(Article from Insurance Law Alert, November 2016)
For more information, please visit the Insurance Law Alert Resource Center. The Fifth Circuit ruled that a computer fraud provision does not grant coverage for claims arising out the transfer of funds to criminal accounts because a fraudulent email was only one part of a chain of events that caused the loss. Apache Corp. v. Great American Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016).
Apache, an oil production company, received a telephone call from a person identifying herself as a Petrofac representative (a vendor for Apache). The caller instructed Apache to change bank account information for future payments. The Apache employee replied that the change could not be processed without a formal request on Petrofac letterhead. Thereafter, Apache received an email from an email address created by criminals to closely resemble Petrofac’s actual email address. The email attached a letter confirming the request to change the bank account on fraudulently-created letterhead. Apache called the telephone number provided in the letter to confirm the change and then approved the change. After nearly $7 million was paid to the new bank account, Apache discovered that the phone call and email came from criminals. Apache sought coverage from Great American, which denied coverage on the ground that the loss did not “result[ ] directly from the use of a computer,” as required by the policy. A Texas district court disagreed and ruled in favor of Apache. The Fifth Circuit reversed.
Addressing this matter of first impression under Texas law, the Fifth Circuit ruled that the computer fraud provision did not cover Apache’s claims because the loss resulted from a series of events and was not “directly” caused by computer use. In particular, the court explained that there was no coverage obligation because the wire transfers resulted from the criminals’ initial phone call, the subsequent phone call to the fraudulent phone number, and Apache’s insufficient internal controls for account changes. The court stated:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process, would . . . convert the computer-fraud provision to one for general fraud.
As the Fifth Circuit noted, courts in other jurisdictions have concluded that computer fraud provisions have limited application and apply to claims arising directly out of use of a computer (such as hacking) and not claims that merely involve use of a computer at some point in the transaction.