"Computer Fraud” Provision of Crime Protection Insurance Policy: Insured’s Loss Did Not Result Directly from the Use of Any Computer
By: Diana Faust
The United States Court of Appeals for the Fifth Circuit very recently considered the interpretation of a Computer Fraud provision in a crime-protection insurance policy. In Apache Corporation v. Great American Insurance Company, the court made an Erie prediction as to the provision’s interpretation by Texas courts. Applying Texas law, as well as considering the interpretation of similar provisions made by other jurisdictions, the court held that the insured’s loss was not a covered occurrence.
Apache Corporation’s loss arose from its having been defrauded by criminals, in part by their use of an email. As a result of the fraud and a flawed follow-up investigation by Apache, it made authorized payments of legitimate invoices from its vendor to the criminals’ bank account rather than to the vendor’s account. Great American denied coverage for Apache’s loss under its Computer Fraud provision of Apache’s crime protection insurance policy.
The Computer Fraud provision stated:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a. to a person (other than a messenger) outside those premises; or
b. to a place outside those premises.
Apache is an oil production company with its principal place of business in Houston, but it operates internationally. The criminals achieved the fraud through a series of actions beginning with a telephone call to an Apache employee in Scotland. The caller identified herself as a representative of Petrofac, a vendor of Apache, and instructed Apache to change the bank-account information for its payments to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead.
A week later, Apache’s accounts-payable department received an email from a “petrofacltd.com” address. But, Petrofac’s authentic email domain name is “petrofac.com”; the criminals created “petrofacltd.com” to send the fraudulent email. The email advised that Petrofac’s accounts had changed, that a new account took immediate effect, and that all future payments must be made into the new account. The email referenced an attachment containing a signed letter on Petrofac letterhead, providing both old-bank-account information and the new-bank-account number, with instructions to “use the new account with immediate effect.”
In response, an Apache employee called the telephone number provided on the letterhead to verify the request and concluded the call confirmed the authenticity of the change-request; next, a different Apache employee approved and implemented the change. A week later, Apache was transferring funds for payment of Petrofac’s invoices to the new bank account.
Within one month, however, Apache received notification Petrofac had not received approximately $7 million Apache had transferred to the new (fraudulent) account. After an investigation determined the criminals were likely based in Latvia, Apache recouped a substantial portion of the funds. Apache contended, however, it suffered a loss, before the $1 million policy deductible, of approximately $2.4 million.
Apache submitted a claim to Great American, who denied coverage because the loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds. Great American asserted that the loss was not a covered occurrence because the email did not “cause a transfer” and that coverage under the Computer Fraud provision is “unambiguously limited” to losses from “hacking and other incidents of unauthorized computer use.”
Great American argued that Apache’s transfer of funds to the fraudulent bank account resulted from other events. First, before the email, the telephone call directed Apache to change the account information. And, after the email, the telephone call by Apache to the criminals confirmed the change-request. The confirmation was followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account. Great American relied on Texas’ rules for policy interpretation and the Supreme Court of Texas’ emphasis on the “importance of uniformity when identical insurance provisions will necessarily be interpreted in various jurisdictions.”
Apache contended the plain meaning of the computer-fraud language covered its loss, and maintained any ambiguity in the terms should be resolved in favor of the insured’s reasonable interpretation, even if the insurer’s interpretation is more reasonable. Apache argued that because the language of the provision says nothing about “hacking,” it only needed to show that “any computer was used to fraudulently cause the transfer of funds.”
In reviewing the district court’s grant of summary judgment in Apache’s favor, the Fifth Circuit conducted what it labelled a “detailed—albeit numbing” analysis of the interpretations of similar policy provisions performed in other jurisdictions. Among them, the Ninth Circuit interpreted very similar policy language to require an “unauthorized transfer of funds.” And, an Indiana federal district court held no coverage based on the use of a facsimile for purchase orders, postdated checks, and bank guarantees in change for original prepaid mobile telephone cards. In all, the Fifth Circuit concluded there exists cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use.
The Fifth Circuit explained that the “computer use” at issue was an email to Apache with instructions to change a vendor’s payment information and make “all future payments” to it. The email, with a letter on purported vendor letterhead followed the initial telephone call from the criminals and was sent pursuant to Apache’s directive to send it the request on the vendor’s letterhead. Once received, Apache’s employee called to confirm the instructions by calling the number on that letterhead, rather than some independently-provided telephone contact for the vendor (such as pre-existing contact information). The Court reasoned that the account changes would never have been made if Apache had performed a more thorough investigation. Moreover, Apache changed the account information and the fraudulent transfers were initiated by Apache to pay legitimate invoices.
While the email was part of the scheme, the court explained that it was merely incidental to the occurrence of the authorized transfer of money. The court emphasized:
To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.
The court also took judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In holding that no coverage was afforded through the provision, the court acknowledged that “few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.”
Also important were the undisputed facts that Apache invited the computer-use at issue, and then failed to investigate accurately the new, but fraudulent, information provided to it.
Thus, in viewing the multi-step process utilized by the scheme, the court concluded that the transfers were made not because of fraudulent information contained in the email, but because Apache elected to pay legitimate invoices to the wrong bank account. The invoices, rather than the email, authorized the transfers of money, such that Apache’s loss did not result directly from the use of any computer to fraudulently cause the transfer of that money.
The court vacated the summary judgment in favor of Apache, and rendered judgment in favor of Great American.
 Apache Corp v. Great Am. Ins. Co., No. 15-20499, ___ Fed. Appx. ___, 2016 WL 6090901 (5th Cir. Oct. 18, 2016).
 Erie R.R. v. Tompkins, 304 U.S. 64 (1938)
 Apache Corp., 2016 WL 6090901, *1.
 Id., at *2.
 Id., at *1.
 Id., at *2, *3.
 Id., at *3.
 Id. (citing McGinnes Indus. Maint. Corp. v. Phoenix Ins. Co., 477 S.W.3d 786, 794 (Tex. 2015)).
 Id., at *3.
 Id. (citing Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 14-56294, ___ Fed. Appx. ___, 2016 WL 4056068, at *1 (9th Cir. July 29, 2016), aff’g Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am. (Pestmaster I), No. CV 13-5039-JFW, 2014 WL 3844627 (C.D. Cal. July 17, 2014) (unpublished)).
 Id. (citing Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085-SEB-JPG, 2006 WL 693377, at *7 (S.D. Ind. Mar. 10, 2006) (unpublished)).
 Id., at *6.
 Id., *6.
 Id. (emphasis added).
 Id., *7.