Developments in Computer Fraud Coverage. Over the course of one week in July 2018, the Second and Sixth Circuits issued rulings on the scope of insurance coverage for “spoofing” attacks, in which hackers target companies with fraudulent emails disguised to appear as if they originate from different (usually legitimate) addresses. Such attacks can be a major source of loss for companies and insurers; the FBI has estimated that schemes involving fraudulent electronic communications caused $675 million in adjusted losses in 2017 alone. While the Second and Sixth Circuits both found that spoofing attacks were covered as a form of “computer fraud,” the differences in the Courts’ analysis provide important insight for both policyholders and insurers.
The Second Circuit case was brought by Medidata, a provider of cloud-based computer services to research scientists. Medidata Solutions, Inc. v. Federal Insurance Co., 729 Fed. App’x 117 (2d Cir. 2018). On September 16, 2014, a Medidata employee in the accounts payable department received an email which appeared to be from Medidata’s president and which instructed her that she would shortly be contacted by counsel for a potential acquisition partner to facilitate a wire transfer. Medidata Solutions, Inc. v. Federal Insurance Co., 268 F. Supp. 3d 471, 473 (S.D.N.Y. 2017). The employee then received a phone call, purportedly from the acquiree’s counsel, who requested that the employee prepare and process a wire transfer. The employee explained that she could not do so without an explicit written request from Medidata’s president and approval from two other executives at the company. Shortly after the phone call, the employee and those two executives received an email, which again appeared to be from Medidata’s president, confirming the request. Id. The employee then wired approximately $4.7 million to a bank account for which the supposed-acquiree’s counsel had provided information. When the fraud was discovered, investigation revealed that an unknown actor in China had deployed code which caused Medidata’s email systems (provided by Google) to display the email address of Medidata’s president, rather than the hacker’s email address, as the source of emails. Id. at 476.
Medidata sought coverage from its insurer Federal Insurance Co. under a New York policy which covered losses caused by “Computer Violations,” defined as “the fraudulent: (a) entry of Data into . . . a Computer System” or “(b) change to Data elements or program logic of a Computer System.” Federal denied the claim on two grounds. First, Federal argued that in Universal America Corp. v. National Union Fire Insurance Co., 25 N.Y.3d 675 (2015), the New York Court of Appeals had limited coverage under a similar provision to instances where a insured’s computer system was directly accessed. Federal claimed spoofing emails did not qualify, because the emails did not constitute the “fraudulent entry of Data” into Medidata’s systems and did not directly “cause any fraudulent change to data elements or program logic of Medidata’s computer system.” Id. at 475. Second, Federal argued that there was no “direct nexus” between the emails and Medidata’s losses because Medidata employees also received phone calls and took independent steps to authorize the wire transfer. Id. at 477-78.
The district court granted Medidata’s motion for summary judgment, which was affirmed by the Second Circuit in a Summary Order. 729 Fed. App’x 117 (2018). The Court found that there was “a fraudulent entry of data into the computer system” and “a change to a data element” when the hacker used computer code to mask the spoofed email’s true origins. Id. at 118. The Court further found that Medidata’s loss were directly caused by the computer fraud, because “[t]he chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt.” Id. at 119. As such, the Court held that the policy provided coverage for Medidata’s losses.
A week after the Second Circuit’s opinion was released, the Sixth Circuit issued an opinion in a factually similar case, American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, 895 F.3d 455 (2018). Plaintiff ATC, a tool and die manufacturer in Michigan, was targeted by hackers who posed as an outsourcing vendor used by ATC. ATC regularly corresponded with its vendors by email, including regarding invoices and payment details. In the spring of 2015, hackers intercepted the emails of one of ATC’s vendors and, posing as employees of the vendor, informed ATC’s Vice President and Treasurer that the vendor’s bank account details had changed. Id. at 458. ATC wired three payments, totaling approximately $834,000, to the fraudulent account before the scheme was discovered when the vendor demanded payment on the overdue invoices. Id. at 457-58.
ATC made a claim under the “Computer Fraud” provision of an insurance policy from Travelers Insurance Co. Id. at 459. Travelers denied coverage, arguing that, inter alia, its policy’s definition of “Computer Fraud” “require[d] a computer to ‘fraudulently cause the transfer.’” Id. Here, ATC employees had knowingly transferred funds, albeit directed by the fraudulent email. Id. at 461. The district court granted summary judgment in favor of Travelers.
The Sixth Circuit reversed, holding that “Travelers’ attempt to limit the definition of ‘Computer Fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded.” Id. at 462. Applying the same logic as the Second Circuit, the Sixth Circuit found that the actions of the ATC employees in transferring funds were “all induced by the fraudulent email,” and therefore were directly caused by computer fraud within the meaning of the policy.
However, in construing Travelers’ policy the Sixth Circuit noted that “[i]f Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so.” Id. As an example of a policy that was appropriately limited, the Sixth Circuit cited to the policy interpreted in Universal, the New York Court of Appeals decision. However, the Court did not address the Second Circuit’s analysis, which had just concluded that “Universal in fact support[ed] Medidata’s claim” for coverage of its spoofing attack, because the attack “entail[ed] a ‘violation of the integrity of the computer system through deceitful and dishonest access.’” 729 Fed. App’x at 119 (quoting 25 N.Y.3d at 681). Therefore, while the Second and Sixth Circuits reached similar conclusions as to coverage under their respective policies, they appear to disagree about the appropriate application of Universal to spoofing attacks.
The differing approaches of the Second and Sixth Circuits to the holding in Universal demonstrate that, although the Circuits have reached similar conclusions, differences remain in their analysis of computer fraud provisions in insurance policies. Both insurers seeking to clarify the scope of coverage in future policies, and insureds who wish to understand their policies, should remain mindful of those differences when approaching coverage issues.