Where an insured’s employee followed an email from a fraudster posing as a vendor to change the electronic payment instructions to an account controlled by the fraudster, coverage was denied under the funds transfer fraud coverage in a crime policy because the payment instructions to the bank were issued by the insured with its employee’s consent and not by the third party fraudster.
The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413, per Fraser, J.
FACTS AND ISSUES
In August 2010, an individual called the Brick’s accounts payable department, stating that he was a new employee calling from Toshiba and that he was missing some payment details. Upon receipt of the call, the Brick employee faxed payment documentation to a number provided by the caller.
On August 20, 2010, a different individual in the Brick’s accounts payable department received an email allegedly from the controller of Toshiba, using the email address firstname.lastname@example.org. The alleged Toshiba employee stated that Toshiba had changed banks and that from now on all payments should be made to the new RBC account. The email provided the necessary information to transfer money into that account. On August 24, 2010, someone called the Brick’s accounts payable department and spoke to the same Brick employee who had received the August 20 email. The caller wanted to confirm the transfer of banking information.
The Brick employee changed the bank information for Toshiba in the Brick’s payment system, updating it with the new banking account information. The employee followed the Brick’s standard practice on changing account information. No one from the Brick took any independent steps to verify the change in bank accounts, nor did anyone contact Toshiba.
As a result of this, the Brick directed payment on ten Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a net loss of $224,475.
The Brick submitted a claim to Chubb under the funds transfer fraud coverage in the crime prevention policy it had issued to the Brick. The policy defined “funds transfer fraud” as follows:
Funds transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.
Chubb denied the claim on March 15, 2012, on the basis that the Brick’s instructions to its own bank had emanated from an authorized employee of the Brick, and that the instructions were not themselves fraudulent.
The issue was whether the Chubb policy covered social engineering fraud.
HELD: For the defendant insurer; claim dismissed.
1. The Court referred to previous Supreme Court case law where the Supreme Court had held that in relation to insurance policies, there is a two-step interpretation procedure (Consolidated-Bathurst Export Ltd. v Mutual Boiler and Machinery Insurance Co.  1 S.C.R. 888; B. Billingsley, General Principles of Canadian Insurance Law, 2nd ed. (LexisNexis Canada Inc., 2014) at 146):
a. Interpretation of the intention of the parties; and
b. Resolution of any ambiguities that exist.
2. The court held that when looking at the intention of the parties, the following principles will apply (B. Billingsley, General Principles of Canadian Insurance Law, 2nd ed. (LexisNexis Canada Inc., 2014) at 146):
a. Undefined contract terms should be given their “plain, ordinary and popular” meaning;
b. Clearly worded terms should be given full effect of the contract read as a whole;
c. An undefined word with two meanings should be assigned a meaning which “is more reasonable in promoting the intention of the parties”; and
d. The objective of the contract should not be negated by a technical definition or by an interpretation “which will result in either a windfall to the insurer or an unanticipated recovery to the insured”.
3. With respect to ambiguities in the policy, the Court held that if, after applying the above principles, “a conflict exists between two reasonable but differing interpretations of the policy” the court may resort to principles of interpretation which assist the courts in resolving contractual ambiguities, including:
a. the contra proferentem rule;
b. the broad interpretation of coverage clauses and the narrow interpretation of exclusion clauses;
c. the fulfilment of the reasonable expectations of the parties so as to avoid an unrealistic result; and
d. the continuity or consistency of judicial interpretation.
4. Fraser, J. held that the Brick was not entitled to recover its loss from Chubb due to the limitations and language of the policy.
a. The Court held that the Policy wording required the fraudulent payment instructions to have emanated from the third party fraudster posing as the insured Brick:
19 In order for the Brick to be successful, it must show that its bank transferred funds out of the Brick’s account under instructions from a third party impersonating the Brick. It is not covered if the Brick knew about, or consented to the instructions given to the bank. The insurance policy also contains in the exclusion section a clause which denies coverage if the loss is due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee. The only exceptions to this clause involve money orders and counterfeit currency.
b. In this case the Brick’s employee was held to have consented to the payment instructions issued to the bank within the meaning of the policy:
23 The Brick contends that the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions. While it is true that clause 1(E) does state that, that clause must be examined in conjunction with the definition of fund transfer fraud contained in the contract. That definition includes the words “insured’s knowledge or consent”. There is no definition in the contract of either the term “knowledge” or “consent”. There is no mention anywhere in the insurance policy of the term “informed consent”. If the policy contained these words, again it is unlikely the parties would be before the court. When a word or a term is undefined, the word should be given its “plain, ordinary and popular” meaning, “such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it”.
24 One of the definitions of consent is “permission for something to happen, or agreement to do something”. Examining the facts, a Brick employee did give instructions to the bank to transfer funds. The employee was permitting the bank to transfer funds out of the Brick’s account. Consequently, the transfer was done with the Brick’s consent. Even applying the contra proferentem rule, the Brick still consented to the funds transfer.
c. In addition, the payment instructions were not given to the bank by the third party fraudster as required by the policy but by the insured Brick itself:
25 Even if the Brick did not consent to the funds transfer, there is still the issue of whether the transfer was done by a third party. Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.
d. The Court referenced several analogous American cases, all of which absolved the insurance company of liability: Ameriforge Group Inc v Federal Insurance Company No.4:16 cv-00377; Medidata Solutions, Inc. v. Federal Insurance Company, No. 1:15-cv-00907 (S.D.N.Y. Mar. 10, 2016). These U.S. cases included one where the insurer was a corporate relative of Chubb: Taylor and Lieberman v Federal Insurance Company, 2:14-cv-03608, unreported.
This case is in line with the majority of American cases. Aqua Star (USA) Corp v. Travelers Casualty and Surety Co., No. C14-1368 (W.D. Wash. 2016) is an example where the crime policy excluded from computer fraud coverage any “loss resulting directly or indirectly from the input of Electronic Data by an actual person having the authority to enter the Insured’s Computer System”. The Court held that the entry of the data by the insured’s treasurer was an immediate step in a chain of events resulting in the loss. It rejected the insured’s arguments, including that the exclusion was meant to exclude only “inside jobs”. Where the policy covers losses caused by computer fraud, some U.S. courts have held that the mere fact that the insured’s employee was duped by the fraudster through a communication which happened to be electronic (such as an e-mail as opposed to a telephone call or a hard copy letter) does not mean that the loss was caused by a computer.
In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, 5:16-cv-12108-JCO-APP Doc # 33 (U.S.D.C., Mich. Southern Div., 2017), a criminal, posing as one of the insured ATC’s vendors, sent a fraudulent email to ATC instructing payment for legitimate invoices to be wired to the criminal’s bank account. ATC’s arrangement with the vendor was that upon receipt of invoices it would issue payment after confirming that the invoiced work had been done. The email displayed the “yifeng-rnould” domain name, as opposed to the vendor’s correct domain name of “yifeng-mould.com”. ATC’s staff verified that the work invoiced had been done and instructed its bank to wire the funds to the criminal’s account. The Court denied ATC’s claim under its “Computer Fraud” coverage, which provided coverage for “Computer Fraud” defined as “[t]he use of any computer to cause a transfer of Money”. The Court held that the loss was not a “direct loss” that was “directly caused by the use of a computer” because “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’”: Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016):
Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.
Further, the Court followed Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016) which had held that “[b]ecause computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”
By contrast, Medidata Solutions Inc. v. Federal Insurance Co., 15–CV–907 (SDNY July 21, 2017) is an example where the insured Medidata’s finance department had been issued emails from corporate management to personnel instructing them “to be prepared to assist with significant transactions on an urgent basis” because of the company’s business plans which included a possible acquisition. A fraudster posing as the company’s president sent a spoofed email (made to falsely appear to be an internal company email, displaying the president’s email address in the “From” line and a photo of the president) to an employee, Evans, advising her of a pending acquisition and that she would soon hear from a lawyer known to her about that. The fraudster then phoned Evans, posing as the lawyer and instructed her to process a wire funds transfer. Evans insisted that she would require an email from the president requesting the transfer and an authorization from the Vice-President (Chin) and the Director Of Revenue (Schwartz). Chin, Schwartz and Evans then received another spoofed email from the fraudster (again made to appear to be an internal email) posing as the president to the effect that he had spoken to Evans about the transfer and expected Chin and Schwartz to sign off on it. Chin and Schwartz approved the transfer on the company’s electronic accounting system and Evans instructed the bank to make the transfer. Medidata had a policy from Federal that provided Computer Fraud Coverage and Funds Transfer Coverage.
Computer Fraud Coverage covered “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” “Computer Fraud” was defined as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” A “Computer Violation” included both “the fraudulent: (a) entry of Data into ... a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format ... directed against an Organization.” The Court held that the loss was covered under Computer Fraud Coverage. It relied on Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 25 N.Y.3d 675, 680, (NYCA, 2015), which held that such unambiguous policy language applied to unauthorized access to the insured’s computer system but not losses arising from fraudulent content submitted to authorized users. The fraud on Medidata was held to be the deceitful and dishonest access to the insured’s computer system contemplated in Universal.
Fraudulent Funds Transfer Coverage provided coverage for a “direct loss of money . . . by fraudulent instructions purportedly issued by” the insured. The Court rejected the insurer’s argument that there was no causal link between the spoofed emails and the loss because the employee also relied on a phone call and took other steps to validate the transfer instructions. The Court held Medidata’s claim to be covered:
. . . In this case, it is undisputed that a third party masked themselves as an authorized representative, and directed Medidata’s accounts payable employee to initiate the electronic bank transfer. It is also undisputed that the accounts payable personnel would not have initiated the wire transfer, but for, the third parties’ manipulation of the emails. The fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick. As the parties are well aware, larceny by trick is still larceny. Therefore, Medidata has demonstrated that the Funds Transfer Fraud clause covers the theft in 2014.
In our view, the facts in Medidata are distinguishable from those in Aqua Star, American Tooling and The Brick. The use of email to dupe the employees did not only incidentally involve an electronic communication. The emails involved more than the use of a similar but incorrect email address of the party purportedly instructing the transfer. They involved a manipulation of the company’s internal email system by altering the data displayed in the fraudulent emails. Either way, companies receiving requests to change payment instructions should take steps to verify such instructions from the authentic parties in question.