In a much anticipated decision, on July 6, 2018 the Second Circuit, applying New York law, affirmed a district court ruling that the computer fraud provisions of a commercial crime coverage section covered the losses Medidata incurred when the company’s employees transferred funds in response to a spoofed email. The appellate court’s opinion could prove valuable for other policyholders seeking to establish that their crime policies provide coverage for losses incurred as a result of social engineering fraud (also known as payment instruction fraud). The Second Circuit’s July 6, 2018 opinion can be found here.
Medidata Solutions, Inc. provides cloud-based services to research scientists. It maintains its email through the Gmail platform. The company’s email appears with the company’s domain name in the email address; if an email address matches that of a Medidata employee, the sender’s full name, email address, and picture appear in the email.
In September 2014, Medidata advised its finance department that its business plans included a possible acquisition. On September 16, 2014, an accounts payable clerk at Medidata received an email purportedly sent by Medidata’s President. The email contained the president’s name, email address and picture in the “From” field. The email stated that the company was finalizing an acquisition and that an attorney named Michael Meyer would contact the clerk. The same day, the clerk received a phone call from a man identifying himself as Meyer, who provided payment instructions. A second email purportedly from the President confirmed the payment authorization. In response, the clerk logged into the company’s bank account and initiated a wire transfer according to the payment instructions. At the clerk’s request, two officers from the company logged into the bank account and authorized the $4.77 million wire transfer.
After a subsequent funds transfer request rang alarm bells, the company determined that the first transfer request had been fraudulent. On investigation, the company determined that the fraud was achieved by entry into Medidata’s email system, resulting in spoofed emails armed with computer code that masked the thief’s true identity and made it appear as if the emails were from the company’s President. The thief’s computer code also altered data, replacing the true sender address with that of Medidata’s President, to achieve the email spoof.
The company contacted the FBI and submitted a claim to its commercial crime insurer. The insurer denied coverage and the company filed a lawsuit against the insurer. The parties filed cross-motions for summary judgment.
The Relevant Policy Language
The Policy’s “Computer Fraud Coverage” section protects against the “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” The Policy defined “Computer Fraud” as “The unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The Policy defines a “Computer Violation” as both “the fraudulent (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.”
The District Court Ruling
In his July 21, 2017 order, Southern District of New York Judge Andrew L. Carter, Jr., applying New York law, concluded that both the Computer Fraud coverage section and the Funds Transfer Fraud coverage section provided coverage for Medidata’s loss.
In concluding that the Computer Fraud coverage applied, Judge Carter rejected the insurer’s argument that the coverage section did not apply because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or the input of fraudulent information. Judge Carter concluded that while Medidata’s computers weren’t directly hacked, the Computer Fraud coverage section’s requirements were still met because the scammer used a computer code to alter a series of email messages to make them appear as though they originated from the company’s president. The insurer appealed.
The Second Circuit’s Opinion
In a brief July 6, 2018 Summary Order, a three-judge panel of the Second Circuit affirmed the district court’s ruling.
In its appeal, the insurer had argued that the spoofing attack on Medidata was not covered because the policy applies only to hacking-type intrusions. The appellate court rejected this argument, agreeing with the district court that “the plain and unambiguous language of the policy covers the losses incurred by Medidata here.”
Though there was no hacking of Medidata’s systems, the fraudsters effectuated a computer-based attack on the company’s email system, “which the parties do not dispute constitutes a ‘computer system’ within the meaning of the policy.” The attack “represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system” and also there was a “change to a data element” as “the spoofing code altered the email system’s appearance to misleadingly indicate the sender.”
The court rejected the case precedent that the insurer argued supported a contrary conclusion; the appellate court found that, in contrast to the cases the insurer cited, here “the fraud clearly implicates the ‘computer system qua the computer system,’ since Medidata’s email system itself was compromised.” The attack amounted to a “violation of the integrity of the computer system through deceitful and dishonest access.”
Finally, the appellate court rejected the insurer’s argument that Medidata did not sustain a “direct loss” as required under the policy. Medidata transferred the funds the same day it was directed to do so by the spoofed emails. “It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses,” as “the chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt.” Though the employees had to take action to effectuate the transfer, “we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”
In many of the cases in which courts have been asked to determine whether or not the computer fraud provisions of a commercial crime policy cover losses arising from social engineering fraud, the courts have drawn a distinction between losses where the thief hacks into the insured’s computer system and losses where the insured voluntarily transfers the funds. In many instances, courts making this distinction have concluded that the insurance policies do not cover losses arising from social engineering fraud.
Other courts faced with these issues conclude that these kinds of losses are not covered because the fraudulent payment instruction is not a direct cause of the loss, because of the intervening step of the duped employee’s actions to transfer the funds. For example, just days after the district court’s holding in the Medidata case, a judge held that a crime policy’s computer fraud section did not apply to social engineering fraud. As discussed here, Eastern District of Michigan Judge John Corbett O’Meara concluded, based on the specific policy language at issue, that the computer fraud coverage only applied when the fraud directly caused the loss, and that because there had been intervening steps between the computer fraud and the transfer of funds, the coverage did not apply.
The significance of the Second Circuit’s ruling here is two-fold; first, the Court concluded that the computer fraud section applied even though there had been no hacking; and second, the Court concluded that the loss of funds from the wire transfer was a “direct loss” notwithstanding the actions of the company employees in completing the transfer.
These conclusions from an influential appellate court could be very helpful for policyholders seeking to establish insurance coverage for social engineering fraud losses. With the benefit of this holding, policyholders will be aided in arguing that coverage is not precluded merely because there was no hack; and they can argue that they sustained a “direct loss” even if an employee voluntarily pressed the send button on the funds transfer. The policyholders can argue that the employee’s involvement does not transform the wire transfer into a valid transaction. Larceny by trick is still larceny.
While this case should provide a significant boost to policyholders seeking to establish coverage for their losses, the insurers undoubtedly will seek to seize on various aspects of this case to try to argue that it does not apply or should not control. First of all, though the Second Circuit is an important appellate court, its decisions do not control in other Circuits (or, for that matter, in any state court). Insurers in other circuits may still try to raise and rely on the arguments the Second Circuit rejected. Along the same lines, the Second Circuit ruled based on New York law. Insurers may still try to raise the same arguments in cases to which other states’ laws apply.
The insurers will also try to argue that the very particular features of the fraud here limit the applicability of this decision in other contexts. Both at the district court and at the appellate level, the courts were significantly influenced by the evidence showing that the fraudsters had accessed and fraudulently manipulated the company’s email system. Not every instance of social engineering fraud is based on this kind of computer system manipulation. For example, in some instances, the fraudulent instruction appears in an email that is made to look legitimate solely through its own content and presentation, with no system manipulation involved. In these kinds of cases, the insurers will still try to argue that the prerequisites for computer fraud coverage have not been established.
The Second Circuit’s holding that the lost funds represented a “direct loss” from the fraudulent activity may prove to be the more important of the court’s holdings. Insurers frequently base their denial of coverage for these kinds of losses on the argument that, because of the intervening action of the duped employee, the fraud was only an indirect cause of the loss, not a direct cause. The appellate court’s rejection of that argument here could be very helpful to policyholders in other disputes about coverage for social engineering fraud losses.
While this decision is clearly beneficial to policyholders, it does not represent a conclusive determination that computer fraud coverage sections will always provide coverage for social engineering fraud losses. As noted above, there are a variety of factors that may determine whether or not there is coverage for a particular loss, even in jurisdictions to which the Second Circuit’s decision directly applies. But though it has limitations, it is still a significant ruling for policyholders.
One thing that concerns me about this holding is that it might encourage some buyers to conclude that they are adequately protected by their existing crime policy for the possibility of a social engineering fraud loss, and so they don’t need to purchase the coverage extension that many crime insurers now offer for this type of loss. Though the Second Circuit’s holding in Medidata is favorable and may help some policyholders in coverage disputes, it is still at best premature to conclude that the unendorsed policy provides coverage for these kinds of losses. At least until coverage under the traditional policy provisions is much more conclusively established, the social engineering fraud coverage extension should continue to be fully discussed and considered.