Home Search Services People Contact

What can we help you find? Enter your search above.

Sugarman, Rogers, Barshak & Cohen, P.C. Logo Sugarman, Rogers, Barshak & Cohen, P.C. Logo

What can we help you find? Enter your search above.

I understand
Sugarman Rogers Icon

July 31, 2017

Legal Update
John G. O'Neill, Jessica H. Park

Court finds coverage under crime policy for email fraud loss

Close Video
Related Video

Video Title

Video Content

Featured Flourish

In a recent decision, a federal court in New York found that a nearly $4.8 million loss sustained by a life sciences technology company, Medidata, Inc., from an email spoofing scam was covered under an Executive Protection policy issued by Federal Insurance Company.

The case, Medidata Solutions Inc. v. Federal Insurance Co. (S.D.N.Y. July 21, 2017), arose out of a fraud that took place in 2014, when a Medidata employee received emails, ostensibly from the company’s president, instructing her to initiate a wire transfer. The emails, along with a telephone call from a man posing as an attorney for the company, led both the employee and two company executives to sign off on the transfer, resulting in $4,770,226 being wired to a bank account number the thief had provided.  Medidata soon realized it had been defrauded, and that the thief had altered codes in the emails to make them appear to have been sent by the company’s president.

Medidata sought coverage under the crime coverage section of its policy, including a “Computer Fraud Coverage” clause that covered losses resulting from fraudulent “entry of Data into . . . a Computer System” or fraudulent “change to Data elements or program logic of a Computer System[.]”  But Federal denied coverage for the claim, arguing, among other things, that the quoted language required some sort of hacking or manipulation of Medidata’s computer system–not just the transmission of deceptive e-mails to an employee’s inbox.

The court disagreed and granted summary judgment for Medidata, finding that Federal’s reading of the policy was too narrow. Distinguishing other decisions interpreting similar language, the court found that the “Computer Fraud Coverage” was not necessarily restricted to hacking, but could encompass other “deceitful and dishonest access” to a computer system as well. The email spoofing, in which the thief embedded codes that made it appear that his email had been sent by the company president, qualified as such deceitful and dishonest access, and the “Computer Fraud Coverage” clause unambiguously applied.

The Medidata decision provides a new data point in the developing area of cyber coverage and lends insight into the complexities of construing computer fraud and related coverages in the face of constantly evolving, and increasingly sophisticated, cyber fraud schemes.