Less than a year ago, I blogged about an important court decision in favor of policyholders in the burgeoning area of cyber insurance coverage. In Medidata Solutions, Inc. v. Federal Insurance Company, a New York federal judge granted summary judgment to the plaintiff, awarding it insurance coverage for its multi-million-dollar loss involving an email spoof. The fraudsters had accessed Medidata’s computer system, posed as an executive in emails, and directed employee executives to wire transfer more than $5 million to the fraudsters’ account.
The insurance company appealed. The United States Court of Appeals for the Second Circuit agreed with the trial court judge and ruled that the email spoof was covered by the terms of the computer fraud provision contained in the insurance policy. See Medidata Solutions Inc. v. Federal Insurance Company.
In this case, the email spoof caused Medidata executives to transfer more than $5 million in funds that they would never have transferred but for the spoof. The insurance company argued that the direct loss here was caused by authorized Medidata executives transferring the funds, not the email spoof itself. Although true, the Court stated:
“The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attacks and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata.”
Consequently, the Court rejected the insurance company’s argument that Medidata did not sustain a direct loss as a result of the spoofing attack within the meaning of the policy. New York courts have determined that the term “direct loss” refers to a legal concept called proximate cause. Proximate cause in this context is where a chain of events is created by an act that ultimately results in a loss.
Focusing only on the computer fraud provision contained in the insurance policy, the Court described the conduct of the perpetrators as a computer-based attack on Medidata’s computer system. The court also stated that, “[T]he attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.“
This decision greatly expands the coverage available to policyholders who have purchased cyber insurance coverage and are victimized by the rampant scammers who are roaming in cyberspace.
Evan S. Schwartz
Founder of Schwartz, Conroy & Hack