5th Circuit Computer Fraud
No Coverage Because Fraudulent Email Inducing the Transfer of Funds Was Only Part of a Larger Scheme to Deceive Policyholder.
The Fifth Circuit, applying Texas law, held that a “Computer Fraud” provision did not cover the loss associated with Apache Corporation’s unwitting transfer of millions of dollars to an imposter vendor, even though the crime was based in part on Apache’s receipt of a fraudulent email containing the new bank account information provided by the criminal enterprise.
In March 2013, Apache, an oil production company, received a call from a person identifying herself as a representative of an Apache vendor, Petrofac. The caller instructed Apache to change the bank account information for its payments to Petrofac. Apache replied that the change request must be made on Petrofac’s letterhead. A week later, Apache received an email from a “petrofacltd.com” address created by the criminals. Petrofac’s authentic domain name is “petrofac.com.” The nefarious email attached a letter purportedly on Petrofac’s letterhead containing both the old and new bank account information. Apache called the telephone number provided on the letter to verify the request and concluded that the change request was authentic.
Shortly thereafter, Apache began transferring payments for Petrofac invoices to the new fraudulent bank account. Within a month, Petrofac contacted Apache claiming that it had not received payment for the invoices. An investigation revealed that Apache had transferred approximately $7 million to the fraudulent bank account. Apache was able to recover some of the funds, but ultimately lost approximately $3.4 million.
Apache submitted the claim to its insurer, Great American Insurance Company (“Great American”), seeking coverage under the “Computer Fraud” provision of a crime-protection insurance policy. The “Computer Fraud” provision states: “We will pay for loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises … to a person … or … to a place outside those premises.”
Great American claimed the loss was not covered because “the email did not ‘cause a transfer’ … and coverage under this provision is ‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use.’” Instead, Great American argued that the transfer of funds resulted from the telephone calls both before and after the email was sent.
Apache argued that the plain meaning of the computer fraud language covered the loss, and the language of the provision “says nothing about ‘hacking.’” Thus, according to Apache, “Apache needs to show only that ‘any computer was used to fraudulently cause the transfer of funds’” to obtain coverage.
The Fifth Circuit sided with Great American: “The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.” “[B]oth the plain meaning of the policy language, as well as the uniform interpretations across jurisdictions, dictate Apache’s loss was not a covered occurrence under the computer-fraud provision.” Apache Corp. v. Great Am. Ins. Co., No. 15-20499 (5th Cir. Oct. 18, 2016).