To paraphrase the film noir classic Asphalt Jungle, cyber-crime is a left-handed form of human endeavor.

The District Court for the Southern District of New York has ruled in Medidata v. Federal Insurance Company,1 that a company duped via e-mail into wiring sums of money overseas by an unknown actor was covered under the company’s computer fraud policy, rejecting arguments that the coverage was limited only to hacking into policyholder’s computers.

Medidata provides cloud-based services to scientists conducting services in clinical trials. In September 2014, an employee in Medidata’s finance department received an e-mail purportedly sent from Medidata’s president regarding a wire transfer of funds for an urgent acquisition. The employee believed the message was legitimate because it contained the president’s name, e-mail address, and picture, and also copied a fake attorney. The message was instead sent by a criminal using an altered e-mail account.

On the same day, the employee received a phone call from the fake attorney demanding a wire transfer. The employee told the attorney she would need an e-mail from Medidata’s president, vice president and Director of Revenue authorizing the transaction. The employee and officers then received a group e-mail purportedly from the president approving the payment. The employee transferred about $4.8 million to a bank account provided by the attorney to criminals in China.

After Medidata learned it was spoofed,2 it unsuccessfully tried to recover the funds. Medidata also tendered a claim for coverage to Federal.

The computer fraud provision in “Federal Executive Protection” policy affords coverage for the “direct loss of money … resulting from Computer Fraud committed by a third party.” Computer Fraud is defined as “the unlawful taking or the fraudulently induced transfer of money … resulting from a computer violation.” The term “Computer Violation” included the fraudulent entry or changing of data in the policyholder’s computer system.

Federal denied the claim, arguing (a) the policy’s computer fraud coverage did not apply because there was no fraudulent entry of data into Medidata’s computer system; (b) no coverage is provided under the funds transfer fraud clause because the wire transfer had been authorized by Medidata employees; and (c) no forgery coverage because the e-mail did not contain and actual signature and did not qualify as financial instruments. Coverage was also denied because, per the insurer, there would have been no loss if Medidata’s employees did not act on the e-mails. Medidata sued and both parties moved for summary judgment.

In a detailed opinion, the district court held that even though Medidata’s computers were not directly hacked by a third party, coverage was still triggered because the thief sent spoofed e-mails armed with a computer code to alter e-mails, making them appear as though they came from Medidata’s president. The court also said coverage was triggered because the fraud caused Medidata to transfer funds from its own bank accounts.

Notably, the district court rejected the Fifth Circuit’s analysis in Apache Corp. v. Great American Insurance Company, which also dealt with an e-mail based fraud scheme and a similar computer fraud provision.3

In 2013, Apache, a Texas oil production company, lost millions after it was duped via fraudulent e-mail into changing an on-line account it used to pay one of its vendors. The Apache court held that “computer fraud” provisions did not cover the loss when an employee authorizes fraudulent transfers to an outside bank account because the criminal e-mail was merely incidental to the authorized transfer of money. In other words, there is no coverage when the loss does not result directly from the use of a computer or the use of a computer does not cause the transfer of funds.

The district court rejected the rationale of Apache, stating: “To the extent that the facts of this case fit within Apache, the Court finds its causation analysis unpersuasive. The Medidata employees only initiated the transfer as a direct cause of the thief sending spoof e-mails posing as Medidata’s president.”

The debate over whether and when victims of cyber-crimes are covered under computer fraud and similar policy provisions remains contentious and unsettled. Future cases will depend on the specific policy language, underlying events, and losses. For now, the Medidata ruling is grist for the policyholders’ mill.
1 Medidata Solutions Inc. v. Federal Ins. Co., case number 1:15-cv-00907 (S.D. N.Y. July 21, 2017).
2 Spoofing has been defined as the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of the e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed. Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 (E.D.N.Y. 2007).
3 Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016).