THE CHILDRENS PLACE, INC. v. GREAT AMERICAN INSURANCE COMPANY, No. 2:2018cv11963 - Document 16 (D.N.J. 2019)

Court Description: OPINION. Signed by Judge Esther Salas on 4/25/2019. (sm)
Download PDF
THE CHILDRENS PLACE, INC. v. GREAT AMERICAN INSURANCE COMPANY Doc. 16 Not for Publication UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY THE CHILDRENS PLACE, INC., Plaintiff, v. GREAT AMERICAN INSURANCE COMPANY, Defendant. : : : : : : : : : : : Civil Action No. 18-11963 (ES) (JAD) OPINION SALAS, DISTRICT JUDGE Before the Court is Great American Insurance Company’s (“Defendant’s” or “GAIC’s”) motion to dismiss The Children Place, Inc.’s (“Plaintiff’s” or “TCP’s”), Complaint (D.E. No. 1 (“Compl.”)) under Federal Rule of Civil Procedure 12(b)(6). (D.E. No. 4). The Court decides the motion without oral argument. See D.N.J. Civ. R. 78.1(b). For the following reasons, Defendant’s motion is DENIED-in-part and GRANTED-in-part. I. Background A. Factual Background The Court will “set out facts as they appear in the Complaint . . . .” See Bistrian v. Levi, 696 F.3d 352, 358 n.1 (3d Cir. 2012). “On July 24, 2017, TCP learned that two payments totaling $967,714.29 were made to an unauthorized third party (the ‘Hacker’) instead of TCP’s vendor, Thailand-based Universal Apparel Co., Ltd. (‘Universal’).” (Compl. ¶ 6). Plaintiff alleges that the unauthorized payments occurred as follows. The Hacker, “through the direct use of a computer, falsified email domain names to appear virtually identical to those of individuals working at Universal;” “accessed and Dockets.Justia.com infiltrated Universal’s web email service[;] and intercepted emails sent between Universal and TCP.” (Id. ¶¶ 7–8). In addition, the Hacker “through the use of a computer, was also able to intercept TCP’s Vendor Setup Form, which includes payment instructions, and send it to Universal, making it appear to come from TCP. Universal completed the form and returned it to the Hacker, believing it to be from TCP.” (Id. ¶ 10). “The Hacker then altered the payment instructions on the Vendor Setup Form to include directions to pay a bank account associated with the Hacker, SITI UMIROH.” (Id. ¶ 11). The Hacker thus “changed the contact information for Universal on th[at] Vendor Setup Form” and “sent the forged Vendor Setup Form to TCP.” (Id.). Finally, the Hacker “intercepted Universal’s letterhead” and sent a letter to TCP on that letterhead dated June 13, 2017, stating that “that SITI UMIROH, the beneficiary on the Vendor Setup Form, was a branch of Universal and that Universal changed its bank account information due to an audit.” (Id. ¶ 12). “The forged letter . . . direct[ed] TCP to pay Universal using a new bank account number [and] was then emailed to TCP . . . .” (Id.). In sum, then, the Hacker “intercepted an email conversation between TCP and Universal;” “inserted itself into the conversation;” “requested a change of bank information;” and fraudulently “direct[ed] TCP to pay Universal using [the] new bank account number.” (See id. ¶¶ 9 & 12). “The Hacker’s fraud[] . . . took place over a 6-week period . . . .” (Id. ¶ 15). “On July 14, 2017, TCP made a $498,753.58 payment to . . . the altered bank account operated by the Hacker.” (Id. ¶ 13). And “[o]n July 17, 2017, TCP made a second payment to the same account in the amount of $468,960.71.” (Id. ¶ 14). Plaintiff alleges that “[t]he Hacker’s fraudulent emails . . . caused TCP to transfer th[at] money to the Hacker.” (Id. ¶ 15). “TCP was unable to recover any of the funds transferred, resulting in a loss of $967,714.29” (the “Loss”) and other damages. (Id. ¶ 16). -2- B. Parties’ Agreement “At the time of the transfers, TCP was insured by a Crime Protection Policy, including coverage for computer-related crime and social engineering schemes, issued by GAIC . . . with an effective period of March 1, 2017 to March 1, 2018 (the ‘Policy’).” (Id. ¶ 17).1 In relevant part, the Policy provides coverage for (i) “Computer Fraud;” (ii) “Forgery or Alteration;” and (iii) “Fraudulently Induced Transfers.” (See generally id. ¶¶ 19–24). The Policy defines “Computer Fraud” as loss resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system, or to the computer system of your financial institution, and thereby fraudulently cause the transfer of money, securities or other property from your premises or banking premises to a person, entity, place or account outside your control. (See id. ¶ 21; D.E. No. 1-1 at 10). (“You” and “your” refer to TCP. (See D.E. No. 1-1 at 9).) The Policy defines “Forgery or Alteration” as “loss resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money that are . . . made or drawn by or drawn upon you . . . . ” (D.E. No. 11 at 9; see also Compl. ¶ 19). And the Policy defines “Fraudulently Induced Transfers:” A transfer resulting from a payment order transmitted from you to a financial institution, or a check drawn by you, made in good faith reliance upon an electronic, telefacsimilie, telephone or written instruction received by you from a person purporting to be an Employee, your customer, a Vendor or an Owner establishing or changing the method, destination or account for payments to such Employee, customer, Vendor or Owner that was in fact transmitted to you by someone impersonating the Employee, customer, Vendor The Policy is appended as “Exhibit A” to the Complaint. (D.E. No. 1-1). The Court may consider it as “a document integral to or explicitly relied upon in the [C]omplaint.” See, e.g., Sunshine v. Reassure Am. Life Ins. Co., 515 F. App’x 140, 143 (3d Cir. 2013) (emphasis deleted). And the Court will cite it by reference to its CM/ECF pagination in the upper-righthand corner. 1 -3- or Owner without your knowledge or consent and without the knowledge or consent of the Employee, customer, Vendor or Owner. (Compl. ¶ 23; D.E. No. 1-1 at 47). But the Policy also provides, in relevant part, a “condition precedent” for coverage for “Fraudulently Induced Transfers:” that before forwarding [a] payment order to a financial institution or issuing [a] check, you verified the authenticity and accuracy of the [payment] instruction received . . . , including routing numbers and account numbers by calling, at a predetermined telephone number, the [person] who purportedly transmitted the instruction to you. (Compl. ¶ 24; D.E. No. 1-1 at 48). Plaintiff submitted the Loss “to GAIC for coverage under [those provisions of] the Policy.” (See Compl. ¶ 25). But “[o]n May 25, 2018, GAIC denied coverage.” (Id. ¶ 26). C. Instant Complaint On July 23, 2018, Plaintiff’s filed the Complaint. (D.E. No. 1). The Complaint brings two claims: declaratory relief (see Compl. ¶¶ 27–30) and breach of contract (see id. ¶¶ 31–37) with respect to each basis for coverage listed above (see id. ¶¶ 57 & 65). Defendant moved to dismiss, contending that the loss described by Plaintiff is not covered under the Policy’s coverage for “Computer Fraud;” the loss described by Plaintiff is not covered under the Policy’s coverage for “Forgery or Alteration;” and Plaintiff “failed to comply with a condition precedent” under the Policy’s coverage for “Fraudulently Induced Transfers.” (See generally D.E. No. 4-1 (“Def. Br.”)). Plaintiff disputes all of those points. (See generally D.E. No. 6 (“Pl. Br.”) at 1). In part, the Court agrees: Plaintiff has stated claims for declaratory relief and breach of contract under the Policy’s “Computer Fraud” coverage, but not under the Policy’s “Forgery or Alteration” and “Fraudulently Induced Transfers” coverage. The Court will discuss each in turn. -4- II. Legal Standard: Federal Rule of Civil Procedure 12(b)(6) Federal Rule of Civil Procedure 8(a)(2) requires that a complaint contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” But in order to survive a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), the complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 556). But a complaint’s “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” Iqbal, 556 U.S. at 678, cannot “nudge[] [a plaintiff’s] claims across the line from conceivable to plausible,” Twombly, 550 U.S. at 570. In evaluating a motion to dismiss, the Court is “required to accept as true all allegations in the complaint and all reasonable inferences that can be drawn from them after construing them in the light most favorable to the nonmovant.” See, e.g., McDermott v. Clondalkin Grp., Inc., 649 F. App’x 263, 266 (3d Cir. 2016). And “[w]hen presenting a Rule 12(b)(6) motion, the defendant bears the burden to show that the plaintiff has not stated a claim.” Davis v. Wells Fargo, 824 F.3d 333, 349 (3d Cir. 2016). III. Analysis A. “Computer Fraud” As just observed, Defendant “bears the burden to show that [P]laintiff has not stated a claim.” See id. Defendant offers “at least two reasons” as to why the Loss is not covered under the Policy’s coverage for “Computer Fraud” and hence that Plaintiff has not stated a claim. (See Def. Br. at 11–14; see also D.E. No. 8 (“Def. Reply”) at 12–15). Those two reasons are: -5- • “First, although the complaint alleges that the [Hacker] accessed Universal’s email system, it does not allege facts to show that the [Hacker] ‘gain[ed] direct access’ to a computer system that belonged to TCP or its financial institution.” (Def. Br. at 12). • “Second, even if the Court finds that the [Hacker] directly accessed TCP’s email system, TCP’s loss would not be covered because the [Hacker] did not ‘thereby fraudulently cause the transfer of money . . . from [TCP’s] premises or banking premises to a person, entity, place or account outside [TCP’s] control.’” (Id. at 13). But neither of these reasons persuades the Court that Plaintiff has not stated a claim on the basis that the Loss is not covered under the Policy’s coverage for “Computer Fraud.” First, as Defendant suggested above, “Computer Fraud” is defined in relevant part to include “the use of any computer . . . to gain direct access to [TCP’s] computer system . . . .” (See Compl. ¶ 21; D.E. No. 1-1 at 10). Here, Plaintiffs allege: “The Hacker, through the use of a computer, . . . accessed and infiltrated Universal’s web email service;” “intercepted emails sent between Universal and TCP;” and “inserted itself into [TCP’s email] conversation.” (Compl. ¶¶ 8–9). Plaintiffs also suggests that when “the Hacker redirected [email] messages to go to him,” he “effectively gained access to TCP’s email system” because “an email system that does not send the messages to the intended recipient is no longer under the control of the sender.” (Id. ¶ 39). Defendant asserts that these allegations “do[] not mean the [Hacker] actually accessed TCP’s email system.” (Def. Br. at 12–13 (emphasis added)). But Defendant does not cite any legal authority in support of that proposition (see id.);2 and the Court is persuaded by Plaintiff’s legal authority to In its reply, Defendant cites cases in support of the proposition that “the mere sending of an email” is not the kind of “direct access” required by the Policy’s definition of “Computer Fraud.” (See Def. Reply at 13–14 (citing, e.g., Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017)). Here, however, the Complaint does not allege that the Hacker engaged in “the mere sending of an email;” the Complaint, to reiterate, alleges that “[t]he Hacker, through the use of a computer, . . . accessed and infiltrated Universal’s web email service;” “intercepted 2 -6- the contrary (see Pl. Br. at 5–7 (citing Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 478 (S.D.N.Y. 2017); Medidata Sols Inc. v. Fed. Ins. Co., 729 F. App’x 117, 118 (2d Cir. 2018)).3 Furthermore, any factual issue as to whether the Hacker “actually” accessed TCP’s email system through its “infiltrat[ion],” “intercept[ion],” and “insert[ion]” (see Compl. ¶¶ 8–9) cannot be resolved against Plaintiff on a motion to dismiss. See Morganroth & Morganroth v. Norris, McLaughlin & Marcus, P.C., 331 F.3d 406, 416 (3d Cir. 2003) (recognizing that “factual questions” could not “be resolved on a 12(b)(6) motion to dismiss”); Scherer Design Grp., LLC v. Ahead Eng’g LLC, No. 18-2835, 2019 WL 937176, at *2 (3d Cir. Feb. 25, 2019) (suggesting that a question of computer access is properly the subject of expert testimony). Second, Defendant argues that the Complaint does not plausibly allege satisfaction of the causation requirement in the Policy’s “Computer Fraud” coverage. (See Def. Br. at 13; D.E. No. 1-1 at 10 (requiring that the Hacker’s activities have “fraudulently cause[d] the transfer of money”)). Defendant asserts that the Hacker’s activities “were not the cause of the actual funds transfers.” (Def. Reply at 15; see also Def. Br. at 13–14). But, “at the motion to dismiss stage, the. . . Court [i]s obliged to accept [Plaintiff]’s factual allegations as true and to draw reasonable inferences regarding causation in her favor.” See, e.g., Conard v. Penn. State Police, 902 F.3d 178, 184 (3d Cir. 2018). Here, Plaintiffs allege that “TCP’s employees transferred [the Loss] to emails sent between Universal and TCP;” and “inserted itself into [TCP’s email] conversation.” (See Compl. ¶¶ 8–9 (emphases added)). In Medidata, the defendant had argued that a hack was not “Computer Fraud” under the insurance policy in that case because the hacker’s spoofed emails “did not require access to Medidata’s computer system.” See 268 F. Supp. 3d at 476. The court rejected that argument and concluded that “the fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity.” Id. at 478. The Court of Appeals affirmed. Mediadata,729 F. App’x 117. Although Mediadata is neither binding nor directly on point, the Court finds it persuasive. See, e.g., United States v. Schoolcraft, 879 F.2d 64, 73 (3d Cir. 1989) (“While these decisions are not binding us, we find their reasoning persuasive.”). 3 -7- the Hacker as a direct result of the Hacker’s access to TCP and Universal’s emails, the forged letter, and altered Vendor Setup Form.” (Compl. ¶ 40; see also Pl. Br. at 8 (“TCP suffered a direct loss because its employees only initiated and approved the transfers as a direct result of the hacker posing as Universal’s employees sending the emails.”). These “allegations do not lack plausibility.” See, e.g., Conard, 902 F.3d at 184. And further questions as to the “cause of the loss . . . should be left for a jury” or summary judgment. See, e.g., Jefferson Bank v. Progressive Cas. Ins. Co., 965 F.2d 1274, 1285 (3d Cir. 1992); Dougherty v. Allstate Prop. & Cas. Ins. Co., 681 F. App’x 112, 114–16 (3d Cir. 2017) (discussing a question of causation under an insurance policy on summary judgment); Regents of Mercersburg Coll. v. Republic Franklin Ins. Co., 458 F.3d 159, 162 (3d Cir. 2006) (recognizing that a question of causation under an insurance policy required “extensive factual and expert discovery”). Defendant’s proposed conclusion—that the Hacker’s activities “were not the cause of the actual funds transfers” (see Def. Reply at 15; Def. Br. at 13–14)—is “premature at the motion to dismiss stage.” See, e.g., Conard, 902 F.3d at 184.4 B. “Forgery or Alteration” Defendant contends that Plaintiff has failed to state a claim under the Policy’s coverage for “Forgery or Alteration” in part because “the Vendor Setup Form and the letter that it received on Universal’s letterhead . . . do not promise, order, or direct the payment of ‘a sum certain.’” (See Def. Br. at 11). The Court agrees. The Policy defines “Forgery or Alteration” as “loss resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money that are . . . made or drawn by or drawn upon you . . . . ” (D.E. No. 1- 4 For the above reasons, the Court presently need not resolve the apparent tension in cases the parties cite on this point for persuasive authority. (See, e.g., Pl. Br. at 9–10 (citing American Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am., 895 F. 3d 455 (6th Cir. 2018)); Def. Reply at 14–15 (citing Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016)). -8- 1 at 9; see also Compl. ¶ 19). The Complaint asserts that the Vendor Setup Form and “June 13, 2017 letter, forging Universal’s signature” are “similar written . . . directions to pay a sum certain in money” under the Policy. (See Compl. ¶¶ 31–32; see also Pl. Br. at 12–18). But neither of these documents references “a sum certain in money.”5 And to the extent Plaintiff contends that nondescript “falsified email communications” (see Compl. ¶ 33) or “various emails relating to outstanding invoices” (Pl. Br. at 17 (emphasis added) (emphasis deleted)) are “similar written . . . directions to pay a sum certain in money,” Plaintiff does not specifically identify the emails, and so the Court cannot interpret whether they are “similar” to “checks, drafts, promissory notes” as required by the Policy. (See D.E. No. 1-1 at 9 (emphasis added)); see also Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 628 (9th Cir. 2017) (ruling that certain fraudulent “emails instructing [a party] to wire money were not . . . like checks, drafts, or the like” (emphasis added)). Accordingly, Plaintiff has not stated a claim for declaratory relief or breach of contract under the Policy’s coverage for “Forgery or Alteration.” See, e.g., Sandvik, Inc. v. Cont’l Ins. Co., 724 F. Supp. 303, 309 (D.N.J. 1989) (“Consideration concerning the requested declaratory judgment cannot be undertaken without determining whether the [relevant] events . . . trigger coverage under the [insurance] polic[y].”). C. “Fraudulently Induced Transfers” Defendant contends that Plaintiff has failed to state a claim under the Policy’s coverage for “Fraudulently Induced Transfers” because “TCP failed to comply with the condition precedent by not attempting to call Universal at a predetermined number to verify, inter alia, the routing and account numbers for the two payments at issue.” (Def. Br. at 6). The Court agrees. The Court may consider these documents as “integral to or explicitly relied upon in the [C]omplaint.” See, e.g., Sunshine, 515 F. App’x at 143 (emphasis deleted); (see Compl. ¶¶ 31–32). Defendant has appended the documents to its motion to dismiss. (D.E. No. 4-2 Exs. 1-A & 1-B). And Plaintiff has not challenged their authenticity. (See Pl. Br. at 12–18). 5 -9- As noted above, the Policy contains a “condition precedent” for coverage for “Fraudulently Induced Transfers:” “that before forwarding the payment order to a financial institution . . . , [TCP] verif[y] the authenticity and accuracy of the [payment] instruction received.” (Compl. ¶¶ 22–24; D.E. No. 1-1 at 48). The Complaint does not allege that Plaintiff complied with this condition precedent; instead, Plaintiff contends that “application of the verification requirement would result in illusory coverage and cannot be given effect.” (See, e.g., Compl. ¶ 52). But Plaintiff’s argument in support of this proposition depends on an untenable assumption: that the condition precedent “requir[es] that TCP successfully verify . . . the authenticity and accuracy of [a payment] instruction.” (Pl. Br. at 19). As Plaintiff itself recognizes, however, such an interpretation “is absurd” and would “render coverage illusory.” (See Pl. Br. at 19). The Court must “decline to construe [the Policy] in a manner that makes promises in the coverage section illusory.” See, e.g., Customized Distrib. Servs. v. Zurich Ins. Co., 862 A.2d 560, 568 (N.J. Super. App. Div. 2004) (citing Russell v. Princeton Labs., Inc., 231 A.2d 800 (N.J. 1967)).6 Hence the Court will adopt the alternative interpretation of the condition precedent identified by both parties: “that TCP . . . attempt to verify the authenticity and accuracy of the [payment] instruction.” (See Pl. Br. at 19; Def. Reply at 2–3); see also RAIT P’ship, L.P. v. Hudson Specialty Ins. Co., No. A-5251-14T4, 2017 WL 1398836, at *4 (N.J. Super. Ct. App. Div. Apr. 19, 2017) (rejecting an interpretation of an insurance policy that “would lead to [an] absurd result”). IV. Conclusion For the foregoing reasons, the Court DENIES-in-part and GRANTS-in-part Defendant’s motion to dismiss. If Plaintiff wishes to amend the Complaint with respect to coverage for “There is no dispute that New Jersey law governs the contract claims herein.” See, e.g., Sheet Metal Workers Int’l Ass’n Local Union No. 27, AFL-CIO v. E.P. Donnelly, Inc., 737 F.3d 879, 900 n.22 (3d Cir. 2013). 6 - 10 - “Forgery or Alteration” or “Fraudulently Induced Transfers,” Plaintiff is granted leave to amend within thirty days of this Opinion. An appropriate order will accompany this Opinion. s/Esther Salas Esther Salas, U.S.D.J. - 11 -