Court Finds Spoofing Attack is Hacking Covered Under Cyber Coverage (NY)

The Second Circuit recently declined to reconsider its July summary order that required an insurer to pay its insured, a cloud-based services firm, more than $4.8 million that the firm lost as a result of “spoof” emails. The case, Medidata Solutions Inc. v. Federal Insurance Company, provides insight into the burgeoning world of cyber insurance coverage, and how courts may handle the various policy provisions invoked by insureds seeking coverage.

In June 2014, an employee at Medidata Solutions received an email purporting to be from the company’s president instructing her to wire money to an outside bank account, which the firm eventually did. Medidata sought coverage under its commercial crime policy. The policy covered losses stemming from “entry of Data into” or “change to Data elements or program logic of” a computer system. When the insurer denied coverage, Medidata sued. The insurer argued that the spoofing attack was not covered because the policy applied to hacking-type intrusions. Medidata argued that the fraudsters entered data when they changed the “From” entry in “spoof” emails to make it seem like they were actual Medidata executives.

In unanimously affirming the district court, the Second Circuit held that “[w]hile Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system.”  Moreover, because the spoofing code enabled the fraudsters to send messages which seemingly came from high-ranking members of the firm, the court held that “the attack represented a fraudulent entry of data into the computer system.”  Therefore, the court held the insurer was on the hook for the $4.8 million.

In declining to rehear this case, the Second Circuit let stand a major decision for policyholders. In an era when claims for cyber attacks are at an all-time high, policyholders will welcome holdings in which courts find coverage for cyber attacks in non-cyber specific policies. The holding could also put the Second Circuit at odds with a similar case currently pending before the Sixth Circuit, American Tooling Center Inc. v. Travelers Casualty & Surety Co. of America, No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017). There, the district court found no coverage under a crime policy where the Michigan firm wired $800,000 in funds to a fraudster’s account, finding that the loss was not a “direct loss” caused by the “use of a computer.” Insureds and insurers alike are keeping tabs on these and other decisions invoking cyber coverage in light of the magnitude of cyber cases in recent years.

Thanks to Douglas Giombarrese for his contribution to this post.