09.01.2018 | Articles

Cybersecurity & Data Privacy Insider Vol. 4

The Second Circuit Addresses Coverage Afforded by Computer Fraud Provision of Crime Policy

The United States Court of Appeals, Second Circuit, issued a decision in July 2018 addressing the extent of coverage afforded by a computer fraud provision in a crime policy. See Medidata Solutions, Inc. v. Federal Insurance Company (Medidata II), 729 Fed.Appx. 117 (2d Cir. Jul. 6, 2018) (Summary Order). Medidata II upheld the Judgment of the United States District Court for the Southern District of New York, which ruled that the plain and unambiguous language of the computer fraud provision of the crime policy covered the loss suffered by Medidata Solutions, Inc. (“Medidata”), and rejected Federal Insurance Company’s (“Federal”) position that the coverage was limited to hacking-type intrusions.

Underlying Facts of Medidata

Medidata sought coverage in the underlying action for a $4,770,226.00 loss it suffered after a spoof email attack. Medidata Solutions, Inc. v. Federal Insurance Company (Medidata I), 268 F.Supp.3d 471, 2017 WL 3268529 (2017). A wire transfer was processed on September 16, 2014 by the accounts payable department and approved by both the Vice President and the Director of Revenue after they received authorization emails from a spoofed email address purporting to be Medidata’s president, as well as follow-up calls and emails from an individual holding himself out as an attorney named Michael Meyer. Significant to the Court’s decision, Medidata used Google’s Gmail platform for company emails. The investigation discovered that the spoofed emails contained the President’s name, email address and picture in the “From” field of the email; those elements were automatically generated by the Google platform, which matched incoming emails with Medidata employee profiles. The fraud was discovered after a second wire transfer was requested on September 18, 2014 and the Vice President thought the address in the “Reply To” field appeared suspicious.

Medidata held a $5,000,000.00 Federal Executive Protection Policy, which included the computer fraud provision. Medidata submitted the claim to Federal on September 25, 2014. Federal denied the claim for coverage, concluding that there had been no “fraudulent entry of Data into Medidata’s computer system.” The denial of coverage was based upon Federal’s understanding that the emails containing false information were sent to an inbox open to receive email from the public and, as such, the email was an authorized entry into the inbox. Federal also concluded that there was no “change to data elements” because the fraudulent emails did not cause fraudulent change to the data elements or program logic of Medidata’s computer system. Federal admitted Gmail added the name and picture to the spoofed email, but took the position that the email did not cause the name and picture to appear. Rather, Medidata’s computer system automatically populated the email in the manner typical for the system.

The policy defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” “Computer Violation” included “the fraudulent: (a) entry of Data into…a Computer System” as well as “(b) change to Data elements or program logic of a Computer System, which is kept in machine readable format…directed against an Organization.” Federal argued that the loss was not covered by the computer fraud provision because there was no unauthorized access to Medidata’s computer system, the fraudulent actors did not manipulate Medidata’s computers, and fraudulent information was not input into the computer system to cause the wire transfer. The Medidata I Court analyzed the New York Court of Appeals decision in Universal Am. Corp. v. Nat’l Union Fire Ins. Co. and disagreed with Federal, stating that “the fraud on Medidata falls within the kind of ‘deceitful and dishonest access’ imagined by the New York Court of Appeals.” Universal Am. Corp. v. Nat’l Union Fire Ins. Co. (Universal), 25 N.Y.3d 675, 16 N.Y.S.3d 21, 37 N.E.3d 78 (2015).

New York Precedent Analyzing Computer Fraud

Universal involved a health insurance company that was defrauded by healthcare providers who submitted reimbursement claims for services that were not rendered. The New York Court of Appeals found that there was no coverage under the computer fraud coverage issued to Universal because the loss did not fall within the unambiguous language of the policy, which limited coverage to “losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.” The Universal Court found that the “intentional placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifest[ed] the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

“Computer Violation” Occurred

The Medidata I Court applied principles from Universal and reasoned that, although the Universal opinion referenced hacking as an example of a covered violation, “hacking is one of many methods a thief can use, and ‘is an everyday term for unauthorized access to a computer system.’” Medidata I, citing Dial Corp. v. News Corp., No. 13-CV-6802, 2016 WL 690868, at *3 (S.D.N.Y. Feb. 17, 2016). The Court also rejected Federal’s reliance on Pestmaster I, finding that the Pestmaster Court explained that “Computer Fraud occurs when someone hacks or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds.” The Pestmaster I Court found there was no coverage where the company’s payroll administrator was authorized to withdraw funds from the corporation’s account and the fraud occurred when he later misappropriated those funds. In Medidata I, by contrast, Medidata’s loss was achieved by entry into Medidata’s email system with spoofed emails that were armed with a code intended to mask the thief’s true identity. That same code also changed data from the true email address to the President’s to achieve the end result. The Court held that Medidata proved that its losses fell within the plain and unambiguous language of the computer fraud provision of the crime policy, and summary judgment was entered in favor of Medidata.

The Second Circuit Weighs In

On July 6, 2018, Medidata II was issued affirming summary judgment in favor of Medidata and awarding $5,841,787.37 in damages and interest. The Medidata II Court found that a fraudulent entry of data occurred because the spoofing code was introduced into the email system, which code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. The Court also found that a change to a data element took place because the email system’s appearance was altered by the code to misleadingly indicate the sender. The Medidata II Court also analyzed Universal and found that it supported a decision in favor of Medidata because, unlike the incidental use of computers through the general processing of reimbursement claims in Universal, Medidata suffered loss when its email system was compromised, and the spoofing attack clearly amounted to a “violation of the integrity of the computer system through deceitful and dishonest access” a la Universal.

Conclusion

Review of the unique facts considered by the Second Circuit leads one to the conclusion that the Second Circuit falls into a category of jurisdictions along with the Sixth Circuit, which issued American Tooling II, holding that coverage under a computer fraud provision is not limited to cases involving hacking incidents. However, parties with actions pending under New York law can rely upon Universal and Medidata I and II, and their analysis of Pestmaster II, for the proposition that, although hacking may not be required, merely incidental involvement of a computer at some point in the transaction is insufficient to support a finding of coverage under a computer fraud provision.

[1] “[t]he thief constructed messages in Internet Message Format (“IMF”) which the parties compare to a physical letter containing a return address. Id. ¶ 2. The IMF message was transmitted to Gmail in an electronic envelope called a Simple Mail Transfer Protocol (“SMTP”). Id. ¶ 1. Much like a physical envelope, the SMTP Envelope contained a recipient and a return address. Id. To mask the true origin of the spoofed emails, the thief embedded a computer code. Id. ¶ 10. The computer code caused the SMTP Envelope and the IMF Letter to display different email addresses in the “From” field. Id. The spoofed emails showed the thief’s true email address in the SMTP “From” field, and Medidata’s president’s email address in the IMF “From” field. Id. ¶¶ 20–21. When Gmail received the spoof emails, the system compared the address in the IMF “From” field with a list of contacts and populated Medidata’s president’s name and picture. Id. ¶ 15. The recipients of the Gmail messages only saw the information in the IMF “From” field. Id. ¶ 11.”
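The envelope/letter split described in note [1], checked from the receiving side, as an added example that is not part of the original article or the court record: it flags mail whose SMTP envelope sender disagrees with the IMF “From” and “Reply-To” fields the recipient sees. It assumes the receiving server recorded the envelope sender in the Return-Path header; the function name, finding labels, addresses and domains are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message, internal_domains):
    """Compare the SMTP envelope sender with the IMF fields a reader sees."""
    msg = message_from_string(raw_message)
    envelope = _domain(msg["Return-Path"])  # SMTP envelope sender (assumed recorded here)
    shown = _domain(msg["From"])            # IMF "From" field displayed to the recipient
    reply_to = _domain(msg["Reply-To"])     # where a reply would actually be sent
    findings = []
    if envelope and shown and envelope != shown:
        findings.append("envelope-from-mismatch")
    # The displayed sender is one of our own people, but the envelope is external:
    # the case in which a mail client fills in an internal contact's name and picture.
    if envelope and shown in internal_domains and envelope not in internal_domains:
        findings.append("internal-from-external-envelope")
    if reply_to and reply_to != shown:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (reserved example domains, not from the case record).
SPOOFED = (
    "Return-Path: <sender@mail.example.net>\n"
    'From: "Pat President" <president@corp.example>\n'
    "Reply-To: <pat.president@mail.example.net>\n"
    "To: ap@corp.example\n"
    "Subject: Wire approval\n\n"
    "Please process today.\n"
)
LEGIT = (
    "Return-Path: <president@corp.example>\n"
    'From: "Pat President" <president@corp.example>\n'
    "To: ap@corp.example\n"
    "Subject: Budget review\n\n"
    "See attached.\n"
)

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED, {"corp.example"}))
    print(spoof_indicators(LEGIT, {"corp.example"}))
```

Legitimate mailing-list and bulk mail also shows an envelope mismatch, so these findings are signals for review or for a warning banner rather than proof of fraud.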

 
