On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudsters manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.

The lawsuit, discussed in Hunton Andrews Kurth blog posts on August 18, 2016 and July 24, 2017 and July 25, 2017, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud.  Federal denied coverage for the claim, arguing that Medidata’s claim was not covered because, among other things, there had been no manipulation of Medidata’s computers.  Federal further argued that Medidata did not suffer a “direct loss” as a result of the spoofing attack, since Medidata employees caused the funds to be transferred to the fake bank.

The Second Circuit affirmed the district court’s decision, finding that the entry of data into the computer system squarely satisfied the computer fraud provision, which affords coverage for loss stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system.  The Second Circuit also rejected Federal’s argument that Medidata’s loss did not result directly from the spoofing attack, which was necessary for a finding of coverage since the policy requires a direct or proximate causal link between the fraudulent activity and the resulting loss.  As the appellate court explained, however, “[i]t is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”

Medidata confirms the breadth of coverage available to policyholders under their commercial crime policies for social engineering and other computer-related fraud-induced losses. The decision also helps overcome the artificial distinction that insurers have tried to maintain between a computer hack-type event and a social engineering intrusion, both of which necessarily entail accessing the target’s computer systems or data and manipulating those systems in a fraudulent manner.  Finally, the decision illustrates that all policies should be consulted whenever there is a loss, and that policyholders should seek advice from counsel with expertise in this area to make sure they get the policy wording correct.  Doing so may help avoid costly and protracted litigation following a loss.