance contract construction principle that requires policies to be construed in the policyholder’s favor. The appellate court’s conclusion, by contrast, does not depend on a finding of ambiguity and on the application of the rules of construction. The appellate court found that the policy provisions unambiguously applied to cover the policyholder’s loss.

 

The outcome of this case is then a great win for the policyholder, and arguably for policyholders generally. However, in thinking about the larger implications of this decision, there are some important things to keep in mind.

 

First and foremost, this coverage dispute depends on the courts’ interpretation of a “fraudulent instruction” provision in the Computer and Funds Transfer Fraud section of the crime policy at issue. Many of the other published cases involving disputes in which policyholders sought to have their crime policies reimburse them for payment instruction fraud losses have involved policies whose Computer Fraud sections that do not have this same “fraudulent instruction” provision.

 

Whether the 11th Circuit’s decision in this case will be helpful to other policyholders seeking coverage under their crime policies for payment instruction fraud losses will depend on whether their policy has the “fraudulent instruction” coverage provision similar to the one at issue here. If the policyholder’s crime policy does not have a similar “fraudulent instruction” provision, the 11th Circuit’s decision here is going to be of less usefulness.

 

Another consideration may affect the ability of other policyholders seeking to rely on this decision. This additional consideration has to do with the fact that the court here interpreted the policy according to the law of Georgia.

 

This made a difference because, applying Georgia law, the court interpreted the “direct” causation requirement to require only “proximate causation”;  under the law of some other jurisdictions, a court might conclude that “direct” means, well, direct – as in, immediately linked, as the insurer tried to argue here. A court’s application of a “direct” causation test rather than a “proximate” causation might reach a different conclusion about whether the circumstances here satisfied the “direct” connection requirement in the coverage provision.

 

An even more general observation about this case – and about the cases addressing insurance coverage for payment instruction fraud generally – is that the outcome of this case and of the other cases is very much a reflection of the facts and of the specific policy language at issue.

 

If you were to survey the various cases out there on this issue, you would find a variety of outcomes. In some cases, the courts have found coverage for these kinds of losses under crime policies, and in other cases the courts have concluded that a loss of this kind is not covered under the policy.

 

The variation in these decisions is very much a reflection of two factors: the differences in the circumstances of what actually happened in connection with the payment instruction fraud; and the differences in policy wording at issue. Because of these important variables, I think it is very important to guard against over-generalizing about the significance of the outcome of any one case. Whether or not there is going to be coverage in the next case is going to depend on what happened and on what the policy at issue says.

 

All of that said, the 11th Circuit’s decision in this case should hearten other policyholders seeking coverage for payment instruction fraud losses. The decision certainly weighs against anyone trying to argue as a blanket matter that there is no coverage under crime policies for payment instruction fraud losses.

 

Even if there may be coverage for these kinds of losses, the best risk mitigation approach for companies worried about the possibility of payment instruction losses is going to be for the companies to adopt strong financial controls.

 

In that regard, it is worth taking the time to read the dissenting opinion here. Judge Tjoflat recounts the specifics of happened here, and it is pretty clear that the controller who got ensnared by this scam basically drove right through a number of stop signs. This case shows how human error can circumvent controls. So education and training and the requirement of multiple approval levels will also be an important part of the efforts of any company trying to seek to avoid these kinds of losses.

 

Special thanks to the several loyal readers who sent me a copy of the 11th Circuit’s opinion.