The Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018 decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy. In July, the court determined that the loss resulted directly from the fraudulent e-mails. The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems. But the court again rejected that argument, finding that access indeed occurred when the “spoofing” code in emails sent to Medidata employees ended up in Medidata’s computer system.
In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in a $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.
In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common sense application of the plain language of Medidata’s computer fraud coverage provision. As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company’s computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”
On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudsters manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.
On Tuesday, the U.S. District Court for the District of New Jersey granted Travelers’ motion to dismiss Posco Daewoo America Corporation’s suit for coverage under the computer fraud provision of its crime insurance policy. Distinguishing itself from precedent like Medidata, Principal Solutions Group, Apache and American Tooling Center, Daewoo did not seek coverage for money fraudulently transferred or stolen from its own accounts. Instead, Daewoo sought coverage for amounts that had been designated for payment to Daewoo by a third party supplier, Allnex, and stolen from Allnex after a criminal impersonated a Daewoo employee. The Court held that the crime policy did not cover the lost sums because Daewoo did not “own” the money stolen from Allnex.
Hunton & Williams insurance practice head Walter Andrews commented in a July 25, 2017, Law360 article concerning a New York federal court’s recent decision in Medidata Solutions, Inc. v. Federal Ins. Co., where the court found coverage for a $4.8 million “social engineering” loss that occurred after Medidata received fraudulent emails that caused accounting personnel to wire funds to a fake bank account in China. The decision, which was the subject of a July 24, 2017, Hunton blog post, focused on two main issues: (1) whether the fraudulent emails amounted to an infiltration of the bank’s computer systems; and (2) whether the fact that Medidata employees voluntarily initiated the funds transfer mattered under the terms of Medidata’s commercial crime insurance policy. Andrews succinctly addressed both issues, stating that “an employee being duped into transferring funds via email is functionally the same as the funds being stolen outright.” With the latter being unquestionably covered, so too should the former.
A federal judge in New York awarded summary judgment on Friday in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision and funds transfer fraud provision. The award comes after District Judge Andrew L. Carter, Jr., ruled in March 2016 that additional expert discovery was needed concerning the manner in which the fraudsters manipulated Medidata’s computer systems.
The lawsuit, discussed in an August 18, 2016, Hunton & Williams blog post, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud, forgery and funds transfer fraud. Federal argued that Medidata’s claim was not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.
In a case filed in California last week, an insurer once again has taken the position that funds disbursed to computer hackers because of fraudulent commands received via e-mail from hackers are somehow distinguishable from the hacker misappropriating the funds directly. They are not. The typical scheme, via social engineering commonly known as “business e-mail compromise” or “CEO fraud,” involves an e-mail from a high-level executive’s e-mail account directing a subordinate employee to wire funds to a bank account actually owned by a third-party scammer, the true author of the email. Insurers have denied coverage for such liabilities, contending that their policies do not cover voluntary disbursements of company funds – as if the insureds intended to give their funds away to the bad guys!
The United Kingdom’s recent vote to sever ties with the European Union will have global economic consequences. The ramifications of an EU economic retraction resulting from financial uncertainty will undoubtedly reach Latin America. The cross-border insurance industry will likely not be spared. Multinationals with local operations must be proactive to get ahead of the storm – now is the time to review the unique aspects of their business and their target markets to pinpoint their ideal risk management structure, and to ensure that their insurance regimes sufficiently anticipate the shifting risks in this dynamic bloc.
On April 14, 2016, in the case of St. Paul Mercury Ins. Co. v. Am. Bank Holdings, Inc., 15-1559, 2016 WL 1459517, at *1 (4th Cir. Apr. 14, 2016), the Fourth Circuit held that notice to a registered agent started the clock for purposes of calculating timely notice under American Bank’s liability policy with St. Paul. The policyholder, American Bank Holdings, Inc., provided untimely notice after the registered agent forwarded the underlying lawsuit to American Bank’s CFO, who was no longer with the business. With no apparent back-up for the CFO, the underlying lawsuit remained untouched until the plaintiff obtained and sought to enforce a $98.5 million default judgment. When American Bank alerted St. Paul, the insurer denied coverage based on untimely notice under the policy’s provision that notice be given “as soon as practicable, but in no event later than: (a) sixty (60) days after expiration of the Policy Year in which the Claim was first made.” American Bank later spent approximately $1.8 million in attorneys’ fees and costs getting the default judgment vacated and the state-court lawsuit dismissed.