← Return to the Database

Groundbreaking Cyber Insurance Decision

By Kevin La Croix (The D&O Diary).
10 August 2017 

Consider the following two scenarios resulting in identical losses, but potentially two entirely different insurance coverage outcomes:

In the first instance, a thief hacks, or gains unauthorized entry, into an insured’s computer system and causes that computer system to execute a bank transfer to the thief’s offshore account.

In the second instance, a thief utilizes a process called “spoofing,” in which an authentic looking, but fraudulent, email is created to trick the insured into wiring funds to the thief’s offshore account. The “spoofing” process in essence tricks the insured’s email server into recognizing the fraudulent email as one that actually originated from the insured’s client or other trusted source.

Computer fraud policies often provide coverage in the first scenario because in that instance the thief had actually obtained access to the insured’s computer and had “used” that computer, in the words of typical policy language, “to fraudulently cause a transfer of [] property from inside [the insured’s premises] to … a person outside those premises.”

By contrast, in the second scenario, the courts have been generally unreceptive to finding coverage because an insured’s acting on, or treating as genuine, a fraudulent email directing the payment of funds has not been thought to be the equivalent of the “use of a computer” in a manner that fraudulently “caused” a transfer of money or other property. As stated by one court, “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would … convert the computer-fraud provision to one for general fraud.” Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir. 2017).

A recent case decided by the U.S. District Court for the Southern District of New York, however, creates greater opportunities for policyholders to secure coverage in connection with the second scenario. In Medidata Solutions, Inc. v. Federal Insurance Company, CV-00907 (S.D.N.Y. July 21, 2017), the court ruled that a “spoofing” incident, which resulted in an insured wiring money overseas, was covered under the insured’s computer fraud policy even though the thief had not gained access to or directly used the insured’s computer system.

In Medidata, the insured, a company that provided cloud-based services to scientists conducting clinical research, used Google’s Gmail platform for company emails. In context of the company’s possible acquisition, the company’s finance department received an email purportedly from the company’s president stating that an attorney named Michael Meyer would be contacting the finance department. The email message purportedly from the company’s president contained the president’s name, email address and picture in the “From” field, but it was a fraudulent “spoof.”

On the same day, the company’s finance department received a phone call from a man who held himself out to be Meyer, who demanded that a wire transfer be processed for him. The company’s finance department advised that it needed further authorization to process Meyer’s request in the form of a further email from the company’s president requesting the wire transfer. The finance department thereupon received an email from the company’s president which, as before, contained the president’s email address in the “From” field and a picture next to his name.

Based on this subsequent, authentically appearing email, the finance department wired approximately $4.7 million to a bank account that was provided by Meyer. To state the predictable, the man purporting to be Meyer was a thief and the company’s $4.7 million was lost.

Medidata had an “Executive Protection” policy which included a coverage section for computer fraud. Like many such policies, the operative policy language required “the fraudulent (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System.” Invoking this language, Medidata’s insurer denied coverage for the loss because there had been no “fraudulent entry of Data into Medidata’s computer system.” In addition, the insurer argued that the subject emails containing the false information were sent to “an inbox which was open to receive emails from any member of the public” and thus entry of the fictitious emails “was authorized.”

The District Court disagreed. As Medidata successfully argued, the address in the “From” field of the spoofed emails constituted “data” which was entered by the thief posing as Medidata’s president. The thief accomplished this by entering computer code into the fraudulent email which caused Gmail to “change” the hacker’s email address to that of Medidata’s president.

Indeed, the court in Medidata noted that direct hacking into an insured’s computer is only “one of many methods a thief can use” and that the fraud perpetrated on Medidata was “achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity. The thief’s computer code also changed data from the true email address to Medidata’s president’s address to achieve the email spoof.” For this reason, the court concluded that Medidata’s losses were a direct cause of a computer violation and granted summary judgment to Medidata against its carrier.

While it is believed that the Medidata decision is the first which extends the concept of computer “use” or “violation” to the practice of “spoofing,” it may not necessarily be the last word on the subject.

Thus, just a few days after the Medidata decision was issued, the District Court for the Eastern District of Michigan took a different approach.

In American Tooling Center vs. Travelers Casualty and Surety Company, CV-12108-JCO, the granted summary judgment to the insurer that issued a computer fraud policy to American Tooling. The scenario in play in the American Tooling case was similar to what occurred in Medidata: in American Tooling, the company wired funds to a fraudster’s account in reliance on a fraudulent email that it believed was from an established vendor. Predictably, the email was an instance of “spoofing” – the email fraudulently impersonated the company’s vendor and led the company to mistakenly wire $800,000 to the fraudster’s account.

In granting summary judgment to the insurer, the Court in American Tooling relied on the language in the insuring clause which required that the company suffer “direct loss” that was “directly caused” by the “use” of any computer. In this regard, the Court noted that “[a]lthough fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the use of any computer to fraudulent cause a transfer. There was no infiltration or “hacking” of ATC’s computer system.”

The Medidata and American Tooling cases illustrate that there is a sharp split among courts about whether “spoofing” is covered under the insuring clause of a computer fraud policy. Until that split is more definitively resolved, policyholders will look to the Medidata case as providing some useful precedent for obtaining coverage for losses in this context.

Article Source

Permission has been granted for this article to be reproduced on the LMA website by the author, Kevin La Croix from The D&O Diary.

Link to original article.
Disclaimer
This website contains general information, including that of a legal nature. None of this material constitutes legal or other professional advice and should not be treated as such. You should not...

show full disclaimer