It’s the stuff that dreams are made of. Humphrey Bogart delivers this memorable line at the end of The Maltese Falcon, summing up the allure of the shady characters’ search for the eponymous, elusive relic. Pro-policyholder case law can be equally elusive, especially when unsettled areas of insurance law, like coverage for cyber losses, are at issue.
In a prior post, I wrote about Medidata Solutions v. Federal Insurance Company,1 a favorable cyber-insurance decision from the Southern District of New York. The court held that the policyholder, spoofed via e-mail into wiring almost $4.8 million to an unknown overseas bank account, was covered under a computer fraud policy.
The policy provision at issue afforded covered for losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system.
In a recent summary order, a unanimous panel of Second Circuit Court of Appeals judges affirmed the District Court’s decision granting the policyholder’s motion for summary judgment and awarding the company nearly $6 million in damages and interest.2 Seeking to avoid coverage, the insurer argued on appeal that the spoofing attack was not covered because the policy applies only to hacking-type intrusions – i.e., a violation of the integrity of the computer system through deceitful and dishonest access.
The Second Circuit agreed with the District Court that the plain and unambiguous language of the policy covers the policyholder’s losses. The Second Circuit noted that the company was not hacked in the traditional sense but emphasized that the policyholder’s email system was manipulated by the fraudster’s computer-based attack. Because the parties agreed the e-mail system is a “computer system” within the meaning of the subject policy, the Second Circuit held:
“The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus, the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.”
The insurer also argued that Medidata did not sustain a “direct loss” as a result of the spoofing attack, within the meaning of the policy. The Second Circuit rejected this argument because the spoofed emails told Medidata employees to transfer funds in accordance with an expected deal, and the employees made the transfer that same day. The appellate court further explained that under New York law, the phrase “direct loss” generally means proximate cause and thus, the spoofing attack was the proximate cause of Medidata’s losses.
Even though Medidata employees effected the fraudulent transfer, the court found their intervening actions did not sever the causal relationship between the spoofing attack and the losses incurred. This is because the employees believed they were acting at the direction of a high-ranking company officer, triggering coverage under the policy.
The takeaways:
- Coverage for cyber-crimes and cyber-losses is a rapidly emerging area of insurance law, but policy language has not been subject to widespread judicial interpretation.
- As my colleague Iris Kuhn points out in a recent blog, judicial interpretation will continue to evolve.
- For now, it appears the Medidata rulings provide strong arguments for policyholders —and guidance for courts— to consider in future coverage disputes involving phishing and other social engineering scams. (To paraphrase Humphrey Bogart again, cases like this might signal the beginning of a beautiful friendship between policyholders and the courts on unsettled cyber issues).
- We will continue to track and write about cyber-insurance issues, so check back soon. If you have questions about cyber insurance or the need to implement safeguards to mitigate cyber risks, make sure you consult coverage counsel and other professionals before a loss occurs.
_____________________
1 Medidata Solutions Inc. v. Federal Ins. Co., case number 1:15-cv-00907 (July 21, 2017, S.D.N.Y. 2017).
2 Medidata Solutions Inc. v. Federal Ins. Co., No. 17-2492, 2018 WL 3339245 (July 6, 2018).