In a world where technology is constantly changing, thieves keep finding new and better ways to defraud companies. In Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (ALC), — F. Supp. 3d — (S.D.N.Y. July 21, 2017), the United States District Court for the Southern District of New York addressed the availability of computer fraud coverage for losses resulting from one such scheme. In the process, the court gave an expansive reading to the policy’s computer fraud coverage provision and distinguished its ruling from the New York Court of Appeals’ recent decision in Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 37 N.E.3d 78 (N.Y. 2015), and other decisions.
Medidata illustrates the importance of ensuring that businesses have computer fraud coverage, establish and regularly update processes to thwart fraud, and train employees on both those processes and the latest fraudulent schemes.
The fraudulent scheme involving Medidata Solutions worked as follows: An accounts payable employee received an email message purportedly sent from the company’s president. The message stated that Medidata was close to finalizing an acquisition, that an attorney named Michael Meyer would contact her, and that the acquisition was confidential, and it instructed her to devote her attention to Mr. Meyer’s request. The email contained the president’s name, email address, and picture in the “From” field.
Later that day a man holding himself out to be Mr. Meyer called the employee and asked her to process a wire transfer. The employee told “Mr. Meyer” that she would need a request from the company’s president and approval from a company vice president and a company director to accomplish the transfer. Shortly thereafter, the employee received the requested email, again purportedly from the company’s president, instructing her to process the request and copying the vice president and director and instructing them to approve it. All did as requested. Two days later “Mr. Meyer” tried again, but the vice president became suspicious because of a strange address in the “Reply To” field and halted the transaction.
Medidata made an insurance claim for its loss from the completed wire transfer, which its insurer Federal Insurance Company denied. Medidata had a $5 million “Federal Executive Protection” policy that included “Computer Fraud Coverage.” The Computer Fraud Coverage protected the organization from “direct loss … resulting from Computer Fraud committed by a Third Party.” The policy defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The policy in turn defined “Computer Violation” as “the fraudulent: (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.” Finally, the policy defined “Data” to include “any representation of information” and “Computer System” as “a computer and all input, output, processing, storage, off-line media library and communication facilities which are connected to such computer, provided that such computer and facilities are: (a) owned and operated by an Organization; (b) leased and operated by an Organization; or (c) utilized by an Organization.”
The district court granted summary judgment for Medidata Solutions and against Federal Insurance. In doing so, the district court rejected Federal Insurance’s argument that the insurance claim was properly denied because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or input of fraudulent information. The court instead found that the email spoofing scheme here was unambiguously covered because it involved the fraudulent entry of data into a computer system through manipulation of an SMTP email envelope to make it appear that the email (through Google) was from a person within Medidata even if that person did not hack into Medidata’s computer system to do it.
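The two header inconsistencies in this account, the strange “Reply To” address the vice president noticed and the manipulated SMTP envelope the court described, can be checked mechanically at the mail gateway. The following is an added example, not part of the original article or the case record; the domain names and both sample messages are constructed, and `INTERNAL_DOMAINS` is an assumed configuration value.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organization's own mail domain (placeholder value).
INTERNAL_DOMAINS = {"example-corp.test"}

def header_domains(msg, name):
    """Lower-cased domains of every address found in the named header."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}

def spoof_indicators(raw_message):
    """Report headers that contradict a From address claiming an internal sender."""
    msg = message_from_string(raw_message)
    claimed = header_domains(msg, "From")
    if not claimed & INTERNAL_DOMAINS:
        return []  # the message does not claim to come from inside
    findings = []
    # Reply-To decides where an answer goes; Return-Path is written by the
    # receiving server from the SMTP envelope sender (MAIL FROM).
    for header in ("Reply-To", "Return-Path"):
        for dom in sorted(header_domains(msg, header) - claimed):
            findings.append(f"{header} domain {dom} does not match From domain")
    return findings

# Constructed sample: internal From, outside Reply-To and envelope sender.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.test>
From: "Company President" <president@example-corp.test>
Reply-To: president@outside-mail.test
To: ap@example-corp.test
Subject: Confidential acquisition

(body omitted)
"""

# Constructed sample: all three headers agree on the internal domain.
LEGIT = """\
Return-Path: <president@example-corp.test>
From: "Company President" <president@example-corp.test>
To: ap@example-corp.test
Subject: Quarterly review

(body omitted)
"""

if __name__ == "__main__":
    for finding in spoof_indicators(SPOOFED):
        print(finding)
```

A message that trips either check while claiming an internal sender is a candidate for quarantine or an external-sender banner before it reaches accounts payable.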
The district court distinguished the fraudulent scheme in this case from the fraudulent scheme addressed by the New York Court of Appeals in Universal, where the insured was attempting to collect for false claims submitted electronically and then paid out through the insured’s computer system. The district court concluded that Universal did not stand for the proposition that computer hacking was the only type of conduct for which computer fraud coverage was available, despite the court’s use of hacking as an example of a type of conduct covered.
The district court also distinguished the Fifth Circuit’s decision in Apache Corp. v. Great Am. Ins. Co., 662 F. Appx. 252 (5th Cir. 2016), because the thieves in that case were invited in through that insured’s vendor payment system, while Medidata employees did not invite the spoofed emails and only facilitated the wire transfer as a result of the uninvited spoofing. The district court found Apache unpersuasive to the extent the facts in Medidata fit within it.
The district court also held that Medidata Solutions should not have been denied “Funds Transfer Fraud Coverage” because the employee did not act knowingly in facilitating the fraud. “Larceny by trick,” according to the court, “is still larceny.” Finally, the district court held that “Forgery Coverage” was properly denied because there was no forgery or alteration of a financial instrument as required by the policy.
It is important for a business to stay one step ahead of thieves who exploit technology to defraud, through effective policies, procedures, and training. It is equally important that a business maintain comprehensive computer fraud coverage to protect itself against losses resulting from tricksters who thwart the most secure of computer systems, and that insurers who sell such policies be held to their promises, as the Medidata court seems to make clear.