By Chris McKibbin and Daniel Silla
On August 12, 2022, the U.S. District Court for the District of Minnesota released its decision in SJ Computers, LLC v. Travelers Casualty and Surety Company of America. In finding that an alleged business email compromise loss did not fall within a crime policy’s Computer Fraud coverage, the Court provided instructive commentary regarding the policy’s direct loss requirement. The decision is notable in holding that the alleged hacking of an insured’s email system did not bring the loss within the Computer Fraud coverage grant, as the immediate cause of the loss was the insured’s CEO wiring the funds and the alleged hacking was merely an intermediate step in the scheme.
SJ Computers routinely ordered computer equipment from various vendors. In the normal course, the ordering process proceeded as follows: first, SJ Computers’ purchasing manager issued a purchase order to the vendor. The vendor then issued an invoice to SJ Computers for the cost of the equipment ordered. After that, the purchasing manager confirmed the accuracy of the invoice and forwarded it to SJ Computers’ CEO. Finally, after receiving the invoice from the purchasing manager, the CEO initiated a wire transfer payment to the vendor.
In March 2021, a fraudster emailed fraudulent invoices to the purchasing manager. The invoices were purportedly issued by ERI, one of SJ Computers’ legitimate vendors. The invoices directed SJ Computers to make payment by wire transfers to a bank account number that was different from the account that SJ Computers had on file for ERI.
After emailing the fraudulent invoices to the purchasing manager in the guise of ERI, the fraudster allegedly hacked into the purchasing manager’s email account and, now impersonating the purchasing manager, forwarded the invoices to SJ Computers’ CEO for payment. The CEO telephoned ERI about the apparent change of banking information and left a voicemail. ERI did not return the call prior to the deadline for payment specified in the fraudulent invoices. Having not heard back from ERI, the CEO proceeded to initiate two wire transfers totalling $593,555.
The Travelers Coverages
After the fraud came to light, SJ Computers submitted a proof of loss to Travelers seeking coverage solely under the policy’s Social Engineering Fraud (SEF) coverage, which carried a limit of $100,000. The SEF coverage provided indemnity for “direct loss … directly caused by Social Engineering Fraud.” “Social Engineering Fraud” was defined as:
the intentional misleading of an Employee or Authorized Person by a natural person impersonating:
(1) a Vendor, or that Vendor’s attorney;
(2) a Client, or that Client’s attorney;
(3) an Employee; or
(4) an Authorized Person,
through the use of a Communication.
SJ Computers subsequently revised its claim to seek coverage under the Computer Fraud coverage, which carried a limit of $1,000,000. That coverage indemnified “for the Insured’s direct loss … directly caused by Computer Fraud”, which was defined as “an intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a Computer System…” The coverage provided that Computer Fraud did not include “such entry or change made by an Employee [or] Authorized Person … made in reliance upon any fraudulent … instruction”.
The policy also included Exclusion H, which provided that the policy:
… will not apply to loss resulting from forged, altered, or fraudulent … documents, or instructions used as source documentation to enter Electronic Data or send instructions, provided this does not apply to … the Social Engineering Fraud Insuring Agreement.
Travelers promptly paid the $100,000 limit of the SEF coverage. However, Travelers determined that the facts did not give rise to coverage under the Computer Fraud coverage, and that other policy provisions would have applied to exclude coverage for that aspect of the claim.
SJ Computers commenced an action seeking coverage under the Computer Fraud coverage. Travelers moved to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim upon which relief can be granted (analogous to a rule 21.01(1)(b) motion in Ontario). Travelers was successful on all four of its primary coverage arguments, which the Court summarized as follows:
Travelers offers several reasons why SJ Computers’ loss is not covered under the computer-fraud agreement: First, the conduct in which the bad actor engaged was not computer fraud as that term is defined by the Policy. Second, even if the bad actor engaged in computer fraud, SJ Computers’ loss was not “directly caused by” that computer fraud. Third, Exclusion H of the Policy explicitly precludes computer-fraud coverage for SJ Computers’ loss. And finally, the conduct in which the bad actor engaged meets the definition of social-engineering fraud, and social-engineering fraud is explicitly excluded from coverage under the computer-fraud agreement. For the reasons that follow, the Court agrees with Travelers on every point.
We will focus on the second point, insofar as it is of more general relevance to other crime insurers.
The CEO was clearly an “Employee [or] Authorized Person” within the meaning of the carve-out to the Computer Fraud coverage. Thus, SJ Computers asserted that there were two distinct fraudulent acts, and sought to differentiate between the CEO’s authorized acts and the fraudster’s alleged hacking into the purchasing manager’s email account. SJ Computers contended that the alleged hacking constituted Computer Fraud, thereby triggering coverage.
The Court rejected this assertion:
SJ Computers works hard to avoid the plain language of the Policy. SJ Computers argues that it was actually the victim of two distinct fraudulent acts: (1) the bad actor hacking into SJ Computers’ email system and forwarding the fraudulent invoices from the purchasing manager’s email account to the CEO; and (2) the CEO acting on those fraudulent invoices and emails by initiating the wire transfers to the bad actor’s account. …
SJ Computers’ argument is creative but ultimately unavailing. … even if the bad actor’s hacking of the purchasing manager’s email account is viewed in isolation and deemed to be an act of computer fraud, that hacking did not “directly cause[ ]” a “direct loss” to SJ Computers, as is required by the computer-fraud insuring agreement.
The Court’s analysis of the direct loss requirement is instructive:
SJ Computers’ argument that, notwithstanding these Policy provisions, the company was actually the victim of computer fraud is premised on its position that one aspect of the fraudulent scheme — the bad actor’s using the purchasing manager’s email account to forward the fraudulent invoices to the CEO — should be viewed in isolation. But what is good for the goose is good for the gander. If that aspect of the fraudulent scheme is going to be viewed in isolation, then that aspect needs to be viewed in isolation for all purposes.
The bad actor’s use of the purchasing manager’s email account to forward the fraudulent invoices to the CEO — when viewed in isolation — did not “directly cause[ ]” a “direct loss” to SJ Computers. SJ Computers did not suffer a penny of financial loss when the bad actor hit “send” on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voice-mail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices. If the fraudulent scheme that victimized SJ Computers is going to be fragmented into pieces and each piece viewed in isolation, then what “directly caused” loss to SJ Computers was not the piece involving the bad actor’s use of the purchasing manager’s account to send the fake invoices, but rather the piece involving the CEO’s use of his computer to act on the fake invoices. That piece — the piece that did “directly cause[ ]” a “direct loss” to SJ Computers — was social-engineering fraud, not computer fraud, as even SJ Computers concedes.
That finding, in and of itself, requires dismissal of SJ Computers’ complaint. [citations omitted]
The Court implicitly adopted the “direct means direct” approach to causation, which requires that the loss follow immediately in time and space from the covered cause of loss, rather than merely being the proximate result thereof. The CEO’s actions constituted intervening acts which broke the chain of causation. The “direct means direct” approach has been adopted in numerous other decisions, such as CP Food (see our October 12, 2018 post); InComm (see our March 22, 2017 post); Hantz Financial Services (see our September 29, 2015 post); and Taylor & Lieberman (see our July 14, 2015 post).
SJ Computers represents another decision in a growing line of jurisprudence which holds that there is no coverage for vendor impersonation and other SEF losses under “traditional” commercial crime coverages such as Computer Fraud. The decision is particularly notable for its careful and nuanced analysis of the direct loss requirement. The Court held that, even if it accepted the insured’s assertion that there was an act that fell within the coverage grant (the alleged hacking of the purchasing manager’s email account), coverage was not triggered because the loss did not follow immediately in time and space from that act, but rather from a subsequent intervening event. The decision is of assistance to fidelity claims professionals in considering loss scenarios in which there is a chain of events between the conduct said to trigger coverage and the loss ultimately sustained.