Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Court Rebuffs Insurance Company That Denied Email Spoofing Coverage Under Computer Fraud Clause

March 21, 2019

Hat tip to Dave Ries for putting me onto this case: Medidata Sols., Inc. v. Fed. Ins. Co.
 
The facts: On September 16, 2014, an employee in Medidata Sols., Inc.’s finance department received an email purportedly sent from Medidata’s president stating that Medidata was close to finalizing an acquisition, and that an attorney named Michael Meyer would contact the employee. The email advised the employee that the acquisition was strictly confidential and instructed her to devote her full attention to Meyer’s demands. On that same day, the employee received a phone call from a man who held himself out to be Meyer and demanded that the employee process a wire transfer for him. The employee explained that she needed an email from Medidata’s president requesting the wire transfer and approval from Medidata’s Vice President and Director of Revenue.

Thereafter, the employee, the Vice President and the Director of Revenue received a group email purportedly sent from Medidata’s president stating: “I’m currently undergoing a financial operation in which I need you to process and approve a payment on my behalf. I already spoke with Alicia, she will file the wire and I would need you two to sign off.” The email contained the president of Medidata’s email address in the “From” field and a picture next to his name. In response, the employee initiated a wire transfer for $4,770,226.00, which the Vice President and Director of Revenue approved. The money was then wired to a bank account that was provided by Meyer. Medidata later realized that the company had been defrauded when Medidata’s president was asked about the transfer and he indicated that he had not requested the transfer.

Medidata submitted a claim for the loss under its insurance policy issued by the Defendant Federal Insurance Company (“Federal”). The policy included a Computer Fraud Coverage provision, which covered “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” The policy defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” In turn, “Computer Violation” included both “the fraudulent: (a) entry of Data into . . . a Computer System; [and] (b) change to Data elements or program logic of a Computer System.”

Despite this language, Federal denied coverage of the claim. Thereafter, Medidata filed a coverage action against Federal in the United States District Court for the Southern District of New York. The trial court ultimately concluded that the losses were covered under the policy and granted Medidata’s motion for summary judgment.

On appeal, the Second Circuit rejected Federal’s argument that the spoofing attack was not covered and affirmed the lower court’s ruling. In particular, the Court held that “the spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.”

The Court further concluded that the spoofing attack “clearly amounted to a violation of the integrity of the computer system through deceitful and dishonest access, since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company.” On this basis, the Court concluded that Medidata’s losses were covered by the terms of the computer fraud provision. Furthermore, the Court rejected Federal’s argument that Medidata did not sustain a “direct loss” as a result of the spoofing attack, within the meaning of the policy. Specifically, the Court concluded that “[t]he chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata.”

Accordingly, the Court affirmed the entry of summary judgment in favor of Medidata.

This case highlights the need for all organizations, including law firms, to establish fraud prevention policies, such as dual authentication of all instructions to transfer funds. Before wiring money to anyone, always verify – by phone call, not email – the authority to make the payment and the destination of the funds. To supplement fraud prevention policies, it is equally important to have insurance with limits sufficient to make good a reasonable range of losses that could occur. To ensure access to that protection, it’s vital to understand what the language in your policy covers and does not cover. Firm policies and procedures to prevent computer fraud should be designed with the language of the firm’s insurance policy in mind.

Source: Hinshaw, The Lawyers' Lawyer Newsletter, March 2019.
