In a recent article appearing in Florida’s Daily Business Review (available here), Hunton Insurance Recovery Practice team head, Walter Andrews, explains why phishing and whaling scams should be covered by insurance. In the article, Andrews notes that recent appellate decisions support policyholders’ reasonable expectations of coverage and reject insurers’ contentions that social engineering losses do not result directly from the use of computers. Andrews goes on to explain that should a company find itself a victim of a phishing or whaling attack, it should carefully assess its insurance coverage to determine whether it applies to the loss, including under both traditional insurance policies and specialized cyber insurance products, and not be dissuaded by their insurers’ initial denial of coverage.
In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in a $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.
In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common sense application of the plain language of Medidata’s computer fraud coverage provision. As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company’s computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”
On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudsters manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.
Phishing attacks are on the rise, and they are targeting Microsoft’s flagship cloud-based products. According to a report by specialist data breach insurer Beazley, hackers have increased attempted and successful attacks on Microsoft Office 365, especially systems used by financial, health care, and professional services organizations. These attacks are deceptively simple, relying on employees and contractors falling for fake, yet well disguised, Microsoft communications, like a HelpDesk message or a survey. Once employees or contractors interact with these communications, they are prompted to enter personal information, which allows the hackers access to confidential information. This information allows the intruders to steal customer data, initiate bank transfers, and gain access to additional employees’ accounts. Microsoft 365’s default settings compound the dangers of these attacks because they decrease the ability to track how many accounts are compromised.
Highlighting the continued problems faced by policyholders in obtaining coverage for “computer fraud,” a Michigan district court recently held that a manufacturer could not recover $800,000 in funds lost after an employee mistakenly wired payment for legitimate vendor invoices into a fraudster’s bank account after receiving a spoofed e-mail requesting payment. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 16-12108 (E.D. Mich. Aug. 1, 2017), the district court applied state law favoring a narrow interpretation of the crime policy’s computer fraud provision to hold that the policyholder had not suffered a “direct” loss that was “directly caused” by the use of any computer.
Hunton & Williams insurance practice head Walter Andrews commented in a July 25, 2017, Law360 article concerning a New York federal court’s recent decision in Medidata Solutions, Inc. v. Federal Ins. Co., where the court found coverage for a $4.8 million “social engineering” loss that occurred after Medidata received fraudulent emails that caused accounting personnel to wire funds to a fake bank account in China. The decision, which was the subject of a July 24, 2017, Hunton blog post, focused on two main issues: (1) whether the fraudulent emails amounted to an infiltration of the bank’s computer systems; and (2) whether the fact that Medidata employees voluntarily initiated the funds transfer mattered under the terms of Medidata’s commercial crime insurance policy. Andrews succinctly addressed both issues, stating that “an employee being duped into transferring funds via email is functionally the same as the funds being stolen outright.” With the latter being unquestionably covered, so too should the former.
A federal judge in New York awarded summary judgment on Friday in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision and funds transfer fraud provision. The award comes after District Judge Andrew L. Carter, Jr., ruled in March 2016 that additional expert discovery was needed concerning the manner in which the fraudsters manipulated Medidata’s computer systems.
The lawsuit, discussed in an August 18, 2016, Hunton & Williams blog post, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud, forgery and funds transfer fraud. Federal argued that Medidata’s claim was not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.
Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as “WannaCry,” disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through “phishing attacks,” which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.
In a case filed in California last week, an insurer once again has taken the position that funds disbursed to computer hackers because of fraudulent commands received via e-mail from hackers are somehow distinguishable from the hacker misappropriating the funds directly. They are not. The typical scheme, via social engineering commonly known as “business e-mail compromise” or “CEO fraud,” involves an e-mail from a high-level executive’s e-mail account directing a subordinate employee to wire funds to a bank account actually owned by a third-party scammer, the true author of the email. Insurers have denied coverage for such liabilities, contending that their policies do not cover voluntary disbursements of company funds – as if the insureds intended to give their funds away to the bad guys!