The legal landscape for insurance coverage for business email scams remains unsettled, but a recent decision from a Manhattan judge ordering an insurer to cover $4.8 million in losses for a company that fell victim to a “spoofing” scam may give plaintiffs a new weapon in coverage disputes.
Southern District Judge Andrew Carter Jr. granted summary judgment for Medidata, which sued Federal Insurance Co., a subsidiary of insurance giant Chubb Ltd., saying the losses the company suffered when an imposter tricked its accounts payable department into wiring money are covered by computer fraud provisions in its insurance policy.
Carter said that, under Federal’s interpretation of case law, coverage for computer fraud would require a thief to hack into a company’s computer system and initiate a bank transfer.
“But hacking is one of many methods that a thief can use and is an everyday term for unauthorized access to a computer system,” the judge wrote.
Medidata provides cloud-based computing services for scientists conducting clinical trials.
In 2014, the Medidata employee responsible for travel and entertainment expenses received an email in which the sender, claiming to be the company’s president, said that an attorney named Michael Meyer would contact her about the company’s effort to finalize an acquisition.
A man holding himself out to be Meyer contacted the employee and said he would need an immediate wire transfer.
After the employee said she would need to clear the transaction with Medidata’s vice president and director of revenue, all three employees received a group email from someone claiming to be Medidata’s president requesting the funds transfer. They complied and wired almost $4.8 million to an account in China that Meyer provided.
After the supposed attorney asked for a second transfer, however, the vice president became suspicious and the president was contacted in a separate email. After the president said he did not request either of the wire transfers, the company contacted the FBI.
According to court papers, the identities of the scammers were never revealed and Medidata’s money was never recovered. Medidata had a $5 million policy with Federal containing a section that covers computer fraud, but the insurer denied Medidata’s claim, saying there was no fraudulent entry of data into the company’s computer system.
But Carter said that Federal is relying on an overbroad reading of the New York Court of Appeals’ 2015 decision in Universal American v. National Union Fire Insurance, 25 NY3d 675, in which the court said fraud achieved through a violation of a computer system by “deceitful and dishonest access” should be covered.
McKool Smith attorneys Robin Cohen, Adam Ziffer and Alexander Sugzda represented Medidata.
Federal was represented by Gordon Rees Scully Mansukhani attorneys Joseph Salvo, Christopher Kahler, Sara Gronkiewicz-Doran and Scott Schmookler.
Carter’s decision comes at a time when courts around the country remain at odds over whether or not insurance claims should cover the types of attacks that befell Medidata, which are becoming more prevalent.
“I don’t think there’s quite an industry standard for how these policies look,” said Brian Collins, a Philadelphia-based attorney for Offit Kurman who handles insurance litigation matters.
On one hand, the U.S. Court of Appeals for the Eighth Circuit found last year in State Bank of Bellingham v. BancInsure, No. 14-3432, that a bank’s financial institution bond covered a malware attack that allowed infiltration into the bank’s computer system, which resulted in two fraudulent wire transfers from a Minnesota bank to Poland.
On the other hand, the U.S. Court of Appeals for the Fifth Circuit found that the insurance policy for the Apache Corp., a Houston-based oil company, did not cover $7 million in payments to bank accounts controlled by scammers using spoof email addresses.
To defend against Medidata’s suit, Federal cited the Fifth Circuit’s decision in Apache v. Great American Insurance, 15-20499.
With regard to Apache, Carter said the fraud in that case was achieved through a “muddy chain of events” that included emails, phone calls and the establishment of a fraudulent bank account.
What sets Apache apart from Medidata, Carter said, is that the insured in the former case invited the computer-use: After the thieves called the company to ask to change a vendor’s payment information, they were told by an Apache employee that they would need to make the request via email and attach the vendor’s letterhead.
Medidata employees, by contrast, transferred funds as a direct result of receiving Trojan emails from someone masquerading as the company’s president, Carter said.
Scott Godes, a Washington, D.C.-based partner at Barnes & Thornburg who was not involved with the Medidata case, said the decision was a “good victory” for policyholders, as insurance companies have fought back in the courts against providing coverage for spoofing and other types of computer attacks.
“They have tried to erect a brick wall around providing coverage for this type of claim,” Godes said.
Carter did, however, find that Federal’s policy did not cover Medidata’s forgery claim.
The parties “vehemently” disputed whether or not the spoofed emails in which the sender posed as the president of the company, the judge said, but said the absence of a forged financial document is fatal to Medidata’s claim.