The federal district court granted in part, denied in part, the insurer's motion to dismiss a claim for computer fraud submitted under the insurer's crime protection policy. Childrens Place, Inc. v. Great Am. Ins. Co., 2019 U.S. Dist. LEXIS 70109 (D. N. J. April 25, 2019).
On July 24, 2017, The Children Place Inc. (TCP) learned that two payments totaling $967,714 were made to an unauthorized third party (the Hacker) instead of TCP's vendor, Thailand-based Universal Apparel Co., Ltd. (Universal). The Hacker intercepted an email conversation between TCP and Universal, inserted itself into the conversation, requested a change of bank information, and fraudulently directed TCP to pay Universal using the new bank account number set up by the Hacker. The Hacker's fraud took place over a six week period. TCP was unable to recover any of the funds transferred.
TCP was insured under the crime protection policy that included coverage for computer-related crime and social engineering schemes. The insurer denied coverage and suit was filed.
The insurer moved to dismiss. The court first found that TCP had sufficiently stated a claim for computer fraud under the policy. "Computer fraud" included "the use of any computer . . . to gain direct access to [TCP's] computer system." TCP alleged, "The Hacker, through the use of a computer . . . accessed and infiltrated Universal's web email service . . . and inserted itself into TCP's email conversation." The insurer contended that these allegations did not mean the Hacker actually accessed TCP's email system. But any factual issue as to whether the Hacker actually accessed TCP's email system could not be decided on a motion to dismiss.
The insurer also argued there was no causation alleged because the complaint did not claim that the Hacker's activities fraudulently caused the transfer of money. At the motion to dismiss stage, however, the court was obligated to accept the plaintiff's factual allegations as true. Here, TCP alleged that its "employees transferred the Loss to the Hacker as a direct result of the Hacker's access to TCP and Universal's emails." Questions as to the cause of the loss were left for a jury or for summary judgment.
The court agreed with the insurer, however, that TCP had not adequately pled "forgery or alteration" under the policy. The policy defined forgery or alteration as "loss resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises . .. . to pay a sum certain in money that are . . . made or drawn upon you." TCP argued that a letter forging Universal's signature was a written direction to pay a sum certain in money under the policy. But the letter did not reference "a sum certain in money." Accordingly, TCP did not state a claim for declaratory relief or breach of contract under the policy's coverage for "forgery or alteration."
Nor did TCP adequately state a claim for "fraudulently induced transfers." TCP failed to comply with the policy's requirement that it call Universal before forwarding the payment. The complaint did not allege that this condition precedent was satisfied. Instead, TCP contended that "application of the verification requirement would result in illusory coverage and cannot be given effect." The court disagreed. The policy did not require that TCP successfully verify the authenticity and accuracy of a payment instruction, only that it attempt to convey the transfer.
Therefore, the motion to dismiss was granted in part and denied in part. TCP was given leave to amend its complaint with respect to its claims for forgery or alteration and fraudulently induced transfers.
