Cyber insurance growing pains: 6th Circuit overturns email phishing ruling

The ruling will likely impact how cyber insurance policies are crafted in the future.

In July, the U.S. Court of Appeals for the Sixth Circuit overturned a lower court ruling that exempted phishing scam losses from coverage.

With its July 2017 ruling in Medidata Solutions v. Federal Insurance, the U.S. District Court for the Southern District of New York became the first federal court to rule that losses due to phishing scams were covered under a cyber insurance computer fraud policy.

The Medidata ruling stood apart from other rulings on similar cases in district courts in the Fifth, Sixth and Ninth circuits. In those cases, courts found that such policies did not cover situations where employees are tricked by cybercriminals into transferring funds to false accounts.

Travelers contended loss didn’t fall under computer fraud policy

Since then, however, the Sixth Circuit has reversed course. This July, the U.S. Court of Appeals for the Sixth Circuit overturned a lower court ruling in American Tooling Center v. Travelers Casualty & Surety that exempted phishing scam losses from coverage. The ruling by the appeals court will likely impact how cyber insurance policies are crafted in the future, and underscores how the nascent cyber insurance industry is still finding its footing in the market.

The overturned case was first brought by tool and die manufacturer American Tooling Center, Inc. (ATC) in U.S. District Court for the Eastern District of Michigan. In 2015, an ATC employee was tricked by a cybercriminal’s fraudulent emails into digitally transferring funds, which were meant to go to a vendor, into the criminal’s account.

American Tooling Center Inc. filed a claim to recover some of the fraudulently wired funds from its cyber insurer, Travelers Casualty & Surety Co. But Travelers contended that such a loss did not fall under its computer fraud policy, which only covered losses “directly caused by the use of a computer.” It argued that ATC’s particular incident was caused by a tricked authorized user and not the fraudulent use of a computer.

No definitive language in policy

The Michigan district court agreed, citing precedent in similar Fifth and Ninth Circuit cases. Joshua Bevitz, a partner at Newmeyer & Dillion, said the court took up the argument “that the email wasn’t the direct cause of the loss, and since computers are used in a lot of business transitions, if you interpret this policy to cover that, it would turn the computer fraud policy into general fraud policy.”

The appeals court, however, disagreed, noting that there was no definitive language in Travelers’ computer fraud policy excluding coverage for situations where authorized employees were tricked by phishing scams into transferring funds to cybercriminals.

“Travelers’ attempt to limit the definition of ‘computer fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded,” the court wrote in its opinion. “If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so.”

Exclusions didn’t exempt covering loss

What’s more, the appeals court also ruled that the exclusions the cyber insurance policy did have still did not exempt Travelers from covering the loss because of how the policy defined certain terms.

One such exclusion stated the insurance policy “will not apply to loss or damages resulting directly or indirectly from the input of electronic data by a natural person having the authority to enter the insured’s computer system.”

Another said the policy “will not apply to loss resulting directly or indirectly from forged, altered or fraudulent documents or written instruments used as source documentation in the preparation of electronic data.”

But because the policy defined “electronic data” in a way to specifically not mean “instructions or directions to a computer system,” the appeals court said the policy exclusions did not apply to the current situation.

Need to be more specific

Bevitz noted that because of the appeals court’s ruling, “If they haven’t already, cyber insurers are going to be more specific with things they’re not intending to cover, and more specific with what premiums will be needed to provide that coverage.”

Still, he added that such a ruling should not have been a surprise to Travelers. “It’s always the way it goes in the insurance industry. They write a policy and they try to be as clear as possible, and then you can’t predict all sorts of events that take place.”

This is particularly the case with fairly new types of insurance such as cyber insurance. “The cyber insurance industry is really the Wild West right now because they just recently started writing these policies, and they are going through the growing pains of writing language that specifically addresses specific events.”

Legal arguments may be picked up around the country

To be sure, the Sixth Circuit’s ruling will not likely have an effect on how other appeals courts around the country interpret the nuances of cyber insurance policies. Bevitz noted that circuit courts “are interpreting different state law” and different policies when ruling on cyber insurance cases.

What’s more, because much of their determination pulls from their interpretations of various state insurance laws, “this is an issue that the Supreme Court is never going to decide.”

But while cyber insurance rulings will only apply narrowly within a certain jurisdiction, the legal arguments that circuit courts apply may be picked up by any court around the country. For cyber insurers, this means crafting policies that heed every court’s interpretation, lest they find themselves paying for more than they expected.

Rhys Dipshan (rdipshan@alm.com) is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine.