Although the law firm managed to recover around $800,000, it made a claim for its net loss under a computer fraud rider to its policy with Trisura. But the insurer refused to pay out, claiming that the incident was not covered because the transfer of funds itself was not fraudulent.
In addition, the insurer noted that Dentons had turned down the opportunity to add a social engineering fraud rider offered by Trisura, and claimed other exclusions in the policy applied.
That prompted the law firm to apply for a declaration that the insurer is in breach of its policy and has a duty to pay up. Brown’s decision came when Trisura moved to convert the application to an action, and Dentons responded by narrowing its application to call for an advisory opinion on the interpretation of the computer fraud rider. Her Dec. 11 ruling went in favour of Trisura.
“Determining the advisory question, at this juncture is not, in all circumstances, an expeditious or efficient use of judicial time and resources,” the judge wrote, noting that an action would deliver a full factual matrix, allowing the court to make a more comprehensive determination of the issues.
Nina Bombier, a partner at Lenczner Slaght Royce Smith Griffin LLP who acted for Dentons, says the court missed an opportunity to flesh out Canada’s extremely limited caselaw on coverage in the context of these types of fraud.
“In our view, it would have been more efficient to get an initial interpretation of the computer fraud rider, because if it isn’t broad enough to cover what happened here, then everything else ends,” she says. “There is a bit of caselaw around this issue in the U.S. which cuts both ways, so it would have been helpful to get some law here. It’s an important issue, because with cyber security issues, the fraudsters are getting more and more creative all the time.”
In the 2017 Alberta case of The Brick Warehouse L.P. v. Chubb Insurance Company of Canada, the retailer was denied coverage under its crime policy after falling for a similar scam, but Bombier insists the breadth of the language in Dentons’ policy means her clients should be covered.
Chris McKibbin, a partner at Blaney McMurtry LLP who acted for Trisura, declined an opportunity to comment.
In a statement to Law Times, Dentons spokesperson Neetisha Seenundun said the firm has a training regime in place to deal with phishing attacks and cybersecurity.
“The training is updated and repeated annually. Participation is mandatory by all Dentons partners and employees,” she wrote, noting that the content has been “adjusted to highlight the hallmarks of this kind of fraud.”
Seenundun says no firm policies were broken during the transaction, explaining that scammers were able to obtain details about the timing of the real estate deal at the heart of the case after breaching the computer systems of a third party, and then impersonating its representatives.
“We have not been targeted by this scheme on any other occasion, although it is public knowledge that other law firms have been, as the Law Society of B.C. has issued alerts regarding this fraud to its members,” she added.
According to Brown’s decision, Dentons acted for a client in the sale of a property which closed on Dec. 30, 2016. Around $2.5 million of the proceeds was earmarked to pay off part of a mortgage held by a third party, whose bank details were provided to the law firm for a transfer to occur on the next business day, Jan. 3 2017.
However, on the day of the transfer, Brown’s decision says emails purportedly from the mortgage holder asked for the funds to be sent instead to an international account, due to an audit going on at its Canadian bank provider. After requesting and apparently receiving letters of authorization, Dentons wired the money to a Hong Kong bank account, only to discover days later that the real mortgage holder was still waiting on the funds.
Jason Green of Hexigent Consulting, a digital investigation and cyber security company geared towards law firms, says the case sounds all-too familiar.
“I wish I could say this was unique, but it’s not. We see it in multiple industries, where it looks like legitimate emails have been received at the last minute from CEOs who are travelling and otherwise unreachable,” he says.
“Once the money has been sent, it’s very hard to trace, because you’re dealing with law enforcement in several jurisdictions.”
Michael Lesage, a Toronto insurance lawyer uninvolved in the case, says he will be following its progress closely.
“It’s going to come down to the specific language of the policies, both in terms of coverage and exclusions,” he says.
“This is certainly an emerging area of law, and that will likely lead to numerous coverage disputes in the future.”