In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common-sense application of the plain language of Medidata’s computer fraud coverage provision. As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company’s computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”
Andrews’ common-sense illustration was partly in response to the unsuccessful hyper-technical arguments raised by Medidata’s insurer, Chubb Ltd., a unit of Federal Insurance Co., whereby the insurer contended that Medidata’s loss was not the result of the fraudulent e-mails but, rather, the voluntary acts of the Medidata employees who were duped by them. That argument was soundly rejected by the Second Circuit, which explained that “[i]t is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt.”
The Second Circuit’s rejection of Chubb’s technical application of the term “direct” is particularly significant for policyholders, as it represents an acknowledgment that insurers’ technical and restrictive applications of policy terms like “direct” have no place in a world of sophisticated and multilayered theft and embezzlement schemes, many of which involve the use of computers. As Andrews further explained, “[the] decision shows that at least one appellate court will give that term a normal meaning and agree that sending emails ‘directly’ uses a computer system to cause a fraudulent transfer.”