A recent decision by a New York federal judge in the burgeoning area of cyber coverage has significantly expanded the scope of covered losses that involve scams or theft by the hackers and scammers in cyberspace. The name of the case is Medidata Solutions v. Federal Insurance Company, and it was just decided in July of this year.
The officers and employees of Medidata were the targets of an email spoof, whereby scammers obtained access to the Google platform upon which this company operated. They were sent email messages that appeared to come from the president of the company, directing the key people in the company to wire transfer money in connection with a fictitious acquisition that was close to being finalized.
The emails included the president’s name, email address, and a picture in the “from” field. The email message was followed up by a phone call from a lawyer, identified in the fraudulent emails, who was not an actual attorney. The person posing as an attorney demanded that the director of the finance department process a wire transfer in connection with this spoof for nearly $5 million.
The employee from the finance department said he needed an additional email from the president of the company, as well as a sign off from two other company employees, the vice president of the company and the director of revenue. So, these fraudsters actually sent another email to all three of them, in a group email from the president, which was also a spoof, saying, “I’m currently undergoing a financial operation in which I need you to process and approve a payment on my behalf. I already spoke with Alicia; she will file the wire and I would need you two to sign off.”
Again, this was a spoof email that looked like it was coming from the president of the company. The director of finance logged onto the system and initiated a wire transfer, and the other two directors and officers signed off on it. When a second wire transfer was attempted through the same scam, one of the employees noticed something odd about the email and reached out to the president, who said he had never authorized that or the initial transaction.
So, the spoof succeeded in accomplishing a scam of nearly $5 million. The company had a $5 million insurance policy, and they submitted a claim. The policy itself had a “crime coverage section,” which covered losses caused by various criminal and fraudulent acts, including computer fraud. The policy also covered funds transfer fraud under the crime coverage section of the policy.
The insurance company denied the claim and the insured, Medidata, filed a lawsuit against the insurance company. After discovery was conducted, the parties both moved for summary judgment. The judge granted summary judgment in favor of the insured, Medidata, and against the insurance company.
In making the ruling, the judge decided that, as a matter of law, this particular scam was covered under both the computer fraud and funds transfer fraud sections of the crime coverage portion of the policy. In making this ruling, the judge distinguished some other cases, one by New York’s highest court, the New York Court of Appeals, and one by a federal appeals court in another part of the country.
The judge ruled that the language of the policy can’t be read to only require coverage when someone actually hacks in and causes a scam transaction to occur. In this situation, the scammers hacked into the Gmail system in order to create these spoof emails. Therefore, the perpetrators of the fraud gained unauthorized access to Medidata’s overall computer system and used that access to dupe these employees into transferring nearly $5 million to them.
So, the court ruled that the email spoof scam was covered and said that previous court decisions limiting coverage under the crime coverage section only to pure hacking scams did not prevent coverage for the loss under these circumstances. Under this ruling, “hacking” has a broader meaning, a meaning that includes a scammer abusing their unauthorized access to your system, not just by taking complete control of your data and manipulating it to their own ends.
This case involved manipulation of the computer system as part of a fraudulent scheme to steal. While this can be interpreted as a broader reading of other cases to create coverage, it certainly is a reasonable reading of the crime coverage section of the policy, and policy holders have a reasonable expectation that a scam scenario like this one would be covered.
In addition, the judge ruled that the funds transfer fraud coverage section also provided coverage, because this was a direct loss of money caused by fraudulent electronic instructions issued to a financial institution to deliver money from Medidata’s accounts, without their knowledge or consent.
Now, the insurance company said, “Well, wait. This was voluntary and done with Medidata’s knowledge and consent, because all the employees who were authorized to make the transfer are the ones that did it, and they voluntarily transferred the money. So, how could you say that it was done without Medidata’s knowledge or consent?”
The judge ruled that it was without their knowledge and consent because they were fraudulently duped into doing it by the outside perpetrators. While courts have denied coverage to companies where the employees sent funds that were misappropriated, the judge viewed these facts as very different from those cases, and for good reason.
In one case, a payroll administrator transferred money out and was authorized to do so, but that same payroll administrator embezzled the funds. That’s far different than having an outside scammer cause the scam and get the funds.
In addition, there is a Bernie Madoff case where coverage was not available because the money had been voluntarily transferred to Bernie Madoff’s company for investment purposes. In that case, Madoff’s company was expressly authorized to act as the policyholder’s broker and agent. Therefore, it wasn’t an unauthorized transfer of money. The fact that Madoff stole money he was authorized to receive and received via authorized means is, like the embezzling payroll administrator, a different form of fraud, but not the type of fraud that would be covered under this type of policy.
The court here read the crime fraud coverage section of this policy to create avenues of coverage that should be available when computer fraud or funds transfer fraud occurs. I do not know whether or not this case will be taken up on appeal, but for now, it’s a very important decision for policyholders seeking coverage under these policies, especially given the new and creative ways that cyber scammers continue to develop to defraud businesses.
Evan S. Schwartz
Founder of Schwartz, Conroy & Hack