Cyber Law Blog
December 17, 2019

Eleventh Circuit Affirms Coverage for $1.7M Fraudulent Instruction Loss

BY: Jason Taylor

In Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., 2019 WL 6691509 (Dec. 9, 2019), the Eleventh Circuit Court of Appeals was asked to decide whether a loss of more than $1.7 million to scammers was covered under a commercial crime insurance policy issued by Ironshore. The loss stemmed from a sophisticated email phishing scheme in which a scammer posing as an executive of Principle Solutions Group, LLC, persuaded an employee to wire money to a foreign bank account. The fraudulent email referenced a company acquisition and instructed the controller to “treat the matter with the utmost discretion.” The email also instructed the controller to work with another attorney to ensure that the wire go out that day. The employee then logged into the company’s online account to enable the approval function and to verify the capability to wire internationally in different forms of currency. She instructed another Principle employee to create the wire, approved the transfer, and then provided verification to the financial institution’s fraud prevention unit to release the wire.

After Principle discovered the fraud and determined that it could not recover the funds, it sought coverage under the “fraudulent instruction” provision of its crime policy with Ironshore Indemnity, Inc. The policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.” Ironshore denied coverage, asserting that the fraudulent email did not “direct[] a financial institution to debit [Principle’s] transfer account” because it only told the employee to await instructions from an attorney. Ironshore also argued that the asserted loss did not “result[] directly from” a fraudulent instruction because the “attorney” conveyed necessary details to the employee after the initial email and the financial institution held the transaction until it was approved by the Principle employee, both of which were intervening events between the instruction and the loss. Principle filed a declaratory complaint against Ironshore seeking payment under the policy and alleging that Ironshore had acted in bad faith.

The parties filed competing motions for summary judgment. The district court concluded that the policy provision was ambiguous, and held that Georgia’s rule requiring construction of insurance policies in favor of policyholders required it to grant partial summary judgment to Principle on its coverage claim. The district court reasoned that Principle could only act through its officers and employees, and if an employee interaction between the fraud and the loss was enough to allow Ironshore to be relieved from paying under the provision at issue, the provision would be rendered “almost pointless” and would result in illusory coverage. On the other hand, the district court acknowledged that Ironshore’s interpretation, which would require a direct link between the injury and its cause, was also reasonable. In such cases where there are two reasonable interpretations of the policy language, the court must construe the policy in the light most favorable to the insured and provide coverage.

The U.S. Court of Appeals for the Eleventh Circuit affirmed the district court’s ruling, albeit on different grounds. The Eleventh Circuit found that the email purporting to be from the Principle executive, which informed the employee of the need to wire money and told her to await further instructions from the “attorney,” qualified as a fraudulent instruction. It was, after all, a “fraudulently issued” “electronic . . . instruction” that “purport[ed] to have been issued by an employee . . . without [Principle’s] or the employee’s knowledge or consent.” The Appeals Court rejected Ironshore’s argument that the email did not “direct” Principle to pay money out of its accounts, as the coverage provision required, but rather only instructed the employee to work with a third-party “attorney” to wire funds later in the day. According to the Appeals Court, the email could not be construed as doing anything but “directing a financial institution to debit [Principle’s] transfer account and transfer . . . money . . . from that account.” The email told the employee “I will need you to make the initial wire as soon as possible, for which you have my full approval to execute.”

Further, even if it is assumed that the email needed additional details before it could fairly be construed as “directing” a wire transfer, the Eleventh Circuit reasoned that the later email from the “attorney” identified the amount of the wire transfer, the recipient bank, and the purported beneficiary of the transfer. That email, according to the Appeals Court, remedied any possible lack of detail. In rejecting Ironshore’s initial argument, the Appeals Court held that reading the emails together left no doubt that they were part of the same fraudulent instruction, and there was nothing in the policy language warranting the assumption that the two emails could not be part of the same fraudulent instruction.

Ironshore also argued that Principle’s losses did not “result directly from” a fraudulent instruction because the loss depended on the employee’s conversations with the “attorney” and its financial institution to release the wire, which occurred after the fraudulent email told the employee to wire money. In other words, the link between the email and loss was not “immediate” or was otherwise interrupted by one or more intervening causes.

The Eleventh Circuit reasoned that the ordinary meaning of the phrase “resulting directly from” required proximate causation between a covered event and a loss, not necessarily an “immediate” link. According to the Appeals Court, neither of the two “causes” that Ironshore asserted intervened between the initial fraudulent email and Principle’s loss—the employee’s communications with the attorney or the financial institution’s involvement—severed the causal chain. Both were foreseeable consequences of the email. For example, the email told the employee that an attorney would contact her and provide further details on the wire request. And although the bank’s involvement was not inevitable, it was certainly foreseeable. The scammers attempted to circumvent the bank’s fraud-prevention process through a series of phone calls and emails to fabricate the precise information that the financial institution required to release the wire. In other words, not only did the scammers foresee that a fraud prevention service might get involved, they put a system in place to circumvent that risk. Therefore, the loss resulted directly from a fraudulent instruction as required under the policy.

The Eleventh Circuit decision also included a dissent. The dissent disagreed with the majority’s conclusion that the fraudulent email unambiguously directed a “financial institution” to transfer funds. Furthermore, the dissent argued that the bank’s intervention presented a jury question as to whether Principle’s loss was proximately caused by the email, and therefore created a fact question that the district court impermissibly removed from the jury’s consideration.