As businesses continue to increase their reliance on technology, they are bound to face the inevitable risks associated with online transactions and other cyber exposures. This, in turn, emphasizes the importance of having the proper insurance policies and compliance methods in place to prevent or, at least, mitigate losses that ensue from these risks. In this context, many insurance policies require that there be a “direct” loss for there to be coverage, which has spawned numerous lawsuits about what the word “direct” means. The latest court to weigh in has sided with the insured and interpreted that term broadly to essentially mean proximate causation.
In City of Unalaska v. National Union Fire Insurance Company, an employee received an email from a fraudster, purporting to be a vendor, requesting a change to its payment instructions for invoices. 2022 WL 826501, at *1 (D. Alaska Mar. 18, 2022). The employee assumed that the request was legitimate and updated the bank account information and later initiated ACH payments for several invoices. The payments ultimately went to the fraudster’s bank account. Id. The insured submitted a claim to its insurer, who only accepted partial coverage under an Impersonation Fraud Coverage endorsement subject to a $100,000 sublimit, and refused to pay the remaining amount of the insured’s claim under the computer fraud insuring agreement of the policy. Id. at *2.
The insurer argued that the insured was not entitled to computer fraud coverage under a crime policy because “incidental” use of an email to perpetuate a fraud does not constitute “computer fraud” and the insured’s loss did not “result[ ] directly from the Fraudster’s emails” but was “temporally remote and involved a chain of intervening and independent steps and decisions that did not involve the fraudster.” Id. at *3. The court held that the plain language of the computer fraud insuring agreement makes it clear that there is coverage for a “loss of money resulting directly from a fraudster’s use of a computer – sending an email impersonating the City’s vendor – to fraudulently cause a transfer of funds from the City to the fraudster’s bank account,” and that a reasonable insured would expect coverage under the computer fraud insuring agreement. Id. at *7.
As a result, the court denied the insurer’s “direct means direct” argument, which would suggest that the loss would have to be “without deviation or interruption” and that “the Fraudster’s use of a computer … [would have to] directly bring about the funds transfer.” Id. at *4. Further, the court also found that the computer fraud insuring agreement does not require more than proximate causation because “though the word ‘directly’ may connote immediacy when read in isolation, a reasonable insured would consider the phrase ‘resulting directly from’ to convey the concept of proximate cause.” Id. at *8.
Cited within the Unalaska opinion is the similar case of Ernst and Haas Management Company, Inc. v. Hiscox Inc., 2022 WL 223965 (9th Cir. Mar. 7, 2022). There, the Ninth Circuit reversed the district court’s decision finding that the district court engaged in an “improperly narrow reading of the contractual language” when finding that “a direct loss is limited to unauthorized computer use, like hacking.” Ernst and Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195, 1200 (9th Cir. 2022). Therefore, the Ninth Circuit held that the insured’s loss was directly caused by the fraudulent transfer of funds when the employee transferred them (there was no intervening event), and the computer fraud insuring agreement could cover the insured’s alleged loss. Id. at 1202-1203.
The broad application of the “direct” language under these coverages is an important, recurring issue that many insureds confront when they have a computer fraud loss. The City of Unalaska case emphasizes the potential confusion and uncertainty regarding the causation requirement for “directly” language that is found in many policies. The ruling represents a trend by many courts who interpret the computer fraud coverage broadly and have rejected the “direct means direct” approach advocated by many insurers.