Regulatory/Law (WEB ONLY)
US Courts Offer Differing Interpretations of Cyberfraud Cases
In some ways, inconsistent law can be worse than bad law.
A prominent court recently addressed whether commercial crime insurance covers cyberfraud. The decision illustrates courts' confusion in this area. When it comes to cyberfraud, courts continue to give different answers to the same questions.
As I've previously written, the questions are easily remembered with the acronym “ACAI.”
Act: Is the “act” covered?
Causation: Were the act and injury linked by the “causation” that the policy required?
Authorization: Did the policyholder “authorize” the act in a way that bars coverage?
Injury: Did the claim involve a covered “injury”?
The decision was from the U.S. Court of Appeals for the 9th Circuit, Ernst & Haas Management Co. v. Hiscox Inc., No. 20-56212 (Jan. 26, 2022), and addressed two provisions in commercial crime policies: computer fraud and funds transfer fraud.
The claim involved a familiar scam. It was normal for the policyholder to instruct his clerk, by email, to pay people. One day, an imposter sent an email, posing as the boss, instructing the clerk to send money to the imposter. The clerk paid the money, and the policyholder lost a substantial sum.
Here, the coverage dispute turned on the first three questions in our four-part acronym: act, causation and authorization.
“Act,” as some courts have found, requires more than “using” a computer. It requires “hacking” a computer. In fact, the trial court here had followed the “hacking” view. But the 9th Circuit interpreted the coverage more broadly and rejected the hacking view. That it involved email fraud was enough.
“Causation” is an issue because this policy limited coverage to a loss “result[ing] directly from the use of a computer to fraudulently cause transfer.” Insurers' use of “directly” reinforces the concept that causation—a concept that has created confusion in American tort law for more than a century—is to be closely linked. “Direct” should mean just that, an immediate causal linkage. The trial court, like many other courts, found that an imposter emailing a clerk who contacts a bank that then issues money is not “direct.” But again, the 9th Circuit interpreted coverage to favor policyholders and rejected the narrow view of “direct.” The court found that the policyholder immediately lost their money upon transfer to the imposter. There was no intervening event; the clerk directly caused the loss by acting on the fraudulent instruction.
Finally, “authorization” was an issue because the insured's clerk told the bank to pay money. The clerk was fully authorized to initiate the transfer; there was nothing fraudulent about that instruction. But the 9th Circuit found that the key instruction was, instead, the imposter's instruction to the clerk, and that was fraudulent. It narrowly distinguished between initiating a wire transfer and authorizing payment. In the court's view, the clerk could not authorize payment herself. She was tricked into sending the wire instructions, but she was never properly authorized to do so.
We can draw two lessons from this case.
First, in this area, prominent courts answer the same questions differently. Judges, law professors, and other clever people may try to read these cases as being consistent. Nonsense. Courts take different approaches. And for insurers, in some ways, inconsistent law can be worse than bad law.
And second, ACAI is more than just a delicious brown berry; it's a helpful way to view the different court cases in this area.
Best’s Review contributor Alan Rutkin is a partner in the law firm Rivkin Radler LLP. He can be reached at alan.rutkin@rivkin.com.