Federal courts continue to shape the landscape for cyberfraud coverage. The recent spate of cases focuses on the scope of coverage for “phishing” or “spoofing” attacks. These cases focus on such attacks for two reasons: they differ slightly from a classic system intrusion or hack, and they have grown into the major threat that many companies face (see Matthews, Lee, “Homeland Security Chief Cites Phishing As Top Hacking Threat,” Forbes, Nov. 29, 2016). Given this reality, an increase in court decisions dealing with the topic is not surprising.
Phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. Spoofing, a related technique, is the use of a computer program to create a false email that appears to come from a trusted source such as a CEO or CFO. Typically, these scams involve an insider, such as the CFO, receiving an email that appears to be from another insider, such as the CEO, authorizing a wire transfer to a specific bank account. The crooks then withdraw the money from that account once the wire transfer settles.
Two recent federal court cases, one in Michigan and one in New York, reach divergent results on whether the cyberinsurance policies held by the plaintiffs covered this kind of fraud loss. The first, Medidata Solutions v. Federal Insurance (July 21, S.D.N.Y.), held that there was coverage, but the second, American Tooling Center v. Travelers (Aug. 1, E.D. Mich.), held that there was no coverage. The cases illustrate differing approaches and policy language and are useful for understanding the latest evolution of cybercoverage.
Medidata Solutions, Inc. uses Gmail to run its email service. The email addresses use the company’s own domain name, so they do not read as @gmail.com. When the sender address of an incoming message matches a Medidata employee’s address, Gmail displays that employee’s full name, email address and picture in the message.
On Sept. 16, 2014, a clerk in the accounts payable department received an email, claiming to be from Medidata’s president. The email contained the president’s full name, email address and picture in the “from” field. The email advised that the company was finalizing an acquisition and that an attorney named Michael Meyer would contact the clerk with wiring instructions. The clerk later received a phone call with the wiring instructions from someone who claimed to be Michael Meyer. After the phone call, a second email came from the “president” confirming the instructions. Following these interactions, Medidata authorized a $4.77 million wire transfer.
An investigation revealed that the emails had been spoofed: code in the messages replaced the true sender address with the address of Medidata’s president, which hid the real origin, caused the president’s name and picture to display, and made the emails appear genuine. The company submitted the claim to its carrier, Federal, which denied coverage.
In the policy, Medidata had “computer fraud coverage,” which protects against “direct loss of money, securities or property sustained by an organization resulting from computer fraud committed by a third party.” The policy defined computer fraud as “the unlawful taking or the fraudulently induced transfer of money, securities or property resulting from a computer violation.” And the policy defined a “computer violation” as both “the fraudulent entry of data into … a computer system; and change to data elements or program logic of a computer system, which is kept in machine readable format … directed against an organization.”
The policy also had “funds transfer fraud” coverage. This coverage protects against “direct loss of money or securities sustained by an organization resulting from funds transfer fraud committed by a third party.” The policy defines “funds transfer fraud” as “fraudulent electronic … instructions … purportedly issued by an organization and issued to a financial institution directing such institution to transfer, pay or deliver money and securities … without such organization’s knowledge or consent.”
After Medidata filed suit, it brought a motion for summary judgment arguing that there was no factual dispute that the policy provided it with coverage. While interpreting the policy, the court concluded that both the computer fraud coverage section and the funds transfer fraud coverage section provided coverage for Medidata’s loss.
For the computer fraud coverage, Federal argued that because the scheme did not require hacking directly into Medidata’s system, the policy did not cover the loss. Federal also argued that the loss involved no manipulation of Medidata’s computer and no input of fraudulent information, both of which the policy required for coverage. The court rejected these arguments and held that even though the thieves did not directly enter the systems, their actions still met the coverage definition because they used computer code to alter a series of email messages. The court also held that the spoofed emails themselves did not need to directly cause the wire transfer, because Medidata employees “only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president.” In other words, the spoofed email was the proximate cause of the loss.
The court also relied on a 2015 decision of the New York Court of Appeals, Universal American v. National Union Fire Insurance, which interpreted similar policy language, to support its finding of coverage. Both cases involved “deceitful and dishonest access” to the computer systems and therefore fell within the coverage provided, per the court’s ruling.
For the funds transfer fraud coverage, Federal argued that because the employees made a voluntary transfer, the coverage did not apply. This defense is common among insurance companies seeking to avoid coverage under a fraud or cybercoverage policy. The court rejected this argument as well, focusing on how the masking of the sender’s identity negated the “voluntariness” of the transfer. The court wrote that “it is undisputed that a third party masked themselves as an authorized representative, and directed Medidata’s accounts payable employee to initiate the electronic bank transfer.” Again, the court noted that the transfer would not have happened without the fraudulent email, and thus receipt of the spoofed email was the proximate cause of the transfer.
American Tooling Finds No Coverage
The Eastern District of Michigan reached the opposite result in a similar case, American Tooling Center v. Travelers. The case came before the district court on cross motions for summary judgment; the court denied the policyholder American Tooling’s motion and granted the motion of the insurance carrier, Travelers.
American Tooling has many vendors that it pays on a regular basis. It asks each vendor for an invoice, which it then uses to authorize payment to that vendor. Following its customary practice in this case, the company sent an email to one of its vendors asking for its invoices. In return, it received an email from an address that was confusingly similar to that vendor’s real address. The email included invoices with wiring instructions for a bank account different from the one the vendor had used before. The invoices were for legitimate work completed by the vendor, but the bank account belonged to the fraudsters. The company confirmed the legitimacy of the invoices, meaning it confirmed that the vendor had performed the services. However, American Tooling did not verify the new wiring instructions, and as a result it wired approximately $800,000 to the new account before discovering the fraud.
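The two cases describe two different sender deceptions: in Medidata the visible “from” address was made to match the president’s real address, while in American Tooling the address was merely a near-copy of the vendor’s domain. The script below is an added example, not code from either case or from any of the parties, showing the header checks an accounts-payable mail gateway can run to flag both patterns. The company domain, executive directory, vendor domain list and the three sample messages are constructed for illustration; in particular, the Reply-To and Authentication-Results headers in the first sample are assumed features of this class of spoof, not details reported in the Medidata opinion.

```python
"""Sender-header checks for executive spoofs and lookalike vendor domains (added example)."""
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Assumed values: a stand-in company domain, an executive directory and an
# approved-vendor domain list. None of these come from the cases discussed.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"Pat President": "pat.president@example-corp.test"}
VENDOR_DOMAINS = {"acme-tooling.test"}

# Character sequences that look alike in common proportional fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'acrne-too1ing' compares equal to 'acme-tooling'."""
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, known: set) -> Optional[str]:
    """Return the approved domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in known:
        return None
    for k in known:
        if normalize(domain) == normalize(k) or levenshtein(domain, k) <= 2:
            return k
    return None


def analyze(raw_message: str) -> list:
    """Return finding tags for one RFC 5322 message (empty list means nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        findings.append("display-name-spoof")

    # 2. Replies silently routed to a domain other than the visible sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")

    # 3. Mail claiming an internal origin that did not pass SPF and DKIM on the way in.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain == COMPANY_DOMAIN and not ("spf=pass" in auth and "dkim=pass" in auth):
        findings.append("internal-sender-unauthenticated")

    # 4. Sender domain is a near-copy of an approved vendor domain.
    imitated = lookalike_domain(domain, VENDOR_DOMAINS)
    if imitated:
        findings.append(f"lookalike-domain:{imitated}")
    return findings


# Constructed sample messages (not evidence from either case).
EXEC_SPOOF = """\
From: "Pat President" <pat.president@example-corp.test>
Reply-To: <pat.president@example-corp-mail.test>
Authentication-Results: mx.example-corp.test; spf=fail; dkim=none
Subject: Confidential acquisition - wire instructions to follow

Counsel will call with wiring instructions.
"""

VENDOR_LOOKALIKE = """\
From: "Accounts" <billing@acrne-tooling.test>
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass
Subject: Updated invoices and new remittance details

Please note our new bank account on the attached invoices.
"""

GENUINE = """\
From: "Pat President" <pat.president@example-corp.test>
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass
Subject: Board deck

Attached.
"""

if __name__ == "__main__":
    for label, raw in [("exec spoof", EXEC_SPOOF), ("vendor lookalike", VENDOR_LOOKALIKE), ("genuine", GENUINE)]:
        print(f"{label:18} -> {analyze(raw) or ['clean']}")
```

Run stand-alone, the script flags the executive spoof on its Reply-To divergence and failed authentication, flags the vendor message as a lookalike of the approved domain, and passes the genuine message. The checks are deliberately simple: the display-name comparison is exact rather than fuzzy, and none of this replaces the out-of-band callback to a known number that would have caught the changed bank account in American Tooling.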
American Tooling submitted the claim to its insurance carrier, Travelers, which denied coverage. The policy covers “computer crime” as follows: “The company will pay the insured for the insured’s direct loss of, or direct loss from damage to, money, securities and other property directly caused by Computer Fraud.” The policy defines computer fraud as “the use of any computer to fraudulently cause a transfer of money, securities or other property from inside the premises or financial institution premises: to a person (other than a messenger) outside the premises or financial institution premises or to a place outside the premises or financial institution premises.”
Travelers, in support of its decision to deny coverage, argued that the loss was not a “direct loss” that was “directly caused by the use of a computer,” because intervening events occurred between receipt of the emails and the transfer of funds, such as verifying the work performed for the invoices and authorizing the release of the funds. Travelers’ argument mirrors the voluntary act argument advanced by Federal in the Medidata case.
In reaching the conclusion that the policy did not provide coverage, the district court focused on the definition of the word “direct.” Specifically, the court wrote, “the Sixth Circuit, applying Michigan law, has noted that ‘direct’ is defined as ‘immediate,’ without anything intervening” (citing Tooling Manufacturing & Technologies v. Hartford Fire Insurance, 693 F.3d 665, 673 (6th Cir. 2012) (“The primary word used to describe ‘directly’ in each of these definitions is ‘immediate,’ and each of the dictionaries defines ‘directly’ or ‘direct’ as ‘without anything intervening’ or without any intervening space or time … agency or instrumentality.”)). In a footnote, the court addressed the contrary decision in Medidata by noting that the policy language in Medidata lacked the “direct loss” language. Because the company had to engage in intervening acts to complete the wire transfer, the court concluded the loss was not a “direct loss” and denied coverage.
Conclusions and Comparisons
As with any discussion of insurance coverage, the policy language made a tremendous difference in the two cases. The difference in language seems to do most of the work in reaching opposing results; the presence or absence of “direct loss” language potentially made the difference. However, it is not clear that the Medidata court would have reached a different result had it been interpreting the same policy as the American Tooling court. The Medidata court heavily emphasized that the fraudulent emails were the cause of the loss, and that the transfer would not have happened without them. This conclusion makes logical sense, particularly considering that the purpose of cybercoverage is to protect against losses from fraud perpetrated by digital deception.
The divergence in the cases creates several possibilities. First, carriers may increasingly include language providing coverage only for direct loss, hoping to receive the more favorable interpretation under American Tooling for phishing and spoofing losses. Second, some carriers may see a market opportunity and create policies with specific riders covering spoofing and phishing schemes. Third, both cases are likely to end up on appeal, and an appeal could erase the distinctions between the cases or create new ones. As always, policy language is key.