Social Icons

google plusfacebooklinkedintwitterinstagramrss feedemail

Monday, July 9, 2018

Second Circuit Finds Coverage in Cyber Fraud Case

Published on sdvlaw.com

On Friday, July 6, 2018, the United States Court of Appeals for the Second Circuit held that a fraudulent email that caused a company to transfer $4.8 Million to the fraudster was a “direct loss” covered by the company’s computer fraud insurance.

By defining “direct cause” as “proximate cause,” the Second Circuit Court of Appeals settled a major ambiguity in computer fraud insurance policies in favor of policyholders. “Direct cause” is one of the most hotly debated issues in crime insurance and courts disagree on its interpretation. Earlier this year, the 9th Circuit found against coverage in a similar situation in Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir.). These conflicting decisions could give rise to an appeal to United States Supreme Court.




The Loss

In 2014, an employee of Medidata Solutions Inc., (a cloud-based technology company) received an email purporting to be from the company’s president. As a result of the email, the company eventually wired $4.8 million to an outside bank account. That email turned out to be spoofed, and the bank account belonged to a fraudster.

As the district court explained in the underlying case:
“[S]poofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.
Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).

The Claim
  
When the fraudster attempted the same scam a second time, Medidata discovered the fraud and tendered the loss under its Federal Executive Protection policy. The Policy contained a “Crime Coverage Section” addressing loss caused by various criminal acts, including Forgery Coverage Insuring, Computer Fraud Coverage, and Funds Transfer Fraud Coverage.


Federal denied coverage for two reasons. First, Federal claimed that no actual hacking or data breach took place “because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or input of fraudulent information.” Medidata Sols., Inc., 268 F. Supp. 3d at 475. Second, Federal claimed Medidata did not sustain a “direct loss” because the spoofed emails directed Medidata’s employees to transfer the funds, and, therefore the fraudster’s computer-action was not the direct cause of the loss, rather Medidata’s action (through its employees) was an intervening cause.

The Ruling

The District Court rejected Federal’s arguments and the Second Circuit agreed.