Plaintiff, Medidata Solutions, filed a 2015 lawsuit against Federal Insurance Company for coverage of a $4.8M fraudulent wire transfer (Cause No. 1:15-cv-00907 S.D.N.Y). According to the facts of the case, Medidata notified its finance department of a potential acquisition that could require urgent assistance in the summer of 2014. With knowledge of this transaction, the cyber thief used common social engineering tactics to consummate the fraud. He spoofed the e-mail address of Medidata’s president in numerous requests and impersonated an attorney over the phone to dupe an accounting employee to complete the fraudulent wire.
Medidata held a $5M insurance policy with Federal that contained a “Crime Coverage Section” that addressed losses caused by criminal acts, including “Computer Fraud,” “Funds Transfer Fraud,” and “Forgery.” Medidata submitted a claim for coverage in September of 2014 under these provisions, and in December of 2014, Federal denied coverage because (1) there had been no fraudulent entry of data in Medidata’s computer system, (2) the wire transfer was approved by Medidata employees, and (3) the e-mails in question did not contain an actual signature or forgery. Medidata disagreed and filed suit.
For the most part, Judge Carter of the Southern District of New York agreed with Medidata. On summary judgment, he ruled that this fraud, including the spoofing of e-mails, falls within the kind of “deceitful and dishonest access” into Medidata’s computer system imagined by the New York Court of Appeals under the “Computer Fraud” provision, and that the “Funds Transfer Fraud” provision also covers the loss, since it was undisputed that the wire would not have been initiated without manipulation of the e-mails. Thus, Federal is on the hook for the fraudulent transfer. The judge denied coverage under the “Forgery” provision because the spoofed e-mails did not amount to forgery of a financial instrument.
These courtroom battles continue as insurers and their clients fight over coverage for cyber incidents. We expect cyber insurance policies to change and evolve along with the case law and the sophistication of these cyberattacks, so make sure your company selects a policy that fits its cyber risk profile. No one wants to pay premiums for a cyber policy that will never pay out.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.