HNRK Coverage Corner

On July 6, 2018, the Second Circuit issued a decision in Medidata Solutions Inc. v. Federal Ins. Co., 17-2492-cv, holding that a computer fraud insurance policy covered losses resulting from an email “spoofing” attack.  As the Court explains, “spoofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.”

The policy at issue in Medidata Solutions covered losses resulting from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The insurer argued that the policy did not cover loss from the “spoofing” attack and instead applied only to “hacking-type intrusions” into the insured’s computer system.  The Second Circuit disagreed and affirmed the district court’s decision granting summary judgment to the insured, explaining:

While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send message that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.

The Second Circuit also rejected the insurer’s argument that the insured had not suffered a “direct loss” as a result of the spoofing attack, explaining:

The spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day. Medidata is correct that New York courts generally equate the phrase “direct loss” to proximate cause. It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata. And New York law does not have so strict a rule about intervening actors as Federal Insurance argues.

Given the ubiquity of computer systems, cybercrime coverage is an important part of a company’s insurance portfolio. As this case demonstrates, the courts continue to grapple with which types of computer-related frauds qualify for coverage under the standard policies.