Social Engineering Theft Crime Insurance: The Ninth Circuit Finally Joins the Party | Farella Braun + Martel LLP
Corporate policyholders often assume that their computer fraud insurance will cover so-called social engineering thefts. Reasonably so. Fraudsters commit these crimes by using computers to trick innocent employees into transferring corporate funds to what they believe are legitimate bank accounts, only to discover later that the accounts are controlled by criminals who have made off with the silver. Although most people consider this to be computer fraud, crime insurers have resisted covering such thefts, and some courts have sided with the insurers. Until recently, insurers could count the Ninth Circuit Court of Appeals among those courts. On January 26, the Ninth Circuit finally set the record straight in Ernst and Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), rejecting an earlier unpublished decision and finding coverage for social engineering theft under California law. The decision gives policyholders a boost in their crime coverage claims for social engineering theft losses and removes a cudgel from the hands of insurers.
Ernst and Haas involved a garden-variety social engineering scheme. The policyholder’s accounts payable clerk received an email purportedly from her boss instructing her to make a payment. The employee did not realize that the email was fake and had been sent by a fraudster. She wired the requested funds to the bank account identified in an invoice attached to the email. The process repeated itself once more before, on the third attempt, she realized that her boss had not sent the previous emails. The insured’s computer system was never hacked; the emails were simply forged messages sent by the fraudster.
Hiscox, the policyholder’s crime insurer, declined coverage. Several insuring agreements potentially covered the loss, but we are interested here in the “Computer Fraud” insuring agreement of the Hiscox policy. That agreement required that the loss “result[] directly from the use of any computer to fraudulently cause a transfer of this property” to a person other than the policyholder.
As Patrick Law previously wrote here, courts have disagreed on the meaning of the phrase “resulting directly,” and similar formulations, in the context of computer fraud. Compare Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016) (unpublished) (no direct loss without hacking), Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016) (unpublished) (no direct loss where fraudulent emails caused the insured to transfer money), and Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (N.Y. 2015) (no direct loss without hacking), with Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017) (direct loss from spoofed emails).
Hiscox denied coverage by relying on the line of cases that interpret “resulting directly” narrowly. It argued that the theft did not result “immediately” or “directly” from the use of a computer, and that the transfer was “authorized” because a person, the policyholder’s employee, deliberately executed the transfer after receiving the fraudulent emails. Because there had been no “hacking” or unauthorized access, the district court agreed and granted Hiscox’s motion to dismiss, relying on the Ninth Circuit’s unpublished Pestmaster decision.
In a published decision, the Ninth Circuit reversed, holding that Pestmaster was both factually distinguishable and legally erroneous. The Ninth Circuit concluded that Pestmaster was distinguishable because the theft there was committed by a party that legitimately received the insured’s funds and then stole them, rather than through the typical social engineering scheme. In Ernst and Haas, by contrast, the first recipient of the insured’s funds was the fraudster.
The Ninth Circuit then rejected the Pestmaster court’s reasoning, dismantling the arguments that crime insurers have repeatedly made over the past decade to justify coverage denials. First, the Ninth Circuit noted that:
Relying on Pest master to reach [its] conclusion, the district court approved an erroneous circular premise – that [the employee] “authorized” a transfer of $200,000, curing any prior fraud, when she initiated a transfer of $200,000 based on the fraud. This reasoning – that this fraud became “authorized” precisely when it succeeded – cannot be the correct reading of the contract.
In other words, a transfer of funds that an employee was tricked into making is not “authorized” simply because the employee transferred the funds. No one at the company “authorized” the theft of the funds, nor could they have.
Second, the Ninth Circuit rejected Hiscox’s “resulting directly” argument, finding that the loss resulted directly from the fraudulent email because the policyholder “immediately lost its funds when those funds were transferred to [the fraudster] as directed by the fraudulent email. There was no intermediate event[.]”
Ernst and Haas is an important decision for policyholders because insurers can no longer cite Pestmaster in the Ninth Circuit to argue that computer fraud coverage applies only in the event of a hack. Although policy language varies, Ernst and Haas removes a significant barrier to coverage in the Ninth Circuit.