On August 12, 2022, the U.S. District Court for the District of Minnesota entered an order in favor of Travelers Casualty and Surety Company of America, dismissing the complaint filed by SJ Computers, LLC, a Minnesota-based computer store. The case should serve as a cautionary tale to businesses across the country, underscoring the critical need to closely read the terms of any cyber insurance policies.

SJ Computers fell victim to a business email compromise attack when an attacker gained access to a purchase manager’s email account and sent the company’s CEO purchase orders, purportedly from one of SJ Computers’ existing vendors, Electronic Recyclers International Direct, with the bank account information edited. The CEO, without verifying the new bank information, sent two wire transfers to satisfy the invoices. After the payments had cleared, SJ Computers discovered the fraud and sought coverage under its cyber insurance policy, claiming that the attack was computer fraud rather than social engineering fraud because of the higher limits of coverage available for computer fraud.

While acknowledging that lawyers had only identified three similar cases across the country, the judge identified a key distinction between those cases and this matter. The policy at issue here covers both computer fraud and social engineering fraud and makes clear that the two are mutually exclusive categories. The Travelers policy defines computer fraud, which provides coverage up to $1 million, “as intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a computer system.” Moreover, the policy states that entries or changes made by employees or authorized persons on the basis of fraudulent instructions are not covered as computer fraud. Instead, such actions constitute social engineering fraud (which is what Travelers agreed to cover SJ Computers under), which is defined in the policy as “the intentional misleading of an employee or authorized person by a natural person impersonating [vendors, clients, employees or authorized persons] through the use of a communication.” Unfortunately for SJ Computers, this provision only provides coverage up to $100,000.

Based on the policy language, the court held that the claim was covered under the social engineering fraud provision, rather than the computer fraud provision. In a comment that underscores the important role individuals play in protecting a company, the judge stated:

“SJ Computers did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.”

All businesses with cyber insurance should carefully review their policies and consult with legal counsel and their brokers to fully understand the scope and limitations of what they are purchasing. As bad actors find ever-changing ways to use computers and other technology to carry out attacks on businesses, the circumstances surrounding an attack and the language in these policies become even more critical to ensuring that organizations are properly insured for losses. Moreover, as this case shows, keeping employees vigilant in identifying and acting on any suspicious information they encounter is paramount to keeping an organization safe.

John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.