A federal judge in New York awarded summary judgment on Friday in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss, suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision and funds transfer fraud provision. The award comes after District Judge Andrew L. Carter, Jr., ruled in March 2016 that additional expert discovery was needed concerning the manner in which the fraudsters manipulated Medidata’s computer systems.
The lawsuit, discussed in an August 18, 2016, Hunton & Williams blog post, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud, forgery and funds transfer fraud. Federal argued that Medidata’s claim was not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.
Medidata countered, arguing that the fraudsters changed the code in emails to alter the sender’s address and included the executive’s pictures, email addresses and signatures, and that this alteration amounted to a change of the “data” in Medidata’s computer systems. Medidata further argued that the chain of events began with an accounts payable employee’s receiving a spoofed email purportedly from Medidata’s president, and that but for the receipt of that fraudulent email, the Medidata employee would not have “voluntarily” transferred the funds.
The court agreed with Medidata on both counts. In finding that Medidata’s loss implicated coverage under the policy’s computer fraud provision, the court determined that the manipulation of code in email messages amounted to the kind of “deceitful and dishonest access” imagined by the New York Court of Appeals in Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 25 N.Y.3d 675, 680 (2015), where the court held that fraud occurs where the perpetrator violates the integrity of a computer system through unauthorized access, and denied coverage for fraud caused by the submission of fraudulent data by authorized users. Thus, the manipulation of code in the email messages sent to Medidata, such that the messages arrived at Medidata users’ inboxes displaying the name and photograph of Medidata’s president and other executives, amounted to the type of fraud requisite to trigger coverage. Likewise, the court found that because the chain of events that led to the fraudulent transfer was initiated by the fraudsters’ emails, and not Medidata employees, a sufficient causal nexus existed between the fraudulent conduct and the resulting transfer and loss to merit coverage.
The court also found coverage was implicated under the policy’s funds transfer fraud coverage. There, Medidata argued that coverage was implicated because the theft “(1) caused a direct loss of money; (2) by fraudulent electronic instructions purportedly issued by Medidata; (3) issued to a financial institution; (4) to deliver money from Medidata’s accounts; (5) without Medidata’s knowledge or consent.” Federal challenged only the fifth element of the funds transfer fraud provision, arguing that the funds transfer was voluntary and with Medidata’s knowledge and consent. The court rejected the insurer’s contention, finding the fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high-level employees’ knowledge and consent, which was only obtained by trick. As the court explained, “larceny by trick is still larceny. Therefore, Medidata has demonstrated that the Funds Transfer Fraud clause covers the theft in 2014.”
The Medidata decision underscores the breadth of coverage available to policyholders under their commercial crime policies for social engineering and other fraud-induced losses. Evident from the court’s ruling is that loss caused by fraud or deceit is indeed covered and mere technicalities, such as whether an employee purposefully initiated the transfer of funds, serve no purpose in determining whether a claim in fact implicates coverage. Rather, as the court made clear, “larceny by trick is still larceny,” and the fact that an employee is duped into transferring funds is as much a theft as if the funds were stolen directly.
Medidata also illustrates the complex factual questions that can arise in cases of social engineering and cyber breaches, generally. The decision likewise illustrates the considerable uncertainty that exists under new and rapidly evolving “cyber” insurance policies. These policies are not standard and are largely untested in the courts, making them susceptible to more than one plausible interpretation. It is important, therefore, that policyholders obtain the advice of experienced insurance coverage attorneys to determine whether their “cyber” insurance is, in fact, sufficient to meet their cybersecurity needs and, when necessary, enforce their right to recovery.