Computer Fraud Policy Covers Wire Transfer Theft Induced by “Spoofed” Email
COURT REJECTS INSURER’S ARGUMENT THAT POLICY’S “DIRECT LOSS” REQUIREMENT IS NOT MET IF THE INSURERED TAKES STEPS TO INITIATE THE WIRE TRANSFER.
As email spoofing schemes have proliferated, so have coverage disputes for the resulting losses. Recent decisions demonstrate that courts are not entirely uniform in their approach to the requirement of a “direct loss.” They also underscore the importance of parsing the specific policy language, as well as understanding the technology that contributed to the fraud.
My colleague Harvey Nosowitz reported here on American Tooling Center, Inc. v. Travelers Casualty and Surety Co., 2017 WL 3263356 (E.D. Mich., August 1, 2017). American Tooling held that where the insured authorized and initiated a wire transfer in response to a fraudulent email that appeared to come from the insured’s vendor, the computer crime coverage under the insured’s crime policy did not apply because the policy required “direct loss . . . directly caused by” the computer fraud, and the insured’s intervening authorization of the wire transfer meant that the loss was not “directly” caused by the fraudulent email.
In contrast, a recent decision, Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529 (S.D.N.Y. July 21, 2017) found coverage under similar facts. A thief sent emails to a Medidata accounts payable employee that appeared to come from Medidata’s president relating to a potential acquisition. Like other internal email, the email contained the president’s name, email address and picture in the “from” field. Medidata had previously notified employees of a potential acquisition and requested that they be prepared to assist on an urgent basis. The fraudulent email stated that Medidata was close to finalizing an acquisition and that an attorney, “Michael Meyer” would contact the employee and she should devote her attention to his demands. “Michael Meyer” then called with instructions to complete a wire transfer for the acquisition. The employee followed protocol and explained that she needed an email from the company president requesting the transfer. The employee then received an email, again purporting to be from the company president, approving the payment. A Medidata vice president and as well as its director of revenue also believed that the emails were from the company’s president and as a result approved a wire transfer of $4.8 million to “Michael Meyer”.
When the scam was discovered, Medidata sought coverage from Federal Insurance Co. whose policy covered “direct loss of Money . . . resulting from Computer Fraud committed by a Third Party” “Computer Fraud” was defined as “[T]he unlawful taking or the fraudulent induced transfer of Money . . . resulting from a Computer Violation.” In turn, “Computer Violation” was defined to include “fraudulent (a) entry of Data into a Computer System . . . and (b) change to Data elements or program logic of a Computer System.” Federal asserted that coverage did not apply because there was no hacking into or change of data in Medidata’s computer system. Instead, the thief took advantage of the Gmail system used by Medidata to insert code into the email that caused Gmail to display an inaccurate address in the “from” field rather than the thief’s true email address. Then, with that false name in the “from,” line, Gmail populated the email with the president’s name and picture.
Rejecting Federal’s arguments, the court concluded that hacking was not required to trigger coverage, and instead it was sufficient that the perpetrator violated the integrity of a computer system through unauthorized access to it by the use of code embedded in the email routed through Gmail.
Federal also contended that there was no coverage because there was no “direct nexus” between the spoofed emails and the wire transfer since the emails “did not create, authorize, or release a wire transfer” and the employees also received a phone call from the thief and took other steps in approving the wire transfer. The court disagreed, holding that because the chain of events that led to the wire transfer began with the spoofed emails, the emails were a direct cause of the wire transfer. In that respect, the Medidata court takes a broader view of the “direct loss” causation requirement than did the court in American Tooling.
The Court also discussed the policy’s Funds Transfer Fraud coverage, which covered a loss of money from fraudulent electronic instructions “without Medidata’s knowledge or consent.” Again, Federal argued that coverage did not apply because the transfer was made voluntarily and with Medidata’s knowledge and consent. Again, the court rejected Federal arguments, concluding that where the transfer was induced by fraud, it was not a valid, voluntary transaction.
The court granted Federal one Pyrrhic victory. It agreed that the policy’s forgery coverage did not apply because there was no “forgery or alteration of a Financial Instrument committed by a Third Party,” as required by the policy. Although there may have been a falsification of the identity of the sender of the fraudulent emails, there was no forgery of a financial instrument.
Medidata provides a useful summary of recent case law addressing coverage under various forms of computer fraud policies. Because policy language varies, it is a good reminder of the importance of carefully reviewing the policy language to obtain the best available coverage.
Posted In: Cyber Liability