New York Court Rules That Fraudulent Wire Transfer Losses Are Covered By Liability Policy

08.14.17

(Article from Insurance Law Alert, July/August 2017)

For more information, please visit the Insurance Law Alert Resource Center.

As discussed in previous Alerts, courts have rejected policyholder attempts to obtain coverage for cyber-related losses under computer fraud and similar policy provisions.  See Taylor & Lieberman v. Fed. Ins. Corp., 2017 WL 929211 (9th Cir. Mar. 9, 2017) (coverage unavailable under computer fraud provision because sending an email, without more, does not constitute an unauthorized “entry into” a computer system) (March 2017 Alert); Apache Corp. v. Great American Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016) (computer fraud provision does not cover claims arising out of the transfer of funds to criminal accounts because a fraudulent email was only one part of a chain of events that caused the loss, and thus the loss was not caused “directly” by computer use) (November 2016 Alert); Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 25 N.Y.3d 675 (N.Y. 2015) (coverage for “fraudulent entry” of data is limited to losses caused by unauthorized access into the policyholder’s computer system and does not encompass losses caused by an authorized user’s submission of fraudulent information into the computer system) (July/August 2015 Alert).

In a decision issued last month, a New York federal district court distinguished these rulings and held that claims arising out of losses caused by a fraudulent wire transfer were covered by “computer fraud” and “funds transfer fraud” provisions.  Medidata Solutions, Inc. v. Federal Ins. Co., 2017 WL 3268529 (S.D.N.Y. July 21, 2017).

Medidata, a cloud service provider, used Google’s Gmail platform for company emails.  Medidata email addresses contained an employee’s first initial and last name followed by the domain name “mdsol.com.”  When Google processed Medidata emails, it compared incoming email addresses with Medidata employee profiles in order to find a match.  Once a match was found, Gmail displayed the sender’s full name, email address and picture in the “from” field. 

In 2014, a Medidata employee (Alicia Evans) received an email purportedly sent from Medidata’s president advising her to follow any instructions received from an attorney named Michael Meyer in connection with a potential corporate acquisition.  That same day, Evans received a call from a man who identified himself as Meyer and requested a wire transfer.  Evans informed Meyer that she needed email confirmation for the transfer from Medidata’s president and approval from the vice-president and director of revenue.  Evans thereafter made the requested wire transfer after receiving a group email confirming that the transfer should be made.  It was later discovered that the emails were sent from an unknown source and altered to appear as if they were sent by Medidata’s president.  Medidata sought coverage from Federal under provisions relating to computer fraud, funds transfer fraud and forgery.  Federal denied coverage, and Medidata brought suit.  The court ruled that the policy provided coverage for the wire transfer losses pursuant to the computer fraud and funds transfer fraud provisions.

The computer fraud provision covers loss arising from the fraudulent entry of data into a computer system or change to data elements of a computer system.  The court held that the fraud committed upon Medidata fell within this language because the thief embedded a computer code in the spoofed emails to mask their true origin and thus violated the integrity of the computer system.  The court distinguished Universal, which involved the inputting of fraudulent content by an authorized user.  The court also distinguished Apache, in which the court denied coverage under a similarly-worded computer fraud provision on the basis that the loss was not caused directly by “computer use.” There, the court held that an email was only one step in a “muddy chain of events” that led to a fraudulent wire transfer, whereas here, the loss originated with the spoofed email.  Finally, the court deemed Taylor & Lieberman, which also involved a fraudulent email, inapposite.  Unlike the present case, that case involved an email sent from a client, which is not an unauthorized entry into a computer system.

The court also found coverage available under the funds transfer fraud provision.  The court rejected Federal’s argument that this coverage was not implicated because the transfer did not occur “without Medidata’s knowledge or consent,” as required by the policy.  The court reasoned that although Evans knowingly made the wire transfer on Medidata’s behalf, she did so due to fraud and trickery through the email manipulation. 

Finally, the court ruled that the forgery provision did not trigger coverage because there was no alteration of a financial instrument.  The court declined to rule on whether the spoofed emails containing Medidata’s president’s name constituted a forgery, explaining that even if they did, the absence of a financial instrument was fatal to coverage under the forgery provision.