ABA Banking Journal - July/August 2017 - 20
LEGAL BRIEFS
Who Pays When Humans Get Hacked?
BY DAWN CAUSEY, THOMAS PINDER
AND ANDREW DOERSAM
IMAGINE THIS: a seasoned teller at your bank receives a phone call from
a customer requesting to change the account information for a wire transfer.
Believing the call to be legitimate, the teller processes the change and re-routes
the funds. You find out later that the teller in this case was the victim of a social
engineering scam: the message was from a fraudster, the funds are gone and the
bank is left holding the bag.
If you think your bank is covered under
its computer fraud insurance policy in
this scenario, not so fast. Recent case
law has shown that courts are deciding
against this type of coverage.
In Apache Corp. v. Great American
Insurance Co., a scammer posing as
a vendor made a call to an Apache
accounting department employee
advising that it was changing bank
account information. The scammer
sent an email advising Apache of
new account details for the vendor.
After receiving the email, Apache
paid $7 million to the scammer.
Apache made a claim under its crime
protection policy covering computer
fraud, but was denied coverage
because the loss did not result directly
from the use of a computer.
The Fifth Circuit agreed with the
insurer, ruling that losses arising from
social engineering scams are not
covered by computer fraud provisions
of commercial crime insurance policies.
The Fifth Circuit concluded that the
email was "merely incidental to the
occurrence of the authorized transfer of
money" and too generalized to trigger
the computer-fraud provision.
Consider a similar situation. In Aqua
Star (USA) Corp. v. Travelers Casualty
& Surety Co., a hacker sent fraudulent
emails to an Aqua Star employee
directing the employee to change
bank account information for a vendor
for future wire transfers. The Aqua
Star employee made the changes as
directed and the hacker defrauded the
company by $713,890.
Aqua Star purchased crime insurance
that required the insurer to pay for
losses directly caused by computer
fraud, but excluded "loss resulting
directly or indirectly from the input of
Electronic Data by a natural person
having the authority to enter the
Insured Computer System." The district
court determined that Aqua Star's loss
was not covered by the policy because
the Aqua Star employee who changed
the bank account information had the
authority to do so.
In another instance, InComm, a debit
card processing company, allowed
cardholders to purchase credits,
otherwise known as "chits," to load
on a debit card. The dispute arose
when hackers launched a sophisticated
identity theft scam that caused a coding
error in InComm's system. The system
vulnerability allowed cardholders to
redeem their chits more than once,
resulting in more than $11.4 million in
unauthorized charges to InComm.
Great American denied coverage on
the ground that the policy did not
cover redemptions that were made
over the phone, and lo and behold,
the district court agreed. The court
ruled the computer fraud provision
did not apply because the actual
fraud was committed using a phone.
The court explained that expanding
coverage to include losses only
because a computer was used would
"strain the ordinary understanding of
It is important to note that InComm's
computer fraud insurance policy
was identical to Apache's policy.
The courts in Apache and InComm
determined there was no "immediate"
relationship between the alleged
conduct and the claimed losses.
What's more, the courts reasoned that
interpreting computer fraud coverage
to cover every loss that involves a
computer and fraud would in essence
create a "general fraud policy."
Unfortunately, a social engineering
scheme targeting employees involved
with a computer may fall into a gap in
insurance coverage. The good news
is that carriers are offering a tailored
social engineering endorsement that
covers the type of incidents discussed
above. So, even as banks strengthen
their network security, scammers will
continue to try and hack humans.
Make sure you are covered.
DAWN CAUSEY is general counsel at ABA,
where THOMAS PINDER is SVP for litigation and
ANDREW DOERSAM is a paralegal.