Posted on 09/07/2017 at 12:00 AM by John Lande
This blog has been following Medidata Solutions, Inc. v. Federal Insurance Co. since the litigation began over two years ago. The controversy is over whether Medidata’s computer fraud, funds transfer, or forgery insurance covers a loss resulting from an email ghosting (spoofing) campaign.
Blog readers will recall that Medidata employees received an email from someone purporting to be a Medidata executive. The “executive” informed the employees that a lawyer would be contacting the employees with wire instructions for a large funds transfer. When a real person called the employees claiming to be the lawyer, the employees followed the “lawyer’s” instructions and wired over $4 million to an overseas bank account.
The case began when Medidata’s insurance carrier, Federal Insurance, refused to cover the loss. Federal Insurance argued that Medidata’s computer fraud coverage only applied if fraudsters actually gained unauthorized access to Medidata’s computer systems. When the case began, no one knew if fraudsters hacked into Medidata’s computers, or if fraudsters merely took advantage of widely available tools to make their email addresses appear identical to Medidata executive email addresses. Federal Insurance denied coverage under the funds transfer provision because employees authorized the wire transfer. Finally, Federal Insurance denied coverage under the forgery provision because that coverage is limited to forgeries of checks and other similar instruments.
The court recently rejected Federal Insurance’s arguments regarding the computer fraud and funds transfer provisions, and ruled that the computer fraud and funds transfer provisions cover Medidata’s loss. Starting with the computer fraud coverage, the court noted that the computer fraud coverage applied to: “(a) entry of Data into or deletion of Data from a Computer System or (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format.”
The court concluded that the computer fraud provision applied because of the technical way that the fraudsters sent their ghosted, or spoofed, emails. The court likened the message itself, which is written in Internet Message Format (“IMF”), to a physical letter, and the Simple Mail Transfer Protocol (“SMTP”) used to deliver it to the envelope. In technical terms, the SMTP envelope carried the fraudsters’ real sending address, while the “From” header inside the IMF message was written to show a Medidata executive’s address. Because mail clients display the header “From” rather than the envelope sender, the ghosted email arrived in a Medidata inbox with the executive’s name and picture in the “From” line rather than the fraudsters’ email address.
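The distinction the court drew, between the envelope sender that SMTP and SPF see and the header “From” that the recipient sees, is exactly what a receiving mail system can check for. The following is an added example, not part of the original post and not Medidata’s or the court’s material: it parses two constructed messages (placeholder domains `corp.example` and `attacker.example`, a constructed `Authentication-Results` line as a receiving server might add) and flags a header “From” that does not align with the envelope sender, the SPF-authenticated domain, or the Reply-To.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not the Medidata emails). A receiving mail
# server records the SMTP envelope sender as Return-Path and its SPF check
# in Authentication-Results; the From and Reply-To headers are part of the
# IMF message the sender wrote and are what the recipient's client displays.
SPOOFED = """\
Return-Path: <billing@attacker.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=attacker.example
From: "Jane Exec" <jane.exec@corp.example>
To: clerk@corp.example
Reply-To: "Jane Exec" <jane.exec@attacker.example>
Subject: Confidential acquisition - wire instructions to follow

A lawyer will contact you shortly with wire instructions.
"""

LEGIT = """\
Return-Path: <jane.exec@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example
From: "Jane Exec" <jane.exec@corp.example>
To: clerk@corp.example
Subject: Lunch

See you at noon.
"""


def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address; handles display names and angle brackets."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def org_domain(domain):
    """Approximation of DMARC relaxed alignment: compare the last two labels.
    (Real DMARC uses the public-suffix list; two labels is enough for this example.)"""
    return ".".join(domain.split(".")[-2:]) if domain else ""


def spf_authenticated_domain(auth_results):
    """Domain that SPF vouched for, taken from an Authentication-Results header, if spf=pass."""
    m = re.search(r"spf=pass\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", auth_results, re.I)
    return m.group(1).lower() if m else ""


def analyze(raw):
    """Return a list of findings; an empty list means the From header is aligned."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) if msg.get("Reply-To") else ""
    spf_dom = spf_authenticated_domain(msg.get("Authentication-Results", ""))

    findings = []
    # Envelope (SMTP) sender vs header (IMF) From: the core of the spoof.
    if env_dom and org_domain(env_dom) != org_domain(from_dom):
        findings.append(f"envelope sender {env_dom} does not align with header From {from_dom}")
    # SPF passing for the attacker's own domain says nothing about the displayed From.
    if spf_dom and org_domain(spf_dom) != org_domain(from_dom):
        findings.append(f"SPF passed for {spf_dom}, not for the displayed From domain {from_dom}")
    # A Reply-To elsewhere routes the victim's answers to the fraudster.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points at {reply_dom}, not {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw) or "aligned")
```

The SPF check is the point to notice: SPF authenticates the envelope sender, so a fraudster sending from a domain they control passes SPF while the header “From” still shows the executive. DMARC exists precisely to require the two to align, and receiving systems that do not enforce it leave this gap open.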
Due to the way that fraudsters tricked Medidata’s system, the court concluded that fraudsters had actually entered data into a computer system, or changed data elements in Medidata’s computer system.
The court also rejected Federal Insurance’s claim that funds transfer coverage did not apply because Medidata employees voluntarily approved the wire transfer. The court explained that Medidata employees only authorized the wire transfer because fraudsters tricked them. The court explained that theft by trick is still theft, so the wire transfers were not authorized.
Federal Insurance has appealed the court’s ruling to the United States Court of Appeals for the Second Circuit. The appeal will likely take a year or more to resolve. In the meantime, insureds all over the country will cite this case in support of expansive readings of insurance policies.
Organizations should still be cautious. First, this ruling could still be reversed by the court of appeals. Second, Medidata’s victory depended heavily on the particular way that the fraudsters spoofed email. Other fraudsters may use a different technique, such as sending from a lookalike domain they registered rather than forging the “From” header. If the fraudsters’ tactics are sufficiently different, then Medidata’s case may not be precedent at all.
Medidata remains a cautionary tale for organizations of all sizes. Medidata could have avoided the loss entirely with stronger internal controls on outgoing wire transfers, such as requiring that new payment instructions be confirmed through a known phone number rather than one supplied in the request, and that a second person approve any large wire. Organizations need to continually analyze their cybersecurity defenses. Those defenses should be a layered system of internal controls, software, hardware, employee training, and, finally, insurance. Only by increasing the variety of cybersecurity defenses can organizations truly minimize risk.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande