Posted on 07/10/2018 at 10:46 AM by John Lande
This blog has been following years of litigation arising from a spoofing campaign that tricked employees at Medidata Solutions, Inc. (“Medidata”) into wiring millions of dollars to fraudsters. In Medidata Solutions, Inc. v. Federal Insurance Co., fraudsters sent spoofed emails to employees that appeared to come directly from Medidata executives. The fraudsters eventually convinced the Medidata employees to wire over $4 million to the fraudsters.
Medidata filed a claim under its computer fraud cyberinsurance coverage, but Federal Insurance Company (“Federal Insurance”) denied the claim. Federal Insurance argued that the loss was not the result of a computer fraud, because fraudsters’ spoofed emails were not the kind of hacking attack the insurance policy was intended to cover. The district court disagreed with Federal Insurance and ruled in favor of Medidata. Federal Insurance appealed to the Second Circuit Court of Appeals.
The Second Circuit agreed with the district court. In a summary ruling, the Second Circuit ruled that the spoofing attack was a violation of the integrity of Medidata’s computer systems. As a result, it fell within the scope of the computer fraud insurance clause.
Federal Insurance also argued that the loss was not covered under the policy because the employees, not fraudsters, were ultimately responsible for wiring funds. In response, the Second Circuit ruled that “[w]hile it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.” (emphasis added). In other words, Medidata employees may have wired the funds, but fraudsters were the root cause of the transaction.
This decision is an important victory for Medidata and insureds. The insurance industry was closely watching the outcome of this case, and it will no doubt have consequences for the way that cyberinsurance policies are drafted in the future.
Even though Medidata ultimately prevailed, it took over four years, and undoubtedly six figures of legal expenses, to do so. In the meantime, not only was Medidata deprived of over $4 million, but it also had to subject its employees to substantial document production and other discovery hassles. All of this could have been avoided if Medidata had implemented strong internal controls to prevent the unauthorized transfer of funds. For example, Medidata could have required more employees to be involved in authorizing wire transfers, or required supplemental verifications for wire transfers over a certain dollar threshold. Medidata could also better train its employees to detect fraudulent wire transfer requests.
This case is a cautionary tale for insureds: even though Medidata prevailed, it was an arduous road to victory. Organizations of all kinds should use the Second Circuit’s ruling as a catalyst for reviewing their own internal controls on processes like wire transfers to make sure that this never happens to them.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.