On July 8, 2016, the U.S. District Court for the Western District of Washington released its decision in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America. The decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies (sometimes referred to as the “authorized access” exclusion), and illustrates how this exclusion may operate in the context of a social engineering fraud loss.
The insured, Aqua Star (USA) Corp. (“Aqua Star”), is a seafood importer that had a pre-existing relationship with a legitimate vendor, Zhanjiang Longwei Aquatic Products Industry Co. Ltd. (“Longwei”). In the summer of 2013, Longwei’s computer system was hacked. The hacker apparently monitored email exchanges between an Aqua Star employee and a Longwei employee before intercepting those exchanges and using look-alike (“spoof”) email domains to send fraudulent emails, purporting to come from Longwei, to the Aqua Star employee. In the spoofed emails, the hacker directed the Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.
The Aqua Star employee entered the revised banking information into Aqua Star’s computer system. This revised information was then used to create Wire Confirmation Detail instructions that were transmitted to Aqua Star’s bank, Bank of America. As a result, $713,890 was wired to the hacker’s account before the fraud came to light.
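The loss mechanism described above (a bank-detail change request arriving from a domain that merely resembles the vendor’s) is the kind of thing an accounts-payable workflow can flag before an authorized employee keys the new details in. The following is an added illustration, not code from the article, the court record or either party; the vendor domain and the sample requests are constructed for the example, and the real addresses used in the Aqua Star case are not on the page.

```python
"""Flag vendor bank-detail change requests whose sender domain is not,
or only resembles, the vendor domain on file.

Added example; all domains below are constructed for illustration."""

# Hypothetical vendor record: the domain the importer has on file.
VENDOR_DOMAIN_ON_FILE = "longwei-seafood.example"

# Constructed inbound requests asking to change remittance details.
SAMPLE_REQUESTS = [
    {"from": "sales@longwei-seafood.example", "subject": "Updated bank details"},
    {"from": "sales@longwei-seafood.example.co", "subject": "Updated bank details"},
    {"from": "sales@longwei-seaf00d.example", "subject": "Updated bank details"},
    {"from": "sales@longwei-seafood.example.attacker.test", "subject": "Updated bank details"},
    {"from": "sales@l\u03bfngwei-seafood.example", "subject": "Updated bank details"},  # Greek omicron
]


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b.
    A small distance between two *different* domains is a classic
    lookalike signal (e.g. '0' substituted for 'o')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, on_file, max_distance=2):
    """Return (verdict, reason): 'match', 'lookalike' or 'unrelated'."""
    domain = sender_domain(address)
    on_file = on_file.lower()
    if domain == on_file:
        return "match", "sender domain equals domain on file"
    if any(ord(ch) > 127 for ch in domain):
        return "lookalike", "non-ASCII characters in domain (possible homoglyph)"
    if on_file in domain:
        return "lookalike", "domain on file embedded in a different domain"
    dist = edit_distance(domain, on_file)
    if dist <= max_distance:
        return "lookalike", "within %d edit(s) of domain on file" % dist
    return "unrelated", "no resemblance to domain on file"


def flag_bank_change_requests(requests, on_file):
    """Return every request that did not come from the domain on file,
    with the reason, so it can be held for out-of-band verification."""
    flagged = []
    for req in requests:
        verdict, reason = classify_sender(req["from"], on_file)
        if verdict != "match":
            flagged.append({"from": req["from"], "verdict": verdict, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_bank_change_requests(SAMPLE_REQUESTS, VENDOR_DOMAIN_ON_FILE):
        print("%-45s %-10s %s" % (hit["from"], hit["verdict"], hit["reason"]))
```

Two caveats follow from the facts of the case. The check only catches look-alike or foreign domains; a request sent from the vendor’s genuine mailbox after that mailbox is compromised passes it, so a bank-detail change should still be confirmed by a call to a number already on file rather than one supplied in the email. And, as the coverage analysis below shows, the employee who keys in the new details is still an authorized user of the insured’s own system, which is precisely what brings the loss within an “authorized entry” exclusion.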
The Travelers Coverage
Aqua Star maintained a Wrap+ Crime Policy with Travelers. The policy covered Aqua Star for its “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud”, as defined. Travelers relied on Exclusion G to the policy, which provided that the policy:
will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.
As a general observation, this type of exclusion is intended to encompass (among other things) social engineering fraud losses. At present, social engineering fraud coverage is typically added to commercial crime policies by endorsement, with the endorsement providing that the exclusion in the base wording does not apply in respect of coverage afforded by the endorsement. The intent is to reinforce that only social engineering fraud coverage, and not the “traditional” computer or funds transfer fraud coverages, responds to social engineering fraud losses.
It is not clear from the Court’s decision whether Aqua Star also maintained social engineering fraud coverage.
On the parties’ cross-motions for summary judgment, the Court confined itself to the question of whether Exclusion G applied to the loss, and did not opine on whether the loss fell prima facie within coverage. The Court held that, on its face, Exclusion G clearly applied to the facts. The “revised” banking details were information, which fell within the meaning of “Electronic Data”. The employee in question was a natural person and had the authority to enter banking details into Aqua Star’s computer system. As a result, the exclusion applied.
Aqua Star advanced two substantive arguments in an effort to avoid the application of the exclusion. First, Aqua Star asserted that the exclusion did not apply because, in order to initiate the wire transfers, an Aqua Star employee had to enter data into the computer system of a third party (i.e., its bank, Bank of America). The Court rejected this contention, observing that:
Although entering data into a third party’s computer system may have been the final step that led to Aqua Star’s loss, necessary intermediate steps prior to the transfer involved entering Electronic Data into Aqua Star’s own Computer System. Aqua Star does not explain why the involvement of a third party computer system would render Exclusion G inapplicable.
Second, Aqua Star contended that Exclusion G was actually intended to preclude coverage where a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or legitimate customer. The Court did not accept this argument either, but did note that:
the clear language of the policy does not limit the exclusion to fraud perpetrated by an authorized user, although … it certainly could apply in that situation [as well].
As a result, Exclusion G applied to the loss.
In providing a detailed analysis of Exclusion G to the Travelers Wrap+ policy, Aqua Star reflects the intended boundary between social engineering fraud coverage and “traditional” computer fraud and funds transfer fraud coverages. Courts have generally interpreted the computer fraud coverage as being intended to cover loss due to unauthorized hacking by third parties (see, for example, Pestmaster, which we discussed in our January 6, 2015 post), not employees’ authorized entries of data that are induced by external fraud.
To address this perceived gap, many insurers have introduced social engineering fraud endorsements to respond to the latter scenario. The “authorized entry” exclusion reinforces insurers’ intent that the two coverages respond to different loss scenarios. In our view, it is appropriate to keep this context in mind in assessing both the applicability of “authorized entry” exclusions and the dividing line between social engineering fraud coverage and other coverages.