One of the more vexing threats in the current business environment is the rise of “social engineering fraud” or “payment instruction fraud.” In these schemes scammers using official-seeming email communications induce company employees to transfer company funds to the imposters’ account. Among the many issues involved when these kinds of scams occur is the question of insurance coverage for the loss. In many instances, insurers take the position that because the schemes do not involve a “hacking” of the company’s systems and because the actual funds transfers are voluntary, the loss of funds is not covered under commercial crime policies.
However, in a July 21, 2017 decision (here), Southern District of New York Judge Andrew L. Carter, Jr., applying New York law, held that Medidata Solutions Inc.’s commercial crime policy covered the company’s loss of $4.77 million transferred in response to an email instruction that falsely appeared to be from the company’s President. The court’s decision raises and addresses a number of interesting issues, as discussed below.
Medidata Solutions, Inc. provides cloud-based services to research scientists. It maintains its email on the Gmail platform. The company’s email appears with the company’s domain name in the email address; if an email address matches that of a Medidata employee, the sender’s full name, email address, and picture appear in the email.
In September 2014, Medidata advised its finance department that its business plans included a possible acquisition. On September 16, 2014, an accounts payable clerk at Medidata received an email purportedly sent by Medidata’s President. The email contained the President’s name, email address and picture in the “From” field. The email stated that the company was finalizing an acquisition and that an attorney named Michael Meyer would contact the clerk. The same day, the clerk received a phone call from a man identifying himself as Meyer, who provided payment instructions. A second email purportedly from the President confirmed the payment authorization. In response, the clerk logged into the company’s bank account and initiated a wire transfer according to the payment instructions. At the clerk’s request, two officers from the company logged into the bank account and authorized the $4.77 million wire transfer.
After a subsequent funds transfer request rang alarm bells, the company determined that the first transfer request had been fraudulent. On investigation, the company determined that the fraud was achieved by entry into Medidata’s email system with spoofed emails carrying computer code that masked the thief’s true identity and made it appear as if the emails were from the company’s President. The thief’s computer code also changed the data showing the true sending email address to that of Medidata’s President in order to achieve the email spoof.
The company contacted the FBI and submitted a claim to its commercial crime insurer. The insurer denied coverage and the company filed a lawsuit against the insurer. The parties filed cross-motions for summary judgment.
The Relevant Policy Language
The Policy’s “Computer Fraud Coverage” section protects against the “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” The Policy defines “Computer Fraud” as “The unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The Policy defines a “Computer Violation” as both “the fraudulent (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.”
The Policy’s “Funds Transfer Fraud” coverage protects against “direct loss of Money or Securities sustained by an Organization resulting from Funds Transfer Fraud committed by a Third Party.” The Policy defines “Funds Transfer Fraud” as “fraudulent electronic … instructions … purportedly issued by an Organization and issued to a financial institution directing such institution to transfer, pay or deliver Money and Securities … without such Organization’s knowledge or consent.”
Finally, the Policy’s Forgery coverage protects against “direct loss sustained by an Organization resulting from forgery or alteration of a Financial Instrument committed by a Third Party.”
The July 21, 2017 Order
In his July 21, 2017 order, Judge Carter concluded that both the Computer Fraud coverage section and the Funds Transfer Fraud coverage section provided coverage for Medidata’s loss. However, he also concluded that the Forgery section did not provide coverage.
In concluding that the Computer Fraud coverage applied, Judge Carter rejected the insurer’s argument that the coverage section did not apply because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or the input of fraudulent information. Judge Carter concluded that while Medidata’s computers weren’t directly hacked, the Computer Fraud coverage section’s requirements were still met because the scammer used computer code to alter a series of email messages to make them appear as though they originated from the company’s President.
Judge Carter also referred to a 2015 decision by the New York Court of Appeals in Universal American Corp. v. National Union Fire Insurance Co., in which the appellate court, interpreting similar policy language, had said that the intent of the provision is “to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.” The fraud on Medidata, Judge Carter said, “falls within the kind of ‘deceitful and dishonest access’ imagined by the New York Court of Appeals.”
Judge Carter rejected as “unpersuasive” the insurer’s argument that the Computer Fraud section did not apply for lack of a direct nexus between the spoofed emails and the fraudulent wire transfer, on the theory that the email itself did not effect the transfer. He found that the Medidata employees “only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president.”
In concluding that the Funds Transfer Fraud coverage section also “unambiguously” applied to provide coverage, Judge Carter rejected the insurer’s argument that the coverage did not apply because the wire transfer was voluntary and made with Medidata’s knowledge and consent.
In reaching this conclusion with respect to the Funds Transfer Fraud coverage, Judge Carter noted that “it is undisputed that a third party masked themselves as an authorized representative, and directed Medidata’s accounts payable employee to initiate the electronic bank transfer.” It is also undisputed, Judge Carter noted, that “the accounts payable personnel would not have initiated the wire transfer, but for, the third parties’ manipulation of the emails.” The fact that the employee “willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction.” To the contrary, Judge Carter said, “the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick.” Larceny by trick “is still larceny.” Accordingly, Judge Carter concluded, the company had demonstrated that the Funds Transfer Fraud coverage covers the theft.
Finally, Judge Carter concluded that the Forgery coverage section did not apply because the occurrence of forgery alone is not sufficient to establish coverage; the forgery must also be made to a “Financial Instrument” in order for the coverage to apply. Because the loss did not result from the forgery or alteration of a “Financial Instrument,” Judge Carter concluded that the Forgery coverage does not apply.
As I have noted in prior posts discussing the question of insurance coverage for payment instruction fraud (most recently here), courts interpreting crime policies often have drawn a distinction between losses where a thief hacks the insured’s computer system and losses where the insured voluntarily transfers funds.
The significance of Judge Carter’s ruling is his determination that the coverage applies even though there had been no hacking of Medidata’s computer system and no entry or change of data in Medidata’s computer system; Judge Carter expressly noted that “hacking is one of many methods a thief can use.” He noted further that the New York Court of Appeals’ ruling in the Universal case can be read as “finding coverage for fraud where the perpetrator violates the integrity of a computer system through unauthorized access.” Because the fraud fell within the kind of “deceitful and dishonest access” to which the Court of Appeals had said the section applies, the policy’s coverage applied.
Judge Carter’s ruling is also significant in that he concluded that the policy coverage applied even though the wire transfer instruction itself had been voluntary. The accounts payable personnel, he said, would not have initiated the wire transfer instruction “but for the third parties’ manipulation of the emails.” The fact that the employee willingly pressed the send button on the funds transfer does not transform the bank wire into a valid transaction. Larceny by trick is still larceny.
In other words, policyholders who have suffered losses as a result of payment instruction fraud now have a substantial case on which they can seek to rely in arguing that their commercial crime policies provide coverage.
However, as a district court opinion, the decision at most provides only persuasive rather than precedential authority. Also, Judge Carter’s opinion relied heavily on New York law and New York case precedent. Other courts may conclude that his reasoning is inapplicable or less persuasive where other jurisdictions’ laws apply.
In addition, the insurer may appeal. The insurer likely would argue on appeal, and insurers will likely continue to argue in other cases, that the kind of “unauthorized access” on which Judge Carter relied in concluding that the policy’s Computer Fraud Coverage applied is not sufficient to meet the policy’s requirement of an “entry of data” or a “change to data elements or program logic” in order to show that a “Computer Violation” has taken place. The insurer also will likely contend that, notwithstanding the third-party fraudster’s manipulation of the company’s personnel, the voluntary initiation of a wire transfer instruction does not satisfy the coverage requirement that the instruction be “purportedly issued by an Organization” and made “without the Organization’s knowledge or consent.”
As many readers undoubtedly are aware, in recent times many carriers have offered optional extended coverage for social engineering fraud. These various coverage extensions, all of which have their limits, are offered on the suggestion that the standard commercial crime policy coverage provisions do not apply to these kinds of payment instruction fraud losses. The question arises, in light of Judge Carter’s rulings in this case, as to whether these kinds of extensions are necessary or even relevant if, as Judge Carter concluded, the policy’s standard coverage provisions provide coverage for these kinds of losses.
There probably is a lot more that could be said on this topic, but for now, I have to say it is far too early to conclude that the coverage for these kinds of losses has been established. Judge Carter’s decision represents the ruling of only one court, under a specific set of facts and under the interpretation of the law of one jurisdiction. Other courts have ruled to the contrary in other cases. While policyholders that have suffered a loss of this type will seek to rely on Judge Carter’s decision, that is a long way from saying that coverage for these kinds of losses under the standard provisions of the commercial crime policy has been conclusively established.
In other words, it is at best premature to conclude that the discussion about the social engineering fraud coverage extension is no longer relevant because the unendorsed policy provides the coverage. To the contrary, at least until the coverage under the traditional policy provisions is much more conclusively established, the social engineering fraud coverage extension should continue to be fully discussed and considered.
In the meantime, it will be very interesting to see whether the insurer in this case appeals Judge Carter’s decision. It will also be very interesting to see what other courts make of Judge Carter’s decision in this case.