After suffering from a phishing scam, Door Systems, Inc. (the "appellant"), sought coverage under a cyber-security insurance policy it obtained from CFC Underwriting Limited, Underwriters at Lloyd's, London, and Evolve Cyber Insurance Services, LLC. The parties disputed the scope of coverage, and the appellant filed a complaint against respondents alleging, among others, breach of contract. The trial court sustained a demurrer, concluding the second amended complaint (SAC) did not plead a "direct financial loss" sustained by appellant.
In Door Sys., Inc. v. CFC Underwriting Ltd., No. G062645, 2024 Cal. App. Unpub. LEXIS 3441 (June 3, 2024), the California Court of Appeal resolved the dispute.
On May 13, 2021, the appellant, a leading distributor of integrated fire doors and fire protection smoke curtains, filed a complaint against its cyber-security insurers, alleging causes of action for (1) breach of contract, (2) breach of the covenant of good faith and fair dealing, and (3) declaratory judgment—duty to indemnify. The trial court sustained a demurrer without leave to amend.
The complaint alleged that on January 20, 2021, someone impersonated appellant's president and sent electronic correspondence to "one of [appellant's] clients, X-Act Finish & Trim, Inc." At the time, X-Act owed appellant at least $395,000 for products ordered from appellant. The impersonator demanded $395,000 and provided wire directions for payment. X-Act complied but was later informed by appellant that the money had not been deposited into appellant's account. Subsequently, appellant and X-Act conducted an investigation and were able to recover $160,419.20, leaving a balance of $234,580 that appellant sought to recover from respondents.
The trial court sustained the demurrer to the SAC without leave to amend, ruling that the SAC failed to state facts sufficient to constitute a claim. The plaintiff failed to allege a loss sustained by the appellant. Instead, the appellant alleged X-Act paid the fraudster.
The allegation that the appellant could not collect the funds from X-Act because the "imposter rule" of the Uniform Commercial Code (UCC) was unfounded. A wire transfer is a "payment order." Thus, the imposter rule did not apply. The imposter rule would not prevent the appellant from recovering the lost funds from X-Act.
When the imposter later demanded payment of the invoiced amount, X-Act wired the monies to an account not controlled by the appellant. The appellant and X-Act later recovered a portion of the wired funds. Even if the transferred funds were specifically earmarked to pay X-Act's debt to the appellant, X-Act still had an obligation to pay its remaining debt to the appellant because money is fungible.
The California Court of Appeal concluded that the appellant did not suffer a direct financial loss from the phishing scam. Without a direct financial loss, coverage was not triggered. Thus, the trial court properly sustained the demurrer to the First Cause of Action for breach of contract.
Without a breach of contract, there was no breach of the covenant of good faith and fair dealing. The trial court properly sustained the demurrer to the Second Cause of Action.
The judgment was affirmed. Respondents were entitled to their costs on appeal.
An insurance policy, like the cyber-security policy involved here, promises to indemnify the insured in case of an insured against loss. Since only X-Act suffered a loss by paying the phisher and sent money it owed to the appellant to a criminal, the appellant incurred no loss, and it can still collect what it is owed from X-Act, who did not have a cyber-security policy.
© 2024 Barry Zalma, Esq., CFE
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.