Coverage for Phishing Loss Precluded by Voluntary Parting Exclusion; Forgery Coverage Not Triggered

February 26, 2020
Insights for Insurers: Cyber Coverage

An insurer recently secured a ruling that it had no obligation to cover a loss incurred as a result of an email phishing scam. In Midlothian Enterprises, Inc. v. Owners Insurance Company, No. 3:19-cv-51 (E.D. Va. Feb. 20, 2020) (Virginia law), a Midlothian employee had complied with an email request, purportedly from the company president, to wire more than $400,000 from Midlothian's bank account to a bank account in Alabama. Several days later, Midlothian discovered the email was fraudulent. Midlothian tendered a claim for coverage of the loss to Owners Insurance Company. When Owners denied coverage, Midlothian instituted a coverage action, alleging both breach of contract and bad faith claims.

The Owners crime policy provided coverage for theft of money and securities, but excluded coverage for "[l]oss resulting from your, or anyone acting on your express or implied authority, being induced by a dishonest act to voluntarily part with title to or possession of any property." The court had no trouble deciding that the exclusion unambiguously precluded coverage. The court rejected the insured's attempt to "create ambiguities" in the exclusion by highlighting terms "with more than one meaning or interpretations that conclude in different results in the interpretation of the exclusion." The court stated: "The fact that a word or phrase has more than one dictionary definition . . . does not make a provision ambiguous."

The court also rejected the insured's argument that a victim of fraud can never act voluntarily, and that the exclusion does not apply where the instruction to make payment is fraudulent: "The fact that another individual pretended to authorize the transaction does not negate the voluntariness of the transfer … ." Consequently, "[a]llowing coverage of a fraudulently authorized transaction despite an exclusion based on 'any dishonest act' would unreasonably limit the exclusion and render the provision meaningless." (Emphasis in original)

The court also rejected the insured's assertion that the claim fell within the policy's coverage for losses involving forgeries of "Covered Instruments." Under the policy, "Covered Instruments" meant checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money. The insured contended that the fraudulent email constituted an order or direction to pay money within the meaning of the policy, while the insurer argued that the order or direction at issue must be similar to a check, draft, or promissory note. The court agreed with the insurer, stating: "Simply put, an email from a business owner telling an employee to wire money to a bank account does not have the same form or legal effect as a check, draft, or promissory note. Thus it does not constitute a 'covered instrument' under the explicit terms of the endorsement."

Finally, the court ruled that, because there was no coverage under the Owners policy, Owners did not act in bad faith by denying coverage for Midlothian's claim.