Over the last several days, I have published several posts discussing important insurance developments relating to social engineering fraud, sometimes called payment instruction fraud. In the following guest post, Peter S. Selvin of the TroyGould PC law firm takes a detailed look at one of these recent decisions, the July 2017 decision in the Southern District of New York involving Medidata (discussed here), and compares it to the subsequent American Tooling Center decision out of the Eastern District of Michigan (discussed here). A version of this article previously appeared in the San Francisco Daily Journal. I would like to thank Peter for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Peter’s article.
Consider the following two scenarios resulting in identical losses, but potentially two entirely different insurance coverage outcomes:
In the first instance, a thief hacks, or gains unauthorized entry, into an insured’s computer system and causes that computer system to execute a bank transfer to the thief’s offshore account.
In the second instance, a thief utilizes a process called “spoofing,” in which an authentic looking, but fraudulent, email is created to trick the insured into wiring funds to the thief’s offshore account. The “spoofing” process in essence tricks the insured’s email server into recognizing the fraudulent email as one that actually originated from the insured’s client or other trusted source.
Computer fraud policies often provide coverage in the first scenario because in that instance the thief had actually obtained access to the insured’s computer and had “used” that computer, in the words of typical policy language, “to fraudulently cause a transfer of property from inside [the insured’s premises] to … a person outside those premises.”
By contrast, in the second scenario, the courts have been generally unreceptive to finding coverage because an insured’s acting on, or treating as genuine, a fraudulent email directing the payment of funds has not been thought to be the equivalent of the “use of a computer” in a manner that fraudulently “caused” a transfer of money or other property. As stated by one court, “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would … convert the computer-fraud provision to one for general fraud.” Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir. 2017).
A recent case decided by the U.S. District Court for the Southern District of New York, however, creates greater opportunities for policyholders to secure coverage in connection with the second scenario. In Medidata Solutions, Inc. v. Federal Insurance Company, CV-00907 (S.D.N.Y. July 21, 2017), the court ruled that a “spoofing” incident, which resulted in an insured wiring money overseas, was covered under the insured’s computer fraud policy even though the thief had not gained access to or directly used the insured’s computer system.
In Medidata, the insured, a company that provided cloud-based services to scientists conducting clinical research, used Google’s Gmail platform for company emails. In the context of a possible acquisition of the company, the company’s finance department received an email purportedly from the company’s president stating that an attorney named Michael Meyer would be contacting the finance department. The email message purportedly from the company’s president contained the president’s name, email address and picture in the “From” field, but it was a fraudulent “spoof.”
On the same day, the company’s finance department received a phone call from a man who held himself out to be Meyer, who demanded that a wire transfer be processed for him. The company’s finance department advised that it needed further authorization to process Meyer’s request in the form of a further email from the company’s president requesting the wire transfer. The finance department thereupon received an email from the company’s president which, as before, contained the president’s email address in the “From” field and a picture next to his name.
Based on this subsequent, authentically appearing email, the finance department wired approximately $4.7 million to a bank account that was provided by Meyer. To state the predictable, the man purporting to be Meyer was a thief and the company’s $4.7 million was lost.
Medidata had an “Executive Protection” policy which included a coverage section for computer fraud. Like many such policies, the operative policy language required “the fraudulent (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System.” Invoking this language, Medidata’s insurer denied coverage for the loss because there had been no “fraudulent entry of Data into Medidata’s computer system.” In addition, the insurer argued that the subject emails containing the false information were sent to “an inbox which was open to receive emails from any member of the public” and thus entry of the fictitious emails “was authorized.”
The District Court disagreed. As Medidata successfully argued, the address in the “From” field of the spoofed emails constituted “data” which was entered by the thief posing as Medidata’s president. The thief accomplished this by entering computer code into the fraudulent email which caused Gmail to “change” the hacker’s email address to that of Medidata’s president.
Indeed, the court in Medidata noted that direct hacking into an insured’s computer is only “one of many methods a thief can use” and that the fraud perpetrated on Medidata was “achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity. The thief’s computer code also changed data from the true email address to Medidata’s president’s address to achieve the email spoof.” For this reason, the court concluded that Medidata’s losses were the direct result of a computer violation and granted summary judgment to Medidata against its carrier.
While it is believed that the Medidata decision is the first which extends the concept of computer “use” or “violation” to the practice of “spoofing,” it may not necessarily be the last word on the subject.
Thus, just a few days after the Medidata decision was issued, the District Court for the Eastern District of Michigan took a different approach.
In American Tooling Center vs. Travelers Casualty and Surety Company, CV-12108-JCO, the court granted summary judgment to the insurer that issued a computer fraud policy to American Tooling. The scenario in play in the American Tooling case was similar to what occurred in Medidata: in American Tooling, the company wired funds to a fraudster’s account in reliance on a fraudulent email that it believed was from an established vendor. Predictably, the email was an instance of “spoofing” – the email fraudulently impersonated the company’s vendor and led the company to mistakenly wire $800,000 to the fraudster’s account.
In granting summary judgment to the insurer, the Court in American Tooling relied on the language in the insuring clause which required that the company suffer “direct loss” that was “directly caused” by the “use” of any computer. In this regard, the Court noted that “[a]lthough fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the use of any computer to fraudulently cause a transfer. There was no infiltration or “hacking” of ATC’s computer system.”
The Medidata and American Tooling cases illustrate that there is a sharp split among courts about whether “spoofing” is covered under the insuring clause of a computer fraud policy. Until that split is more definitively resolved, policyholders will look to the Medidata case as providing some useful precedent for obtaining coverage for losses in this context.
Peter S. Selvin is a member of TroyGould, PC where he practices in the areas of civil litigation and insurance coverage and recovery.