Privacy & Information Security Law Blog

On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.

Background

An employee at Apache Corporation, an oil production company based in Houston, Texas, with worldwide operations, received a telephone call from an individual identifying himself as a representative of Petrofac, a vendor of Apache. The caller instructed the Apache employee to change the bank account to which payments to Petrofac were made. The employee requested that confirmation of the change request be provided on Petrofac’s letterhead.

Shortly thereafter, the fraudsters provided the Apache accounts-payable department with an email of the request on Petrofac letterhead. The letter also included a phony telephone number, which Apache personnel used to confirm the requested change. Apache then proceeded to make payment to the fraudulent account when it came time to pay Petrofac’s invoices. Within one month, Apache was notified that Petrofac had not received approximately $7 million in payments that had been sent to the fraudulent account. Apache recouped a portion of the payments from its bank and attempted to recover the balance from its insurer.

Apache was insured under a crime-protection insurance policy issued by Great American Insurance Company (“GAIC”). Apache submitted a claim to GAIC for reimbursement of the unrecovered funds under the policy’s computer-fraud coverage, which afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer” of money or property to a person or place outside the company. GAIC denied coverage, claiming that the loss did not directly result from the use of a computer nor did the use of a computer cause the transfer of the funds. Apache filed suit in Texas state court and GAIC removed. The federal district court sided with Apache and held that the intervening steps of the phone call and approval of the change request by Apache’s supervisors did not alter the fact that the fraudsters used a computer to perpetrate the fraud. The district court also held that GAIC’s construction of the policy would effectively limit the policy to affording coverage only for computer hacking, thus rendering the policy “pointless.”

Read the full alert.