New York Court Orders Cyber-Insurance Coverage for a Multi-Million Dollar Spoofing Scam
October 10, 2017
Businesses that fall victim to email scams are often left footing the bill for the fallout. However, a recent decision by a New York judge should give businesses more leverage when seeking insurance coverage for their losses. In Medidata v. Federal Insurance, Southern District Judge Andrew Carter Jr. ruled that an insurer must cover $4.8 million in losses for a company that mistakenly wired money to the perpetrators of an email spoofing scam.
Rise in Sophisticated Email Spoofing Scams
In an email spoofing scam, the scammers send emails to a target organization that impersonate a legitimate contact, such as a vendor or business partner. The spoofed email uses domain names that closely resemble those of the organization being impersonated. The fraudulent message instructs the recipient to send money via wire transfer to a new bank account. Unlike less sophisticated email-based cyberattacks, the spoofed emails appear legitimate: the body of the email contains no spelling or grammatical errors, and the perpetrators generally use appropriate legal and financial terminology. Not surprisingly, these scams are frequently successful, particularly when members of the organization have not been trained to spot them.
Company Falls Victim to Cyberattack
In the summer of 2014, Medidata notified its finance department of a possible acquisition. Alicia Evans (Evans) worked in accounts payable and was responsible for processing all the company’s travel and entertainment expenses. On September 16, 2014, Evans received an email purportedly sent from Medidata’s president. The email message contained the president’s name, email address, and picture in the “From” field.
The message to Evans stated that Medidata was close to finalizing an acquisition and that an attorney named Michael Meyer (Meyer) would contact Evans. That same day, Evans received a phone call from a man who held himself out to be Meyer and demanded that Evans process a wire transfer for him. Evans explained to Meyer that she needed an email from Medidata’s president requesting the wire transfer, as well as approval from Medidata Vice President Ho Chin (Chin) and Director of Revenue Josh Schwartz (Schwartz).
Chin, Evans, and Schwartz then received a group email purportedly sent from Medidata’s president stating: “I’m currently undergoing a financial operation in which I need you to process and approve a payment on my behalf. I already spoke with Alicia, she will file the wire and I would need you two to sign off.” In response, Evans logged on to Chase Bank’s online system to initiate a wire transfer. Schwartz and Chin subsequently approved it, and $4,770,226.00 was wired to a bank account that was provided by Meyer.
On September 18, 2014, Meyer contacted Evans requesting a second wire transfer. Evans initiated the second wire transfer and Schwartz approved it. However, Chin thought the email address in the “Reply To” field seemed suspicious. Evans composed a new email to Medidata’s president inquiring about the wire transfers. He informed Evans and Chin that he had not requested the wire transfers, and the employees then realized that the company had been defrauded. Medidata contacted the FBI, and a subsequent investigation revealed that an unknown actor altered the emails that were sent to Chin, Evans, and Schwartz to appear as if they were sent from Medidata’s president.
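The clue that eventually exposed the second transfer was a “Reply To” address that did not match the apparent sender, and the scam described above relied on lookalike domains. The following added example (not part of the original article, and not Medidata’s or any vendor’s code) shows the kind of header check a mail gateway or SOC script can apply to catch both signals before a message reaches accounts payable; the organization domain, executive directory and sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import difflib

# Constructed values: the article does not give Medidata's real domain or addresses.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"Pat President": "president@example-corp.com"}  # hypothetical directory

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain: str) -> bool:
    """Flag a domain that closely resembles the organization's own but is not it."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8

def check_message(raw: str) -> list[str]:
    """Return the reasons a message that appears to come from an executive looks spoofed."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    known = EXECUTIVES.get(from_name)
    if known and from_addr.lower() != known:  # executive's name on a foreign address
        findings.append(f"display name '{from_name}' with unexpected address {from_addr}")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):  # the Medidata clue
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    for d in {domain_of(from_addr), domain_of(reply_addr)}:
        if is_lookalike(d):
            findings.append(f"lookalike domain {d}")
    return findings

# Constructed samples: From looks legitimate, Reply-To points at a lookalike domain.
SPOOFED = """From: Pat President <president@example-corp.com>
Reply-To: Pat President <president@examp1e-corp.com>
Subject: Urgent wire for acquisition
"""
LEGIT = """From: Pat President <president@example-corp.com>
Subject: Lunch
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw))
```

A real deployment would also consult SPF/DKIM/DMARC results and require out-of-band confirmation of any new payee before a wire is released, which is the control that would have stopped the first transfer here.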
Relevant Insurance Coverage
Medidata sought insurance coverage for the fraud under a $5,000,000 insurance policy with Federal Insurance Co. (Federal). The “Federal Executive Protection Policy” (Policy) contained a “Crime Coverage Section” addressing loss caused by various criminal acts, including Forgery Coverage, Computer Fraud Coverage, and Funds Transfer Fraud Coverage. After Federal denied coverage, Medidata filed suit.
The Policy’s “Computer Fraud Coverage” protected the “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” The Policy defined “Computer Fraud” as: “[T]he unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” A “Computer Violation” included both “the fraudulent: (a) entry of Data into…a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine-readable format…directed against an Organization.”
The Policy’s Funds Transfer Fraud Coverage protected “direct loss of Money or Securities sustained by an Organization resulting from Funds Transfer Fraud committed by a Third Party.” It defined “Funds Transfer Fraud” as: “fraudulent electronic…instructions…purportedly issued by an Organization, and issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by such Organization at such institution, without such Organization’s knowledge or consent.”
The Policy’s Forgery Coverage protected “direct loss sustained by an Organization resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.” “Forgery” is defined as “the signing of the name of another natural person…with the intent to deceive…Mechanically or electronically produced or reproduced signatures shall be treated the same as hand-written signatures.”
Court Orders Insurer to Pay Claim
Judge Carter granted summary judgment for Medidata. He specifically held that the “unambiguous language of the Computer Fraud clause provides coverage for the theft from Medidata.”
In reaching his decision, Judge Carter rejected Federal’s narrow interpretation of the New York Court of Appeals’ decision in Universal American v. National Union Fire Insurance, in which the court held that the insurance policy only provided coverage for a violation of the integrity of the computer system through deceitful and dishonest access. “In this case, Federal focuses on the thief’s construction of the spoofed emails and computer code before sending them to Gmail, arguing that, as a result, there was no entry or change of data to Medidata’s computer system,” Judge Carter wrote. “Under this logic, Universal would require that a thief hack into a company’s computer system and execute a bank transfer on their own in order to trigger insurance coverage. However, this reading of Universal incorrectly limits the coverage of the policy in this case.”
He added: “Universal is more appropriately read as finding coverage for fraud where the perpetrator violates the integrity of a computer system through unauthorized access and denying coverage for fraud caused by the submission of fraudulent data by authorized users.”
Judge Carter also determined that Medidata was entitled to coverage under the Funds Transfer Clause. He rejected Federal’s argument that the bank wire transfer was voluntary and with Medidata’s knowledge and consent. “The fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction,” the court explained. “To the contrary, the validity of the wire transfer depended upon several high-level employees’ knowledge and consent which was only obtained by trick. As the parties are well aware, larceny by trick is still larceny.”
Lastly, Judge Carter found that the theft did not trigger coverage under the Forgery Clause because the Policy requires a “direct loss resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.” As he explained, “Even if the emails contained a forgery, the absence of a financial instrument proves fatal to Medidata’s claim for coverage.”
Message for New York Businesses
Companies should have data security policies and procedures in place to thwart email-based cyberattacks such as spoofing scams. Should prevention fail, the court’s decision in Medidata v. Federal Insurance makes it more likely that insurance coverage will be available to cover your losses. Nonetheless, it is always wise to review your relevant insurance policies regularly to identify any potential gaps in coverage, particularly with respect to growing cybersecurity threats, and to obtain additional coverage, if necessary, to close those gaps.
Do you have any questions? Would you like to discuss the matter further? If so, please contact me, David Einhorn, at 201-806-3364.