Editor’s Note: The following article by Nicholas M. Insua was published as part of the Insurance Law Section Newsletter Vol. 24, No. 2, which is distributed to members of the Insurance Law Section. To learn more about joining a section of the New Jersey State Bar Association, email us at [email protected].
This article focuses on the decision of the United States Court of Appeals for the Second Circuit, Medidata Sols., Inc. v. Fed. Ins. Co.,1 in which the court found coverage for a policyholder that suffered losses caused by phishing attacks under the computer fraud provisions in its crime insurance policies.
In Medidata, an employee in the accounts payable department received an email from a Gmail account purportedly belonging to the company’s president, which requested a transfer of funds for an acquisition. However, the message was actually sent by a thief, and was altered with a ‘spoofed’ computer code that caused it to display the president’s picture and email address, and was copied to a fake attorney. After corresponding with the fake attorney by email and phone and receiving the approval of real corporate officers, the employee transferred nearly $4.8 million to a bank account in China. The fraud was discovered before the employee followed through on a request for an additional transfer of more than $4.8 million when the president was notified, but the initial transfer was not recovered and the thief has not been identified.
The policy at issue covered “direct loss of money, securities or property” due to computer fraud or funds transfer fraud committed by a third party. It defined computer fraud to encompass the fraudulent entry of data into or the changing of data in the policyholder’s computer system. Further, “funds transfer fraud” included transfers carried out based on “fraudulent instructions.”
The District Court Ruling
Although the computers were not directly hacked by a third party, the district court held that the requirements of the computer fraud provision were still met because the unknown fraudster used a computer code to alter a series of email messages to make them appear as though they originated from the company’s president. Further, the funds transfer fraud provision separately provided coverage for the loss. As the court stated, “[t]he fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction.” The court continued, stating “[t]o the contrary, the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick.”
In its briefs filed with the Second Circuit, the insurance company, Federal, argued that its policy required a direct, unauthorized change to the policyholder’s systems, which did not occur in this case. Thus, there should be no coverage. Federal also contended that the district court’s decision was erroneous because the email was not the direct cause of the loss, but was instead followed by the phone call, and that the transfer itself required the approval and actions of three different employees. In addition, Federal asserted that the policy’s funds transfer coverage was intended to protect against third parties sending fake transfer requests to banks, not actual requests by authorized employees. In response, the policyholder countered that the district court’s decision properly recognized the nuanced approach taken by cyber criminals in this “high-tech age.”
Second Circuit Ruling
The Second Circuit explained that the “plain and unambiguous language of the policy covers the losses incurred by Medidata....” First, the court held that a “computer violation” occurred when the fraudster manipulated Medidata’s email system, which was considered a part of the “computer system” within the meaning of the policy. The court reasoned that the code the fraudster used to alter the appearance of the email messages “represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system.” The court also stated that the phishing attack changed a data element of the computer system because it altered the appearance of email messages. Thus, the court concluded that the cyber attack fell squarely within the terms of the computer fraud provision.
The court also held that Medidata suffered a direct loss that was caused by the phishing attack. In doing so, the court rejected Federal’s argument that because Medidata employees were the ones that started the transfer, the perpetrator did not directly cause the loss. Applying New York law, the court stated that “direct loss” has the same meaning as proximate cause. The court then concluded that, “[w]hile... the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the [phishing] attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata.” Because the court held that the computer fraud provision was applicable, it did not consider whether Medidata’s loss was insured under any other provisions of the policy, such as the funds transfer fraud provision or the forgery provision.
By arguing that the actions of an employee victim of a phishing scam negated coverage, the insurance company in Medidata was essentially attacking the weakest link, much like the scammer who sent the phishing email. Insurance companies have attacked policyholders who seek coverage by asserting that employees of the policyholder defeated coverage by initiating a transfer of funds.
By holding that fraudulent instructions from a scammer are covered as fraudulent whether sent to the policyholder or to a bank, the decision recognizes the sophistication and reality of phishing scams, and that the policy language does not distinguish between them. Although policyholders may be able to obtain coverage, they should not rely entirely on crime policies for phishing losses. Pertinent cyber coverage should be purchased (and often with much higher limits, these programs can also be layered).
The Medidata decision will have an important effect on the case law, as many insurance policies call for the application of New York law. The wisest use of a policyholder’s finances and resources is to have insurance coverage in place and to invest in low-cost means of avoiding phishing attacks (awareness tests, trainings, labeling of emails as external/internal, phone verification). Through a multi-faceted risk management approach, companies will be better equipped to fend off these phishing attacks.
Nicholas M. Insua is a shareholder in the New Jersey office of Anderson Kill who focuses his practice on insurance recovery litigation and counseling. He also represents clients in business disputes outside the insurance coverage context and is a past chair of the Insurance Law Section and co-editor of the sections’ newsletter. Insua is currently the chair of the Pro Bono Committee.
- 729 F. App’x 117 (2d Cir. 2018).