The legal landscape for insurance coverage for business email scams remains unsettled, but a recent decision from a Manhattan judge ordering an insurer to cover $4.8 million in losses for a company that fell victim to a "spoofing" scam may give plaintiffs a new weapon in coverage disputes.
Southern District Judge Andrew Carter Jr. granted summary judgment for Medidata, which sued Federal Insurance Co., a subsidiary of insurance giant Chubb Ltd., saying the losses the company suffered when an imposter tricked its accounts payable department into wiring money are covered by computer fraud provisions in its insurance policy.
Carter said that, under Federal's interpretation of case law, coverage for computer fraud would require a thief to hack into a company's computer system and initiate a bank transfer.
"But hacking is one of many methods that a thief can use and is an everyday term for unauthorized access to a computer system," the judge wrote.
Medidata provides cloud-based computing services for scientists conducting clinical trials.
Email appeared to be from company's president
In 2014, the Medidata employee responsible for travel and entertainment expenses received an email in which the sender, claiming to be the company's president, said that an attorney named Michael Meyer would contact her about the company's effort to finalize an acquisition.
A man holding himself out to be Meyer contacted the employee and said he would need an immediate wire transfer.
After the employee said she would need to clear the transaction with Medidata's vice president and director of revenue, all three employees received a group email from someone claiming to be Medidata's president requesting the funds transfer. They complied and wired almost $4.8 million to an account in China that Meyer provided.
After the supposed attorney asked for a second transfer, however, the vice president became suspicious and the president was contacted in a separate email. After the president said he did not request either of the wire transfers, the company contacted the FBI.
Money never recovered
According to court papers, the identities of the scammers were never revealed and Medidata's money was never recovered. Medidata had a $5 million policy with Federal containing a section that covers computer fraud, but the insurer denied Medidata's claim, saying there was no fraudulent entry of data into the company's computer system.
But Carter said that Federal is relying on an overbroad reading of the New York Court of Appeals' 2015 decision in Universal American v. National Union Fire Insurance, 25 NY3d 675, in which the court said fraud achieved through a violation of a computer system through "deceitful and dishonest access" should be covered.
No industry standard?
Carter's decision comes at a time when courts around the country remain at odds over whether or not insurance claims should cover the types of attacks that befell Medidata, which are becoming more prevalent.
"I don't think there's quite an industry standard for how these policies look," said Brian Collins, a Philadelphia-based attorney for Offit Kurman who handles insurance litigation matters.
On one hand, the U.S. Court of Appeals for the Eighth Circuit found last year in State Bank of Bellingham v. BancInsure, No. 14-3432, that a bank's financial institution bond covered a malware attack that allowed infiltration into the bank's computer system, which resulted in two fraudulent wire transfers from a Minnesota bank to Poland.
On the other hand, the U.S. Court of Appeals for the Fifth Circuit found that the insurance policy for the Apache Corp., a Houston-based oil company, did not cover $7 million in payments to bank accounts controlled by scammers using spoof email addresses.
Receiving trojan emails
To defend against Medidata's suit, Federal cited the Fifth Circuit's decision in Apache v. Great American Insurance, 15-20499.
With regard to Apache, Carter said the fraud in that case was achieved through a "muddy chain of events" that included emails, phone calls and the establishment of a fraudulent bank account.
What sets Apache apart from Medidata, Carter said, is that the insured in the former case invited the computer-use: After the thieves called the company to ask to change a vendor's payment information, they were told by an Apache employee that they would need to make the request via email and attach the vendor's letterhead.
Medidata employees, by contrast, transferred funds as a direct result of receiving Trojan emails from someone masquerading as the company's president, Carter said.
'Good victory' for policyholders
Scott Godes, a Washington, D.C.-based partner at Barnes & Thornburg who was not involved with the Medidata case, said the decision was a "good victory" for policyholders, as insurance companies have fought back in the courts against providing coverage for spoofing and other types of computer attacks.
"They have tried to erect a brick wall around providing coverage for this type of claim," Godes said.
Carter did, however, find that Federal's policy did not cover Medidata's forgery claim.
The parties "vehemently" disputed whether or not the spoofed emails in which the sender posed as the president of the company, the judge said, but said the absence of a forged financial document is fatal to Medidata's claim.
Contact Andrew Denney at [email protected]. On Twitter: @messagetime