Is that really an email from the CEO?
Posted on 02/17/2017 at 08:00 AM by John Lande
This blog recently covered ongoing litigation between Medidata Solutions, Inc. and its insurance company, Federal Insurance Company, over losses resulting from email fraud. The case began after fraudsters tricked employees at Medidata into wiring $4.8 million to overseas bank accounts. The fraudsters impersonated a Medidata executive in email communications to accounting department employees.
After Medidata discovered the fraud, it made a claim on its Federal Insurance Company insurance policy. Federal Insurance Company denied the claim and argued that the policy doesn’t cover (1) fraud committed by employees and (2) fraud resulting from voluntary employee conduct. Medidata sued Federal Insurance Company.
One of the critical issues for determining whether Federal Insurance Company is obligated to provide coverage is whether fraudsters actually infiltrated Medidata’s computer systems. Medidata and Federal Insurance Company engaged in extensive discovery to try to answer that question.
Expert analysis revealed that fraudsters sent Medidata “spoofed” emails. These emails appeared to be from Medidata executives, but in reality were from an outside source. Fraudsters never actually gained unauthorized access to Medidata’s systems.
Federal Insurance Company argues that this means that the computer-fraud coverage provisions in its insurance policy don’t cover Medidata’s losses. Federal Insurance Company also points out that Medidata employees testified that they would not have authorized the transfer of $4.8 million without verbal approval. In this case, Medidata employees engaged in telephone conversations with someone claiming to be an “attorney” who could authorize the wire transfer. In reality, the “attorney” was a fraudster.
Both Federal Insurance Company and Medidata asked the Court to rule in their favor. However, after reviewing the factual background, the Court ordered Medidata and Federal Insurance Company to conduct additional discovery. The Court instructed the parties to provide additional information regarding “the method in which the perpetrator sent its emails to [Medidata] and discussing what changes, if any, were made to [Medidata’s] computer systems when the emails were received.”
The Court’s request likely does not bode well for Medidata. The Court’s inquiry is consistent with Federal Insurance Company’s main argument—that phony emails that trick employees do not constitute computer fraud.
The parties submitted all of their remaining material on October 18, 2016, and the Court has yet to rule. If the Court does find in favor of Federal Insurance Company, it will be a significant victory for insurance companies. There has been a substantial amount of litigation involving situations similar to this case. Insurance companies have tended to prevail in these situations, which means insureds like Medidata are ultimately responsible for fraud losses.
Cases like Medidata’s are becoming increasingly common. The Iowa Attorney General recently released an alert regarding this kind of cyberattack.
Medidata’s case serves as a reminder that cyber-insurance is not going to cover every kind of loss that occurs through a computer. In order to defend against Medidata-like frauds, organizations need to couple hardware and software safeguards with other controls that minimize potential risk. For example, Medidata could have required its accounting personnel to obtain additional verifications before sending out wires over a certain dollar threshold.
Organizations need to constantly examine and update their procedures to determine the weak points in their organizational hierarchy, because insurance isn’t always going to be available to cover losses from a cyberattack.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.