268 F. Supp. 3d 471 (S.D.N.Y. 2017)

Background
- Medidata, a cloud-based clinical-trials company, used Gmail for corporate email; Gmail displayed senders' names/pictures by matching incoming IMF "From" addresses to Medidata contacts.
- In Sept. 2014, Medidata employees received spoofed emails (and follow-up phone calls) appearing to come from the company president; employees authorized two wire transfers totaling about $4.77 million to accounts provided by the fraudster.
- The spoofing involved manipulation of SMTP/IMF fields and embedded code so the IMF "From" field displayed the president's address while the SMTP envelope showed the attacker’s address; Gmail populated the president's name/picture from contact matching.
- Medidata submitted a claim under its Federal Executive Protection policy asserting coverage under Computer Fraud, Funds Transfer Fraud, and Forgery provisions; Federal denied coverage, contending there was no unauthorized entry/change to Medidata's computer system and that the wires were authorized by employees.
- Medidata sued; cross-motions for summary judgment were filed. After discovery and expert submissions, the court considered whether the policy language unambiguously covered Medidata's loss.
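The spoofing technique described above leaves a detectable trace: the RFC 5322 "From" header the mail client displays and the SMTP envelope sender the receiving server records (typically written into Return-Path) name different domains. The following check is an added example, not code from the case record or from Medidata; the messages, addresses and domains are constructed for illustration.

```python
import email
import email.policy
from email.utils import parseaddr

# Constructed sample: the displayed "From" carries the president's address,
# but the envelope sender recorded in Return-Path belongs to another domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
From: "Company President" <president@medidata-example.com>
To: finance@medidata-example.com
Subject: Urgent wire transfer

Please process the wire today.
"""

# Constructed sample of a message whose header and envelope senders agree.
LEGIT_MESSAGE = """\
Return-Path: <president@medidata-example.com>
From: "Company President" <president@medidata-example.com>
To: finance@medidata-example.com
Subject: Q3 numbers

Draft attached.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of a bare address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def aligned(header_domain: str, envelope_domain: str) -> bool:
    """Relaxed alignment: same domain, or envelope is a subdomain of the header domain."""
    if not header_domain or not envelope_domain:
        return False
    return envelope_domain == header_domain or envelope_domain.endswith("." + header_domain)


def check_sender_alignment(raw_message: str) -> dict:
    """Compare the displayed From header against the envelope sender (Return-Path)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "envelope_address": envelope_addr,
        "aligned": aligned(domain_of(from_addr), domain_of(envelope_addr)),
    }
```

Return-Path is only trustworthy when your own receiving MTA wrote it; in production this same alignment idea is what SPF, DKIM and DMARC enforce, and a DMARC reject policy on the insured's domain would have blocked a message with this header/envelope mismatch.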
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether Computer Fraud coverage applies | Spoofed emails and embedded code effected a fraudulent entry/change of data in Medidata's computer system (the IMF "From" field populated the president's identity) | No entry/change to Medidata's system; the attacker sent messages from outside and Gmail/Medidata systems "normally" populated the display; Universal limits coverage to unauthorized access/hacking of the insured's system | Court held Computer Fraud covers the loss: spoofing with manipulated IMF/SMTP fields and code constituted a Computer Violation that directly caused the loss |
| Whether Funds Transfer Fraud coverage applies | Transfers were made pursuant to fraudulent electronic instructions purportedly issued by Medidata, without Medidata's true knowledge/consent | Transfers were voluntarily executed by employees and thus were authorized by Medidata, so not "without knowledge or consent" | Court held Funds Transfer Fraud applies: third party disguised as an authorized representative induced employees to initiate transfers, so transfers were fraudulent instructions lacking true knowledge/consent |
| Whether Forgery coverage applies | Emails that displayed the president's name constituted a forgery or alteration triggering coverage | Emails lack a signature and the policy requires a forged "Financial Instrument"; coverage does not extend absent a financial instrument | Court held Forgery does not apply: even if emails were forged, no "Financial Instrument" was altered or forged as required by the policy |
| Causation — whether computer use directly caused loss | Computer manipulation directly caused employees to rely on spoofed emails, so loss flowed directly from computer violation | Multiple non-computer acts (phone calls, employee approvals) break the direct nexus; computer use was only one step in a multi-step fraud | Court found the spoofed emails were the direct cause of the transfers and thus satisfied the policy's direct-loss requirement |
Key Cases Cited
- Celotex Corp. v. Catrett, 477 U.S. 317 (summary judgment standard)
- Gallo v. Prudential Residential Servs., Ltd. P'ship, 22 F.3d 1219 (2d Cir.) (when a nonmoving party's evidence is so slight no reasonable jury could find for it)
- Olin Corp. v. Am. Home Assur. Co., 704 F.3d 89 (2d Cir.) (insurance-contract interpretation principles)
- Universal Am. Corp. v. Nat'l Union Fire Ins. Co., 26 N.Y.3d 675 (N.Y.) (construing computer-fraud language to cover unauthorized access to insured's computer system)
- Bank of New York v. First Millennium, Inc., 598 F. Supp. 2d 550 (S.D.N.Y.) (contract interpretation and enforcement of clear insurance terms)
