Medidata Solutions, Inc. provides cloud-based services to scientists conducting research in clinical trials and uses Google’s Gmail as the platform for the company’s email. While the emails are routed through Google’s servers, which also process and store the messages, Medidata’s addresses use the domain “mdsol.com” instead of “gmail.com.” Google’s servers associate each email address, which consists of a Medidata employee’s first initial and surname, with the individual’s full name.
In the summer of 2014, Medidata notified its finance department, including Alicia Evans, of the company’s short-term business plans, including a possible acquisition. On September 16, 2014, Evans received an email purportedly sent from Medidata’s president stating that Medidata was close to finalizing an acquisition and that an attorney named Michael Meyers would contact Evans. The email contained the president’s name, email address, and picture in the “From” field. That same day, Evans received a phone call from Meyers demanding a wire transfer. Evans explained that in order to make the wire transfer, she needed an email from Medidata’s president, as well as approval from Medidata’s vice president (Ho Chin) and director of revenue (Josh Schwartz). An email purportedly from Medidata’s president was subsequently sent to Chin, Schwartz, and Evans approving the transaction. Evans performed the wire transfer via Chase Bank’s system by entering the information provided by Meyers. Chin and Schwartz then logged into Chase Bank’s system to approve the transfer. On September 18, 2014, Meyers contacted Evans for a second transfer. Evans again entered the transfer into Chase Bank’s system, and Schwartz approved it. Chin, however, became suspicious and sent an independent email to Medidata’s president regarding the wire transfers. The president stated that he had not approved them. At that point, Medidata realized it had been defrauded. Investigations by the FBI and outside counsel revealed that an unknown actor had altered the emails to appear to be sent from Medidata’s president.
The theft occurred by email “spoofing,” which is defined as “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an email other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.” Karvaly v. eBay, Inc., 245 F.R.D. 71, 91, n.34 (E.D.N.Y. 2007).
In Medidata, the thief constructed messages in Internet Message Format (“IMF”), which is akin to a letter. Each IMF message was transmitted to Gmail inside an electronic envelope, the Simple Mail Transfer Protocol (“SMTP”) envelope, which, like a physical envelope, carries a recipient address and a return address. The thief’s code caused the SMTP envelope to carry the thief’s true email address as the sender, while placing Medidata’s president’s email address in the “From” field of the IMF letter. The effect of this manipulation was that when Gmail received the email from the thief, the Gmail system compared the address in the IMF letter’s “From” field with Medidata’s contacts and populated Medidata’s president’s name and picture within Medidata’s email system. The recipients saw only the information in the IMF letter’s “From” field, so the email appeared to come from Medidata’s president.
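The envelope-versus-letter distinction the court describes can be checked mechanically, because a receiving mail server records the SMTP envelope sender in the Return-Path header while the IMF “From” header is what the recipient sees. The following Python is an added example, not part of the case record or any party’s software; it parses two constructed messages (names, addresses and the attacker domain are placeholders) and flags the pattern in which the header “From” claims the company domain while the envelope sender does not.

```python
"""Flag envelope/header sender mismatch (added example; constructed data)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed samples. The receiving MTA records the SMTP envelope sender
# (MAIL FROM) in Return-Path; the IMF (RFC 5322) From header is what the
# recipient sees. Names and domains are placeholders, not real addresses.
SPOOFED = b"""Return-Path: <attacker@example.net>
From: Company President <president@mdsol.com>
To: Alicia Evans <aevans@mdsol.com>
Subject: Acquisition - confidential

Please expect a call from our attorney.
"""

LEGIT = b"""Return-Path: <president@mdsol.com>
From: Company President <president@mdsol.com>
To: Alicia Evans <aevans@mdsol.com>
Subject: Quarterly numbers

Attached.
"""

def domain_of(addr: str) -> str:
    """Lowercase domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender_alignment(raw: bytes, internal_domain: str) -> dict:
    """Compare the envelope sender (Return-Path) with the header From.

    'suspicious' is the Medidata pattern: the header From claims the
    internal domain while the envelope sender comes from somewhere else.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    display_name, header_from = parseaddr(msg.get("From", ""))
    env_dom, hdr_dom = domain_of(envelope), domain_of(header_from)
    aligned = env_dom == hdr_dom
    return {
        "display_name": display_name,
        "header_from": header_from,
        "envelope_from": envelope,
        "aligned": aligned,
        "suspicious": hdr_dom == internal_domain.lower() and not aligned,
    }

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_sender_alignment(raw, "mdsol.com"))
```

A mail gateway that enforces SPF, DKIM and DMARC alignment performs this same domain comparison (and more) automatically; the function above only isolates the one check the court’s description turns on.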
Medidata sought coverage for the money lost in the transfers under a $5,000,000 insurance policy with Federal Insurance Company. Specifically, Medidata claimed that its loss was covered by the policy’s “Computer Fraud Coverage,”[1] “Funds Transfer Fraud Coverage,”[2] and “Forgery Coverage.”[3] On December 24, 2014, Federal denied Medidata’s claim under all three coverages:
- Federal denied the claim under the Computer Fraud Coverage because the emails were sent to an inbox open to receive emails, such that the email’s entry was “authorized,” and the emails did not cause any fraudulent change to data elements or program logic of Medidata’s computer system.
- Federal denied the claim under the Funds Transfer Coverage because the wire transfer had been authorized by Medidata employees, such that it was with the company’s knowledge and consent.
- Federal denied the claim under the Forgery Coverage because the emails did not meet the policy’s definition of a “Financial Instrument” and did not directly cause the loss.
Medidata commenced an action against Federal in the District Court for the Southern District of New York. The parties filed cross-motions for summary judgment and the court ordered additional expert discovery. In its decision, the district court addressed whether Medidata’s claim was covered under the Computer Fraud, Funds Transfer Fraud, and Forgery Coverages.
First, the court held that the theft from Medidata was covered by the Computer Fraud Coverage. The court based this conclusion on the fact that “the fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity.” Id. at 478. The court considered this entry to satisfy the policy definition of a “computer violation.” The next question was whether there was sufficient causation between the computer violation and the policy’s definition of “computer fraud.” The court held that “[t]he chain of events began with an accounts payable employee receiving a spoofed email from a person posing as Medidata’s president” and that the “Medidata employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president.” Id. at 479. The court, therefore, found that the computer violation caused the transfers out of Medidata’s bank account, i.e., “computer fraud” under the policy.
Second, the court held that Medidata’s claim was covered under the Funds Transfer Fraud Coverage. Federal argued that there was no coverage because the wire transfer was voluntary and with Medidata’s knowledge and consent. The court disagreed, holding that the fact that the accounts payable employee physically pressed the “send” button on the bank transfer did not make the transaction valid or voluntary. The court concluded that but for the third party’s manipulation of the emails, the accounts payable employee would not have initiated the wire transfer. The validity of the wire transfer depended on high level employees’ knowledge and consent, which was obtained by deceit.
Third, the court concluded that the Forgery Coverage was not triggered because, regardless of whether the spoofed emails constituted a forgery, they did not constitute a “Financial Instrument.” The policy required a “direct loss resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.”
Federal subsequently appealed the judgment granting summary judgment to Medidata.
In affirming the district court, the Second Circuit added a further layer of analysis as to why the claim was covered under the Computer Fraud Coverage.[4] Specifically, the fraud implicated the computer system because Medidata’s email system was compromised; the spoofing was a “violation of the integrity of the computer system through deceitful and dishonest access” because the fraudster altered the appearance of the emails to make them appear to have been sent by the company’s president. In addressing whether Medidata sustained a “direct loss” from the attack so as to trigger the Computer Fraud Coverage, the Second Circuit held that the spoofing was the proximate cause of Medidata’s loss: while Medidata employees had to act to effectuate the transfer, those actions were insufficient to sever the causal relationship between the spoofing and the loss.
Medidata is instructive as an example of how courts may read policy language that an insurer intended to apply only to direct hacking intrusions and extend it to non-hacking incidents that are nonetheless computer-based attacks designed to manipulate computer systems.
[1] The “Computer Fraud Coverage” protected the “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” Medidata and its subsidiaries were covered as the “Organization.” A “Third Party” was defined as “a natural person other than: (a) an Employee; or (b) a natural person acting in collusion with an Employee.” “Computer Fraud” was defined as “[T]he unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” A “Computer Violation” included both “the fraudulent: (a) entry of Data into . . . a Computer System, [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format . . . directed against an Organization.” “Data” included any “representation of information” and “Computer System” was “a computer and all input, output, processing, storage, off-line media library and communication facilities which are connected to such computer, provided that such computer and facilities are (a) owned and operated by an Organization; (b) leased and operated by an Organization; or (c) utilized by an Organization.”
[2] The policy’s “Funds Transfer Fraud Coverage” covered “direct loss of Money or Securities sustained by an Organization resulting from Funds Transfer Fraud committed by a Third Party.” “Funds Transfer Fraud” was defined as “fraudulent electronic . . . instructions . . . purportedly issued by an Organization, and issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by such Organization at such institution, without such Organization’s knowledge or consent.”
[3] The policy’s “Forgery Coverage” protected “direct loss sustained by an Organization resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.” “Forgery” was defined as “the signing of the name of another natural person . . . with the intent to deceive . . . Mechanically or electronically produced or reproduced signatures shall be treated the same as handwritten signatures.”
[4] The Second Circuit declined to consider the other two coverages because it found coverage under the Computer Fraud Coverage.