Last month, the 11th Circuit ruled that a commercial crime insurance policy must indemnify a technology consulting firm that was duped out of $1.7 million in an email phishing scam.
Principle Solutions Group, Inc. was an information technology & services company that provided IT staffing and consulting. It merged with Eliassen Group in September of 2017. Before the merger, Principle was the victim of a business email compromise scam.
Business Email Compromise
On the morning of July 8, 2015, at 9:10 a.m., Loann Lien, the controller for Principle, received an email purporting to be from Josh Nazarian, a managing director of Principle. The email informed Lien that Principle had been secretly working on a “key acquisition” and asked her to wire money “in line with the terms agreed ... as soon as possible.”
As for the details of the wire transfer, the email told Lien to give her “full attention” to “attorney Mark Leach,” who would provide further information. Because the purported deal was not public, Lien was to “treat [the] matter with the upmost discretion and deal solely with” Leach. Lien responded to Nazarian’s purported email that she would give her “total attention” to Leach.
Lien received an email five minutes later from someone purporting to be Leach, a partner at the London-based law firm Bird & Bird. After Lien confirmed that Principle could wire the money, Leach sent Lien remittance details for a bank in China. Leach later reiterated to Lien over the phone that Nazarian approved the wire transfer.
Lien worked with another Principle employee to create and approve the transfer, but Wells Fargo's fraud prevention service asked for verification that the wire transfer was legitimate. Lien then confirmed with Leach that Nazarian had approved the transaction. Lien relayed this information to Wells Fargo, which released the funds.
About two hours after Lien received the first email, Principle wired more than $1.7 million to the scammers.
Lien discovered that the request was fraudulent a day later when she spoke with Nazarian, who told her that he was not even in the office that day. Nazarian promptly called Wells Fargo to report the fraud, but neither Principle nor law enforcement could recover the funds.
$1.7 Million gone!
This Is Why Principle Bought Insurance?
Principle sought coverage for the loss under its insurance policy with Ironshore. The policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.”
Ironshore denied coverage. It asserted that Nazarian’s purported email did not “direct[ ] a financial institution to debit [Principle’s] transfer account” because it only told Lien to await instructions from Leach.
Ironshore also argued that the asserted loss did not “result[ ] directly from” a fraudulent instruction because Leach conveyed necessary details to Lien after the initial email and Wells Fargo held the transaction, both of which were intervening events between the instruction and the loss.
Principle filed a complaint against Ironshore in Georgia state court seeking payment under the policy. Ironshore removed the case to federal court based on diversity jurisdiction.
The parties filed competing motions for summary judgment. Although the district court concluded that the policy provision was ambiguous, it held that Georgia’s rule requiring construction of insurance policies in favor of policyholders required it to grant partial summary judgment to Principle on its coverage claim. In other words, Ironshore would have to pay for the loss.
Ironshore appealed to the 11th Circuit.
Ironshore argued that it was justified in denying coverage because: (1) no communication between the scammers and Lien triggered the fraudulent-instruction provision, and (2) the loss did not “result  directly from” any alleged fraudulent instruction.
The 11th Circuit disagreed with the first argument. The Court decided that the "fraudulent instruction" from the scammer purporting to be Nazarian unambiguously falls within the coverage provision.
The Court also disagreed with Ironshore on the argument that the loss did not "result directly from" the fraudulent instruction. The Court explained that Nazarian’s purported email told Lien that Leach would contact her and provide further details on the wire request. And although Wells Fargo’s involvement was not inevitable, it was certainly foreseeable. The email proactively sought to avoid third-party interference by requiring Lien to “deal solely” with Leach. Because of this instruction, the scammers could circumvent Wells Fargo’s fraud-prevention process; through a series of phone calls and emails between Leach and Lien, they fabricated the precise information that Wells Fargo required to release the hold.
Hence, the two “causes” that Ironshore asserts intervened between Nazarian’s purported email and Principle’s loss (Lien’s communications with Leach and Wells Fargo’s involvement) did not sever the causal chain. Both were foreseeable consequences of the email.
Ultimately, the 11th Circuit ruled that Principle can recover under its commercial-crime policy, even though the company’s controller had to override a fraud-prevention hold to effectuate the wire transfer.
This case is cited as Principle Solutions Group, LCC v. Ironshore Indemnity, Inc. United States Court of Appeals, Eleventh Circuit, No. 17-11703
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP