HNRK Coverage Corner
On July 6, 2018, the Second Circuit issued a decision in Medidata Solutions Inc. v. Federal Ins. Co., 17-2492-cv, holding that a computer fraud insurance policy covered losses resulting from an email “spoofing” attack. As the Court explains, “spoofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.”
The policy at issue in Medidata Solutions covered losses resulting from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The insurer argued that the policy did not cover loss from the “spoofing” attack and instead applied only to “hacking-type intrusions” into the insured’s computer system. The Second Circuit disagreed and affirmed the district court’s decision granting summary judgment to the insured, explaining:
While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send message that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.
The Second Circuit also rejected the insurer’s argument that the insured had not suffered a “direct loss” as a result of the spoofing attack, explaining:
The spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day. Medidata is correct that New York courts generally equate the phrase “direct loss” to proximate cause. It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata. And New York law does not have so strict a rule about intervening actors as Federal Insurance argues.
Given the ubiquity of computer systems, cybercrime coverage is an important part of a company’s insurance portfolio. As this case demonstrates, the courts continue to grapple with which types of computer-related frauds qualify for coverage under the standard policies.
- Partner
Bradley Nash represents policyholders in insurance disputes and other parties in complex commercial litigation in state and federal courts in New York and across the country. Brad focuses his practice on insurance recovery for ...
Search Blog
Recent Posts
- Ohio Supreme Court Rules Computer Software Cannot Be Subject To “Physical Loss” Or “Physical Damage” Under Insured’s Property Insurance Policy
- Criminal Acts Exclusion Bars Coverage Even Though Insured Not Charged With, or Convicted of, a Crime
- Insurer Not Permitted to Recoup Defense Costs Absent Express Reservation of the Right to Do So
- Liability Insurer May Not Deny Defense Coverage Based On Extrinsic Evidence “Bound Up With the Merits of the Underlying Case”
- Second Circuit Rules That Lower-Tier Excess Policies Were Exhausted by Below-Limits Settlement with Insured
- Does Contra Proferentem Apply to the “Sophisticated Insured”?
- Sexual Misconduct Exclusion Bars Coverage for Negligence Supervision Claim
- Delaware Supreme Court Rejects “Fundamentally Identical” Standard for Interpreting Related Claims Provision
- New York Court of Appeals Rules That Disgorgement Payment to SEC Did Not Constitute an Uninsured Penalty
- “Intentional Nonperformance” of Contractual Obligations Does Not Trigger Policy’s “Willful Acts”
Popular Categories
- Insurance Coverage
- Policy Exclusions
- Duty to Defend
- Cyber Coverage
- CGL Policies
- Additional Insured Endorsement
- D&O Policies
- Business Interruption Coverage
- Excess Insurance
- Construction
- Bad Faith Claims Handling
- COVID-19
- Occurrence/Accident
- Indemnification and Advancement
- Damages
- Rules of Interpretation
- Related Claims
- Duty to Cooperate
- Advertising Injury
- Covered Loss
- Personal and Advertising Injury
- Insurance Brokers
- Confict of Laws
- Discovery/Disclosure
- Appraisal
- Attorney Fees
- Assignment of Claims
- Disability discrimination
- Implied Covenant of Good Faith and Fair Dealing
- Notice
- Privilege/Work Product
- Priority of Coverage
- Intellectual Property
- Contracts
- E&O Policies
- Professional Malpractice
- Rescission
- Intervention/Joinder
- Subrogation
- Settlements
- General Business Law
- Unfair Claims Settlement Practices
Archives
- March 2023
- January 2023
- December 2022
- September 2022
- May 2022
- April 2022
- March 2022
- November 2021
- June 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018