News
Second Circuit Rules: A “Spoofing” Attack on Insured’s Email System Is a Covered “Computer Violation”
July 11, 2018
Share to:
The U.S. Court of Appeals for the Second Circuit struck the final blow to an insurer’s attempt to narrowly construe a policy provision insuring against computer crimes in <em><a href="http://blog.wcmlaw.com/wp-content/uploads/2018/07/Medidata-Solutions-Inc-v-Federal-Insurance-Company.pdf">Medidata Solutions Inc v Federal Insurance Company</a></em>.
Judge Carter for the Court of Appeals recently upheld a S.D.N.Y. ruling that Federal Insurance owed coverage to its insured, Medidata Soultions, Inc., under its policy Computer Fraud Insuring Clause. In so holding, the Second Circuit, like the District Court before it, refused to countenance Federal’s argument that the policy definition for “Computer Violation” covered instances of hacking only, and not spoofing.
Medidata’s policy with Federal insured it against any “direct loss… resulting from Computer Fraud committed by a Third Party.” A Computer Fraud was defined to result from a “Computer Violation,” which, in turn, was defined as the fraudulent entry, change or deletion of data from a computer system.
In 2014, Medidata fell victim to a sophisticated spoofing attack in which unknown (and never apprehended) criminals manipulated computer code so that apparently genuine emails from a Medidata executive were sent to other Medidata employees. The recipients of the emails, believing that they were following the instructions of their boss with respect to Medidata’s acquisition of another company, transferred $4.7 million into the fraudster’s account.
Federal insurance denied coverage for the loss, claiming that spoofed emails do not fall within the policy definition of a “Computer Violation,” because a spoofing attack is not a covered “hacking.” The S.D.N.Y. disagreed, finding that the unambiguous policy language plainly covered the spoofing attack at issue, because the fraudsters manipulated and changed the company email system with the spoofing code used to create the emails. Medidata was awarded $5,841,767 by the district court, representing their total losses plus interest.
On appeal, Federal argued that the S.D.N.Y. decision created an overbroad precedent for computer fraud insurance coverage by allowing it “to cover all transfers that involve both a computer and fraud at some point in the transaction.” Federal also unsuccessfully argued that Medidata’s loss was not “direct” (and therefore not covered) because Medidata employees transferred the funds themselves. The Second Circuit affirmed the S.D.N.Y.’s reasoning that the manipulation of email coding was a clearly covered Computer Violation, and also held that the employee’s unwitting transfer of millions of dollars to the criminals was part of the spoofing attack, and not an intervening event.
This decision provides further assurance to companies in New York that their computer fraud coverage insures against many variations of computer attacks and fraud.
Thanks to Vivian Turetsky for her contribution to this post.