Second Circuit’s Decision Upholding Social Engineering Fraud Coverage Likely a Paper Tiger
In a case closely monitored by the insurance industry, the Second Circuit upheld in a non-precedential summary order a New York federal district court’s summary judgment finding coverage under the computer fraud coverage of a commercial crime policy. Medidata Solutions, Inc. v. Fed. Ins. Co., No. 17-2492, 2018 WL 3339245 (2d Cir. 2018). Although the policyholders are apt to tout the decision as a seismic victory, the atypical policy language and factual circumstances should greatly limit its persuasive value.
As background, the insured, Medidata Solutions, Inc. (Medidata), fell prey to an email spoofing attack resulting in a multimillion dollar loss. Notably, in 2014, Medidata notified its finance department of a possible acquisition in the near future and stated finance personnel should be prepared to assist with significant transactions on an urgent basis. The fraud was perpetrated when an employee in accounts payable received an email purportedly from Medidata’s president concerning an acquisition and notifying her that she would soon be contacted by an attorney. To send this spoofed email, the fraudsters had gained entry into Medidata’s email system and were able through insertion and modification of computer code to mask the thief’s true email address. Later that day, the “attorney” called the employee requesting a wire transfer. After the employee explained to the “attorney” that certain executive-level individuals needed to approve the wire transfer, those executives received an email purportedly from Medidata’s president requesting approval. The wire transfer was subsequently completed. However, when the fraudsters requested a second transfer, one of the executives grew suspicious of the “Reply To” email field. Medidata then learned it had been duped by fraudsters.
The subject commercial crime policy issued by Federal Insurance Company (Federal) contained computer fraud coverage applicable to “direct loss” of money “resulting from” fraud committed by a third-party. Also significant, the policy defined a “Computer Fraud” as the “[u]nlawful taking or the fraudulent induced transfer of Money . . . resulting from a Computer Violation.” In turn, a Computer Violation was defined as “the fraudulent: (a) entry of Data into a . . . Computer System; and (b) change to Data elements or program logic of a Computer System . . . .” Pursuant to this specific language, the district court found the “Computer Fraud” coverage part of the policy satisfied because the fraud was achieved by intrusion into Medidata’s email system in order to mask the thief’s true identity. Accordingly, the district court reasoned the loss was proximately caused by the spoofed emails.
In affirming the lower court, the Second Circuit focused on the nature of the attack, which involved the making of changes to Medidata’s email system allowing the fraudsters to impersonate Medidata’s president. In so holding, the Second Circuit rejected Federal’s argument that policy only covered explicit hacking or “brute force” scenarios. In addition, the court determined Medidata suffered a “direct loss” because the spoofing part of the scheme was the proximate cause of the resultant loss.
In addition to being a non-precedential ruling, the particular facts should substantially curtail the decision’s influence. Indeed, several courts analyzing coverage for fraudulent email fraud schemes have determined such schemes are not covered under commercial crime policies. See Interactive Comm’cns Int’l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018); Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., 719 F. App’x 701 (9th Cir. Apr. 17, 2018); Taylor & Lieberman v. Fed. Ins. Co., No. 16-6102, 2017 WL 929211 (9th Cir. Mar. 9, 2017); Pestmaster Servs., Inc. v. Travelers Cas. & Surety Co. of Am., 656 Fed. Appx. 332 (9th Cir. 2016); Apache Corp. v. Great Am. Ins. Co., 662 Fed, Appx. 252 (5th Cir. 2016); American Tooling Ctr., Inc. v. Travelers Cas. & Surety Co. of Am., No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017). Those cases generally involved situations where a fraudster requests payments by posing as a trusted vendor, for example, by closely mimicking the vendor’s email address. As a result, the insured authorizes the payments, although they are later determined to be the product of fraud. It bears noting that these attacks can be significant. Indeed, it was reported last year that Google and Facebook were defrauded out of $100 million by an impostor posing as an Asian supplier. Medidata is distinguishable from the usual case because the fraudsters actually entered computer code into the insured’s own email system to effectuate the spoofing, as opposed to composing a new email address of a third party with close similarities to the true one. The nature of the scheme in Medidata, in which the fraudster hacked into the insured’s email system to spoof the president’s email, is disfavored relative to spoofing a vendor’s email system. The type of scheme perpetrated in Medidata is riskier because the likelihood of detection is much greater since it is easier to verify a funds transfer request made by your own company’s executive than such request by a third party and because the actual hacking itself presents another detection point. By contrast, simply sending fraudulent invoices under a spoofed email address of a vendor does not provide the same opportunities for detection. Thus, Medidata involves a key nuance distinguishing it from other email fraud schemes, one not likely to be repeated often in the future.
Moreover, the policy language at issue in Medidata is atypical for two reasons: first is its “Data element or program logic” requirement and second is the “direct loss” language in contrast to the “directly caused by Computer Fraud” language in many policies. Courts should find these differences significant, especially since they have already found the “directly caused by Computer Fraud” to require more than proximate cause between the email scheme and the financial loss. This nuance should also prove significant.
At bottom, the nuances of Medidata should render it an anomaly as opposed to guiding precedent.