In an appeal watched by many insurance coverage attorneys, the Second Circuit Court of Appeals recently affirmed a district court ruling finding coverage for a $4.8 million email spoofing incident suffered by Medidata Solutions, Inc., a New York-based cloud computing firm.
The spoofing incident occurred when a fraudster emailed an employee in Medidata’s accounts payable department, asking the employee to transfer $4.8 million to China, purportedly for a company acquisition. The email was “spoofed” so that it displayed the company president’s name, picture and email address. Other company officers subsequently approved the transfer before the funds were sent.
Medidata was insured under a commercial crime policy with Chubb. The policy contained a computer fraud coverage, which protected against “direct loss of Money, Securities or Property … resulting directly from Computer Fraud committed by a Third Party.” The policy defined Computer Fraud as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” Computer Violation, in turn, was defined to include “the fraudulent … entry of Data into … a Computer System [and] change to Data elements or program logic of a Computer System ….”
The U.S. District Court for the Southern District of New York found coverage and the Second Circuit, in a summary three-page opinion, affirmed. Taken together, there are a number of interesting, perhaps surprising, elements to the courts’ decisions.
First, the courts brushed aside arguments that Medidata did not suffer a “direct loss” because several employees took additional steps after receipt of the email before the transfer was approved. The appellate court held that those intervening steps were insufficient to “sever the causal relationship between” the attack and the loss. This holding appears to be an expansive view of the causation requirement typically applied to policies requiring a “direct” loss to occur.
Second, the court considered the receipt of an email by the insured to constitute the “fraudulent entry of data into a computer system” or a “change of data elements,” because, apparently, the email entered Medidata’s computer system and, when it was received, it contained fraudulent information. The courts were unpersuaded by arguments that the policy language required that the thief fraudulently enter or change data in the insured’s computer system, resulting in the loss, for coverage to apply.
The appellate court summed up its holding as follows: “Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.”
The court’s holdings give life to the potential coverage for spoofing attacks under commercial crime policies. We anticipate that future courts will grapple with the court’s reasoning, particularly with regard to the two points discussed above.