Fraud on Computer System Is Peril Insured Against by Federal
Insurance against losses caused by computer fraud is a fairly new type of insurance. It is not necessarily well recognized or understood by the insurers that offer it and the businesses that buy it.
In Medidata Solutions Inc v. Federal Insurance Company, 17-2492-cv, United States Court of Appeals for The Second Circuit (July 6, 2018) an insurer contended a spoofing attempt [“spoofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.” Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).] was not insured against.
Federal Insurance Company appealed from an August 10, 2017 judgment entered by the District Court for the Southern District of New York (Carter, J.) granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest.
An insurance contract is interpreted to give effect to the intent of the parties as expressed in the clear language of the contract. As with any contract, unambiguous provisions of an insurance contract must be given their plain and ordinary meaning. Generally, under New York law, if the terms of an insurance policy are doubtful or uncertain as to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer.
Medidata brought suit, claiming that its losses from an email “spoofing” attack were covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance. The provision covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. Federal Insurance asserts that the spoofing attack was not covered, because the policy instead applies to only hacking-type intrusions.
The Second Circuit agreed with the district court that the plain and unambiguous language of the policy covers the losses incurred by Medidata. While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus, the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system.
The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.
Federal Insurance argues that Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (Ct. App. 2015), requires a different outcome. However, in the Second Circuit’s view, Universal in fact supports Medidata’s claim. Universal dealt with a medical claim fraud, where the perpetrators submitted false claims for services that were never rendered. The Court of Appeals found that such a fraud was not covered by a similar computer fraud provision, because the fraud was not on the “computer system qua computer system,” and did not entail a “violation of the integrity of the computer system through deceitful and dishonest access.” Rather, the fraud at issue there only incidentally involved the use of computers, because the company processed its claims using computers (as opposed to on paper).
By contrast, the fraud against Medidata clearly implicates the “computer system qua computer system,” since Medidata’s email system itself was compromised. Further, the Second Circuit concluded that the spoofing attack quite clearly amounted to a “violation of the integrity of the computer system through deceitful and dishonest access,” since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company.
Federal Insurance further argues that Medidata did not sustain a “direct loss” as a result of the spoofing attack, within the meaning of the policy. The spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day. Medidata is correct that New York courts generally equate the phrase “direct loss” to proximate cause.
It was clear to the Second Circuit that the spoofing attack was the proximate cause of Medidata’s losses.
The chain of events was initiated by the spoofed emails and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, the Second Circuit did not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata.
Having concluded that Medidata’s losses were covered under the computer fraud provision the judgment of the district court was affirmed.
The argument that the policy only covered “hacking” failed because a “spoofing attack” is a means of hacking a computer system. It did, in fact, change the e-mail system and caused more than $5 million in damages. Federal should have paid the claim and changed its policy for future claims to exclude spoofing attacks.
© 2018 – Barry Zalma
This article, and all of the blog posts on this site, digest and summarize cases published by courts of the various states and the United States. The court decisions have been modified from the actual language of the court decisions, were condensed for ease of reading, and convey the opinions of the author regarding each case.
Barry Zalma, Esq., CFE, now limits his practice to service as an insurance consultant specializing in insurance coverage, insurance claims handling, insurance bad faith and insurance fraud almost equally for insurers and policyholders. He also serves as an arbitrator or mediator for insurance related disputes. He practiced law in California for more than 44 years as an insurance coverage and claims handling lawyer and more than 50 years in the insurance business. He is available at http://www.zalma.com and firstname.lastname@example.org.
Mr. Zalma is the first recipient of the first annual Claims Magazine/ACE Legend Award.
Books from Full Court Press
Full Court Press continues to publish expert secondary content. This time it’s a new collection of ew insurance law treatises from consultant, expert witness, arbitrator, and mediator Barry Zalma.
Barry Zalma practiced law in California for more than 44 years as an insurance coverage and claims-handling lawyer, and has spent more than 50 years in the insurance business. We welcome his deskbooks as the first published under our Full Court Press imprint. Three titles are available in ePub and MOBI format, as well as on the Fastcase legal research platform.
Insurance Law Deskbook: Learn the insurance basics that are essential to every civil practitioner. The Insurance Law Deskbook is intended to help law students, practitioners, insurance lawyers, professional claims personnel, insured persons, and anyone else involved in insurance. The book, published for the first time under Full Court Press, includes the full texts or digests of insurance-related decisions of the U.S. Supreme Court, the U.S. District Courts of Appeal, state appellate courts, and foreign courts that have molded the American insurance law, as well as vital explanatory chapters, historical context, form letters, and more.
California Insurance Law Deskbook: California has long led the way when it comes to insurance jurisprudence in the United States, and few know more about California insurance law than Barry Zalma. The California Insurance Law Deskbook is intended to help law students, practitioners, insurance lawyers, professional claims personnel, insured persons, and anyone else involved in insurance. Similar to Barry Zalma’s general Insurance Law Deskbook, this title focuses on the state where the author has long resided and practiced as an expert in California law. The book, published for the first time under Full Court Press, includes the full texts or digests of insurance-related decisions of the U.S. Supreme Court, the U.S. District Courts of Appeal, and California appellate courts, as well as vital explanatory chapters and historical context.
Insurance Bad Faith and Punitive Damages Deskbook: Understand the relationship between insurance, the tort of bad faith, and why punitive damages are awarded to punish insurers. Previously, a person suing an insurance company in the United States could only recover contract damages, but when the tort of bad faith was created by the courts contract law was enormously affected, allowing insureds to sue insurers for both contract and tort damages, including punitive damages. Read a thoughtful analysis of how punitive damages apply in the United States to insurance bad faith suits, and why some states allow judges and juries to award punitive damages against insurers in civil litigation.
An annual subscription to secondary content on the Fastcase platform includes new editions and updates published by the author as they are rolled out, so you can rest assured that your research is up to date. Go to fastcase.com for more detail and how to use the material on-line as part of your legal or insurance research or as stand-alone e-books. Details on the three new e-books are available at https://www.fastcase.com/product-category/fcp/ Subscribers to fastcase.com can search the three books as they do case law.
An annual subscription to secondary content on the Fastcase platform includes new editions and updates published by the author as they are rolled out, so you can rest assured that your research is up to date. Go to fastcase.com for more detail and how to use the material on-line as part of your legal or insurance research or as stand-alone e-books.
Mr. Zalma’s books available as Kindle books or paperbacks at Amazon.com can be reached at http://zalma.com/zalma-books/
Mr. Zalma’s reports can be found on Tumbler at https://www.tumblr.com/search/bzalma on Facebook at https://www.facebook.com/barry.zalma and you can follow him on Twitter at https://twitter.com/bzalma
The author and publisher disclaim any liability, loss, or risk incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this blog. The information provided is not a substitute for the advice of a competent insurance, legal, or other professional. The Information provided at this site should not be relied on as legal advice. Legal advice cannot be given without full consideration of all relevant information relating to an individual situation.