Phishing Scam Does Not Implicate Forgery Coverage, Court Requests Further Briefing for Computer Fraud Coverage
This week, in Crown Bank JJR Holding Company v. Great American Insurance Company, 2020 U.S. Dist. LEXIS 23136 (D.N.J. Feb. 11, 2020), the New Jersey federal court held that loss from mis-wiring bank funds as a result of a phishing scam did not implicate forgery coverage under a Financial Institution Bond, but left open the possibility that computer fraud coverage under a crime policy might be implicated.
The insured, Crown Bank JJR Holding Company, allowed customers to submit wire transfer requests by phone or email; however, such requests were to be verified by bank personnel through signature authentication and a separate phone call based on contact information filed in the bank’s records. Crown Bank, 2020 U.S. Dist. LEXIS 23136 at *2. The chairman of the bank and his wife, who also was a director of the bank (the Rodrigueses), held numerous personal and business accounts at Crown Bank. Id. at *3. Between April 3 and April 19, 2012, Crown Bank received 13 wire transfer requests via email that purported to be from Mrs. Rodrigues but in fact were not from her. Id. Each request came via the email address “firstname.lastname@example.org,” which spoofed Mrs. Rodrigues’s actual email address by adding a second lower case “i.” Id.
Crown Bank processed 12 of the requests, following the same pattern:
… the individual impersonating Mrs. Rodrigues would request a wire transfer to a bank in Singapore via email, and a Crown Bank employee, either Jorge Fernandes or Liliana Santos, would request the information necessary to complete the wire transfer and then send a completed wire transfer authorization form to the person purporting to be Mrs. Rodrigues via email. This person then returned the completed form to either Fernandes or Santos, including a signature allegedly from Mrs. Rodrigues that matched the signature that Crown Bank had in its records. Fernandes or Santos then printed the PDF document and confirmed the signature matched the signature in the Bank's records. Despite indicating on the wire transfer forms that they did so, neither Fernandes nor Santos ever made a telephone call to the number in their records to confirm that the request did indeed come from Mrs. Rodrigues.
Id. at *4 (internal citations and footnotes omitted). In total, Crown Bank wired a little over $2.7 million from the Rodrigueses’ personal and professional accounts. Id. at *5.
Crown Bank sought coverage under the forgery or alteration insuring agreement of its Financial Institution Bond. The insuring agreement provided coverage for “(D) Loss resulting directly from the Insured having, in good faith, paid or transferred any Property in reliance on any Written, Original … (4) Withdrawal Order … [or] (6) Instruction or advice purportedly signed by a customer of the Insured or by a banking institution,” which:
(a) bears a handwritten signature of any maker, drawer or endorser which is Forgery; or (b) is altered, but only to the extent the Forgery or alteration causes the loss.
Actual physical possession of the items listed in (1) through (6) above by the Insured is a condition precedent to the Insured's having relied on the items.
Id. at *9-10. Importantly, the policy defined “Original” as “the first rendering or archetype and does not include photocopies or electronic transmissions, even if received and printed.” Id. at *10.
The parties disputed whether Crown Bank ever had actual, physical possession of the “Original” wire transfer forms to satisfy the coverage’s insuring agreement. The Bank argued that the .pdf executed forms constituted “Original” wire transfer forms. The court disagreed, as the definition for “Original” excluded “electronic transmissions, even if received and printed.” Id. at *11 (emphasis added). The court explained:
Regardless of any ambiguity concerning whether a PDF may qualify as an "Original" without an electronic transmission, where a PDF (or any electronic file format) is transmitted electronically, it cannot qualify as an "Original" as defined in the FIB.
Id. Thus, the court determined that the phishing scam did not implicate forgery coverage.
For similar reasons, the court held that the scam did not implicate coverage under an endorsement for unauthorized signatures. The endorsement amended the insuring agreement for forgery and alteration by adding the following paragraph:
Loss resulting directly from the Insured having accepted, paid or cashed any check or withdrawal order made or drawn on a customer's account which bears the signature or endorsement of one other than the person whose name and signature is on file with the Insured as a signatory on such account, shall be deemed to be a Forgery under this Insuring Clause. It shall be a condition precedent to the Insured's right of recovery under this Coverage that the Insured shall have on the file signature of all persons who are signatories on such account.
Id. at *13-14.
Crown Bank argued that the endorsement provided coverage because Mrs. Rodrigues executed an affidavit of forgery stating that she did not sign the wire transfer forms, and therefore, "the signature on the Forged Wire Forms was of someone other than Mrs. Rodrigues's 'whose name and signature is on file'." Id. at *14. The court rejected the argument, reasoning that the bank had “repeatedly conceded that each of the wire transfer forms bore ‘Mrs. Rodrigues's signature’”; therefore “[a]s Mrs. Rodrigues is an authorized signatory, this loss is squarely outside the plain text of the Rider.” Id. at *14-15. Admittedly, and without further context, the court’s expressed reasoning appears to be a bit of a head-scratcher. In any event, the court further noted that because coverage under the endorsement depended upon satisfying the insuring agreement for forgery coverage, which required possession of an “Original” wire transfer instruction, and because the bank had none, there still could be no coverage.
As discussed above, Insuring Agreement (D) requires that the Bank have possession of a Written, Original document as a condition precedent of coverage. Because the Rider's plain text states that it does not vary any term or limitation of the FIB, it has no effect on the requirement that the Bank retain possession of a Written, Original document before seeking coverage under Insuring Agreement (D). For the reasons stated [above], the Bank does not have possession of a Written, Original of the wire transfer forms, and therefore there is no coverage even under its own interpretation of the Rider.
Id. at *15-16.
Finally, whether the underlying events implicated “computer fraud” coverage under the bank’s crime policy remains an open question. The crime policy’s Computer Systems Fraud Insuring Agreement (CSFIA) covered “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within any Computer System operated by the Insured, whether owned or leased; or any Computer System identified in the application for this policy; or a Computer System first used by the insured during the policy period, as provided by General Agreement A,” provided the entry or change causes:
(ii) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or
. . .
In this Insuring Agreement, Fraudulent Entry or change shall include such entry or change made by an employee of the Insured acting in good faith …
. . .
(b) on an instruction transmitted by Tested telex or similar means of Tested communication identified in the application for this policy purportedly sent by a customer, financial institution or automated clearing house.
Id. at *16-17.
The bank maintained the computer fraud coverage applied because the fraudulent entry or change in data resulted from the emailed wire requests, which the bank contended were instructions “transmitted by Tested telex or similar means of Tested communication identified” in the policy’s application. Id. The policy defined “Tested” as “a method of authenticating the contents of a communication by placing a valid test key on it which has been agreed upon by the Insured and a customer, automated clearing house, or another financial institution for the purpose of protecting the integrity of the communication in the ordinary course of business.” Id. at *17.
The bank argued that the definition for “Tested” was ambiguous, and that therefore the court should afford coverage for the emailed wire requests. However, because neither party apparently provided a construction of the CSFIA insuring agreement, let alone a reasonable one, the court denied the parties’ motions as they related to the coverage part without prejudice and requested further briefing.
What this case means
Just a casual reading of the decision triggers a preliminary question unrelated to coverage: how could bank employees disregard a clear and critical procedural step of verifying the authenticity of a wire transfer, especially in the context of wiring $2.7 million of effectively your boss’s money? For insurers (including underwriters), these underlying facts illustrate that even if an insured has protective procedures in place, there is no guarantee that those procedures will be followed. A possible solution to further reduce the probability and severity of exposure for such events could be to include verification procedures as a condition precedent to coverage. While one court has held that an insurer cannot fault the insured for not uncovering a fraud, another has enforced multi-factor requirements against an insured that failed to adhere to them when they were specifically included as a condition precedent. Compare Cincinnati Ins. Co. v. Norfolk Trucking Ctr., Inc., 2019 U.S. Dist. LEXIS 220076 (E.D. Va. Dec. 20, 2019) (holding that, without more, an insurer cannot fault the insured for not discovering fraud) with Children’s Place, Inc. v. Great Am. Ins. Co., 2019 U.S. Dist. LEXIS 70109 (D.N.J. Apr. 25, 2019) (enforcing requirement that insured telephone customer to verify wire transfer as condition precedent for coverage under Fraudulently Induced Transfers agreement).
It will be insightful to see how the parties interpret the definition for “Tested” under the CSFIA coverage, and how the court will decide the issue. I have my thoughts. Whether the Crown Bank court will follow the lead started by the New Jersey federal court’s decision in Children’s Place remains to be seen.
If you have questions or would like additional information, contact Joshua A. Mooney (email@example.com; 215.864.6345) or another member of the Cyber Law and Data Protection Group.