Coverage for Cyber Attack
Tred Eyerly
Honolulu-based litigator focusing on assisting clients in reaching favorable results in insurance coverage matters
The federal district court determined there was coverage for losses sustained by the insured due to a cyber attack. Medidata Solutions, Inc. v. Federal Ins. Co., 2017 U.S. Dist. LEXIS 122210 (S.D. N.Y. July 21, 2017).
Medidata provided cloud-based services to scientists conducting research in clinical trials. Medidata email addresses consisted of an employee's first initial and last name followed by the domain name "mdsol.com." Email messages sent to Medidata employees were routed through Google computer servers. Google systems processed and stored the email messages. During processing, Google compared an incoming email address with Medidata employee profiles in order to find a match. If a match was found, Gmail displayed the sender's full name, email address, and picture in the "From" field of the message. After processing, the emails were displayed in the Medidata employee's email account.
In 2014, Medidata notified its finance department of the company's short-term business plans, which included a possible acquisition. Medidata instructed the finance personnel to assist with the anticipated significant transactions on an urgent basis. Alicia Evans was responsible for processing all of Medidata's travel and entertainment expenses. On September 16, 2014, Evans received an email purportedly sent from Medidata's president stating that Medidata was close to finalizing an acquisition, and that an attorney named Michael Meyer would contact Evans.
On that same day, Evans received a phone call from Meyer, who demanded that Evans process a wire transfer for him. Evans explained that she needed an email from Medidata's president requesting the wire transfer. Evans then received an email purportedly from Medidata's president approving the wire transfer. The email contained the president's email address in the "From" field and a picture next to his name. Evans then processed a wire transfer of $4,770,226.00 to a bank account provided by Meyer.
When Meyer requested a second wire transfer two days later, Evans sought approval from the president. Medidata's president said he had not requested the wire transfer. Medidata then realized it had been defrauded. An investigation revealed that an unknown actor altered the emails that were sent to Evans to appear as though they were sent by the Medidata president.
Medidata had a $5,000,000 insurance policy with Federal called "Federal Executive Protection." The policy contained a "Crime Coverage Section" addressing loss caused by various criminal acts, including Forgery Coverage Insuring, Computer Fraud Coverage, and Funds Transfer Fraud Coverage. Federal denied Medidata's claim for the loss. Medidata sued and the parties filed cross-motions for summary judgment.
The court found, as a matter of law, that the unambiguous language of the Computer Fraud clause provided coverage for the theft from Medidata. Under the policy, a computer violation occurred upon the "fraudulent (a) entry of Data into or detection of Data from a Computer System or (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format."
The fraud had occurred by way of email spoofing. The thief constructed messages in Internet Message Format (IMF), which is like a physical letter containing a return address. The IMF message was transmitted to Gmail in an electronic envelope defined by the Simple Mail Transfer Protocol (SMTP). Much like a physical envelope, the SMTP Envelope contained a recipient and a return address. To mask the true origin of the spoofed emails, the thief embedded a computer code. The code caused the SMTP Envelope and the IMF Letter to display different email addresses in the "From" field. The spoofed emails showed the thief's true email address in the SMTP "From" field, and Medidata's president's email address in the IMF "From" field. When Gmail received the spoofed emails, the system compared the address in the IMF "From" field with a list of contacts and populated Medidata's president's name and picture. The recipients of the Gmail messages only saw the information in the IMF "From" field. Medidata demonstrated that a thief fraudulently entered and changed data in its computer system. The losses were directly caused by a computer violation.
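The envelope/letter mismatch described above is something a receiving mail system can check for. The following is an added example, not part of the opinion or the original post: it compares the SMTP envelope sender (as the receiving server records it in the `Return-Path` header) with the IMF "From" header and flags mail that claims an internal sender but arrived with an outside envelope address. The domains `corp.example` and `mailer.example`, the names, and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain (constructed placeholder).
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample: envelope sender and displayed sender disagree.
SPOOFED = """\
Return-Path: <sender@mailer.example>
From: "Pat President" <ppresident@corp.example>
To: finance@corp.example
Subject: Wire approval

Please process the transfer today.
"""

# Constructed sample: envelope sender and displayed sender agree.
LEGIT = """\
Return-Path: <ppresident@corp.example>
From: "Pat President" <ppresident@corp.example>
To: finance@corp.example
Subject: Quarterly numbers

See attached.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_from_alignment(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Compare the envelope sender domain with the displayed From domain."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))  # SMTP envelope "From"
    header = domain_of(msg.get("From"))           # IMF "From" the user sees
    aligned = bool(envelope) and envelope == header
    return {
        "envelope_domain": envelope,
        "header_domain": header,
        "aligned": aligned,
        # Strongest signal: displayed sender is internal, envelope is not.
        "internal_impersonation": header in internal_domains and not aligned,
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_from_alignment(raw))
```

A mismatch alone is common in legitimate mail (mailing lists, third-party senders), which is why the example treats only an internal displayed sender with a non-matching envelope as the high-confidence case; the exact-match domain comparison is a simplification.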
There was also coverage under the policy's Funds Transfer Fraud provision, which was defined as "fraudulent electronic . . . instructions . . . purportedly issued by an Organization, and issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by such Organization without such Organization's knowledge or consent." The fact that the accounts payable employee willingly pressed the send button on the bank transfer did not transform the bank wire into a valid transaction. Instead, the validity of the wire transfer depended upon several high-level employees' knowledge and consent, which was only obtained by trick.
Finally, the theft did not trigger coverage under the Forgery clause because the policy required a "direct loss resulting from Forgery or alteration of a Financial instrument committed by a Third Party." Even if the emails contained a forgery, the absence of a financial instrument proved fatal to Medidata's claim for coverage under this provision.
Nevertheless, Medidata's motion for summary judgment was granted while Federal's motion for summary judgment was denied.