For businesses both large and small, cybersecurity threats continue to proliferate, to the point where being the victim of a cyberattack seems almost inevitable. According to a recent study, cybercrime cost the global economy $454 billion in 2016. As such, cyber insurance policies have become an increasingly popular method of mitigating the resulting losses, which can encompass both financial and reputational harm. For example, insurers have reported a "rapid rise" in cyber insurance policies following the June 2017 "Wannacry" ransomware attack.
The cyber insurance market is projected to grow from $1 billion in 2015 to over $7 billion in the next five to ten years, depending on the source of the projection. Given recent trends, this estimate is unsurprising. Insurers have taken note; in the early 2000s, fewer than a dozen offered cyber insurance coverage, whereas more than 70 do as of 2016.
Courts have begun to encounter a growing number of disputes over cyber insurance coverage, mostly relating to the scope of coverage rather than to its existence. One recent example is the Southern District of New York's decision in Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-cv-907 (ALC) (S.D.N.Y. July 21, 2017). The Medidata court confronted myriad issues, including: (1) whether the insured was covered based on unauthorized access to (not use of) its computer systems; and (2) whether there existed a sufficient connection between employee communications with a thief posing as the company's president and a fraudulent wire transfer of nearly $5 million.
Facts and Procedural Background
In 2014, Medidata Solutions, Inc. (Medidata), a cloud computing service provider, informed its finance department of near-term business plans, including a potential acquisition. Medidata also instructed its finance team to "be prepared to assist with significant transactions on an urgent basis."
On September 16, 2014, Alicia Evans (Evans), an employee in Medidata's accounts payable department, received an email purportedly sent from Medidata's president. Evans was responsible for processing Medidata's travel and entertainment expenses. The message contained the president's name, email address and picture in the "From" field, and it told Evans that Medidata was close to finalizing an acquisition and that an attorney named Michael Meyer (Meyer) would soon contact her. On the same day, Evans received a call from a man claiming to be Meyer. He demanded that Evans initiate and process a wire transfer in the amount of $4,770,226.00, and said that a physical check would not be sufficient because of "time constraints." Evans explained that she needed: (1) an email from Medidata's president requesting the transfer; and (2) approval from two Medidata managers.
The managers and Evans then received an email purportedly sent from Medidata's president instructing them to execute the wire transfer to Meyer because he was "currently undergoing a final operation." The group email contained the president of Medidata's email address in the "From" field and a picture next to his name. The transfer was approved and the money wired to Meyer.
Two days later, Meyer contacted Evans requesting another wire transfer. Evans initiated the second transfer, which was approved by one of the managers. However, the other manager thought the email address in the "Reply To" field seemed suspicious. He raised his qualms with Evans, who composed a new email to Medidata's president inquiring about the wire transfers. Medidata's president responded that he had not requested either.
Realizing it had been defrauded, Medidata contacted the FBI and hired outside counsel to conduct an investigation. The investigation discovered that an unknown actor "spoofed" the emails sent to Evans and the Medidata managers to appear as if Medidata's president was the sender. Spoofing has been defined by another court in this District as "the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it did not actually originate." Spoofing generally entails placing in the "From" or "Reply-to" fields of an email an email address other than the actual sender's email address.
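The "Reply To" discrepancy that tipped off the second manager can be turned into a routine check on incoming mail. The following is an added example, not code from the case record or the court; the messages and addresses are constructed placeholders, and the trusted domain and executive directory are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation settings (constructed for this example).
TRUSTED_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"company president": "president@example.com"}

# Constructed sample messages, not taken from the case record.
SUSPECT_MSG = """\
From: "Company President" <president@example.com>
Reply-To: president@example-mail.net
To: evans@example.com
Subject: Urgent wire transfer

Please process the transfer today.
"""

NORMAL_MSG = """\
From: "Company President" <president@example.com>
To: evans@example.com
Subject: Quarterly numbers

See attached.
"""

def parse_header(msg, name):
    """Return (display_name, address, domain) for an address header, or Nones."""
    value = msg.get(name)
    if not value:
        return None, None, None
    display, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower() or None
    return display, addr.lower() or None, domain

def review_headers(raw, trusted_domain=TRUSTED_DOMAIN, executives=KNOWN_EXECUTIVES):
    """List reasons a payment request should be verified out of band before acting."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr, from_dom = parse_header(msg, "From")
    _, _, reply_dom = parse_header(msg, "Reply-To")
    # A Reply-To pointing outside the From domain routes the reply to someone else.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if from_dom == trusted_domain and reply_dom and reply_dom != trusted_domain:
        findings.append("reply would leave the organisation despite an internal-looking sender")
    # A known executive's display name paired with an unexpected address is a red flag.
    expected = executives.get((from_name or "").strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name {from_name!r} does not match directory address {expected!r}")
    return findings
```

A finding does not prove fraud; it marks the request for confirmation through a channel the sender did not choose, as the manager in the case effectively did.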
Medidata held a $5 million insurance policy (the Policy) with Defendant Federal Insurance Company (Federal). The Policy included a section covering various criminal acts, including "Computer Fraud Coverage," which included coverage for "Computer Violation[s]," such as: "the fraudulent (a) entry of Data into … a Computer System" and the "change to Data elements or program logic of a Computer System" of Medidata's computer system. The Policy circumscribed coverage for "Computer Fraud" to the "direct loss of Money, Securities or Property sustained by [Medidata] resulting from [the wire transfer scheme] committed by [a third party: the thief posing as Medidata's president]" (emphasis added).
Medidata submitted a claim to Federal requesting coverage for the damages resulting from the wire transfer to Meyer. Federal denied coverage under the computer fraud clause because there had been no "fraudulent entry of Data into Medidata's computer system." Medidata then brought the instant action, and the parties cross-moved for summary judgment.
Legal Analysis and Conclusion
Under New York law, insurance policies are interpreted consonant with general rules of contract interpretation.
Medidata first argued that the computer fraud clause covered its loss because the address in the "From" field of the spoofed emails represented manipulated data, i.e., computer code entered by the thief posing as Medidata's president. Federal argued that the 2014 loss was not covered by the computer fraud clause because the fraudulent emails did not involve access to Medidata's computer system, a manipulation of the system, or the entry of fraudulent information.
The Court agreed with Medidata and held that "as a matter of law," the "unambiguous language" of the computer fraud policy encompassed coverage for the 2014 loss because the perpetrator's manipulation of email code fell within the purview of the "deceitful and dishonest access" standard referenced in the Court of Appeals' decision in Universal Am. Corp. v. Nat'l Union Fire Ins. Co., 25 N.Y.3d 675 (2015). Unlike in Universal, where a health insurance company was defrauded by healthcare providers with authorized access to the insurance company's system, the thief's use of computer code in the instant case to mask the true origin of the spoofed emails, i.e. not the president of Medidata, was covered under the computer fraud provision based on the unauthorized access to Medidata's "Computer System[s]."
Federal argued additionally that the Policy only covered hacking into Medidata's computer system, i.e., a direct form of unauthorized access wherein the hacker initiated the wire transfer, whereas Medidata's spoofing occurred only after the conversion of the email information by an intermediary email processor. Although acknowledging that the Universal court "peppered its opinion with references to hacking," the Court in the instant case found that the Policy's coverage for fraud applied more broadly to when a "perpetrator violates the integrity of a computer system through unauthorized access[,]" which in this instance involved manipulating the computer code in Medidata's email delivery system to spoof the "From" field with the address of Medidata's president.
Federal additionally argued that even if the Policy covered the spoofing of the email address of Medidata's president, there was "no direct nexus" between the spoofing and the fraudulent wire transfer. Specifically, the causation element was lacking because Medidata received a call from Meyer (subsequent to the email) and Evans/the Medidata managers took additional steps in approving the wire transfer.
Again, the Court disagreed with Federal's argument and held that the facts at hand did rise to the level of causation necessary to trigger the Policy's coverage. The Court distinguished Federal's supporting cases for a number of reasons, including on grounds that the victim in the supporting cases invited the spoofed emails, and in another case, that the insured was bringing a claim on behalf of a client and not as a directly injured party. See, e.g., Apache Corp. v. Great Am. Ins. Co., 662 F. App'x 252 (5th Cir. 2016); Taylor & Lieberman v. Fed. Ins. Co., No. 15-56102, 2017 WL 929211, at *1 (9th Cir. Mar. 9, 2017). Unlike those cases, Medidata's claim was based on an unsolicited spoofed email to Evans, and Medidata brought a claim as the insured.
Accordingly, the Court granted Medidata's motion for summary judgment as to the computer fraud provision of the Policy.