Court Ruling that Fraud Is Covered under a Commercial Crime Policy Is Likely An Anomaly
July 16, 2018
The United States Court of Appeals for the Second Circuit decided that an insured was entitled to recover in a suit claiming that its losses from an email spoofing attack were covered by a computer fraud provision in its commercial crime policy because of the unambiguous policy language. The case is Medidata Sols. Inc. v. Fed. Ins. Co., No. 17-2492-cv, 2018 U.S. App. LEXIS 18376 (2nd Cir. July 6, 2018).
The insured, Medidata Solutions, Inc. (Medidata), became the victim of an email spoofing attack which resulted in a multimillion-dollar loss. In 2014 Medidata notified its finance department of a potential acquisition in the near future, and warned the finance personnel that they should be prepared to assist with significant transactions urgently. Later, an employee in accounts payable received an email that appeared to be from the president of Medidata, informing her that she would soon be contacted by an attorney. Later that day the attorney called the employee requesting a large wire transfer. The employee explained to the attorney that executive-level employees needed to approve such a transfer. Soon after, those executives received an email that also appeared to be from Medidata's president, requesting the necessary approval. The approval was granted, and the wire transfer was completed. The emails were fake: the fraudsters had gained entry to the company's email system and were able to mask the thief's true email address through insertion and computer code modification. The “attorney” was an imposter. The fraudsters soon requested a second wire transfer, sparking suspicion in the executives. Medidata learned it had been defrauded.
Medidata had a commercial crime policy issued by Federal Insurance Company (Federal) which contained computer fraud coverage applicable to “direct loss” of money “resulting from” fraud committed by a third party. The policy defined “Computer Fraud” as the “unlawful taking or the fraudulent induced transfer of Money . . . resulting from a Computer Violation,” a term which was defined as “the fraudulent: (a) entry of Data into a . . . Computer System and (b) change to Data elements or program logic of a Computer System”.
The district court determined that, given how specific the language was, the “Computer Fraud” coverage part of the policy was satisfied because the fraudsters intruded into Medidata's email system to disguise the true identity of the emailer. The district court also determined that the loss was proximately caused by the fraudulent emails.
Federal argued that the policy only covered explicit hacking. The Second Circuit affirmed the lower court's decision and rejected Federal's argument, focusing on the nature of the attack and on how the fraudsters changed Medidata's email system. The court determined that Medidata suffered a “direct loss” because the email spoof was the proximate cause of the monetary loss.
Editor's Note: This was a non-precedential ruling, driven by the particular facts of this situation. Several courts have found that there is no coverage for these schemes under the commercial crime policy. The thing that set this case apart from the other cases is the way the fraudster pretended to be the president of the company, and not a familiar vendor or other known work contact. There have been cases of fraudsters closely simulating the email address of a known contact of the victim, requesting money through an invoice. The courts deciding these cases generally decide in favor of the insurer, the difference being that it is much easier to verify an internal invoice request than one that comes directly from a third party. The type of fraud in this case is not likely to be repeated against Medidata.

