Client Alert: Second Circuit's Decision Involving Medidata Solutions, Inc. is a Big Win For Social Engineering Victims

On July 6, 2018, the Second Circuit Court of Appeals issued a decision in Medidata Solutions, Inc. v. Federal Insurance Company, -- Fed. Appx. --- (C.A. 2 2018) affirming the lower court’s decision (2017 WL 3268529) finding coverage under Medidata’s computer crime policy for losses suffered in a social engineering scheme perpetrated against Medidata. The decision is a significant win for policyholders seeking recovery under their insurance policies for the ever-increasing number of business email compromise scams perpetrated against their employees.

In Medidata, criminals utilized a series of spoofed emails and other communications to cause Medidata’s employee to wire over $4 million to an overseas bank account believing that she was wiring the money pursuant to instructions from the company’s management.  Medidata sought coverage under the computer fraud coverage provision in its insurance policy, which provided coverage for the “unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.”  The dispute in Medidata centered primarily upon whether the email scheme perpetrated against Medidata was a “Computer Violation” because the email scheme was not a traditional “hacking” event Federal contended was contemplated by the policy’s language.  The Second Circuit found a sufficient nexus between the use of a computer to perpetrate the scheme and the policyholder’s loss, noting that Medidata’s “email system appearance was altered by the spoofing code to misleadingly indicate the sender.”

The Second Circuit also found that Medidata suffered a “direct loss,” rejecting Federal’s argument that Medidata’s employees’ voluntary act of wiring the money to the criminals is an indirect loss, as opposed to the traditional hacking where the criminals hack directly into the victim’s computer and steal funds.  The court held that while “the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata.”  In so holding, the Second Circuit expressly adopted a proximate cause standard for recovery, rather than the direct-means-direct approach advocated by Federal and other insurers in similar cases.  It will be interesting to follow the Medidata decision’s effects on other cases currently pending within similar fact patterns, including the upcoming Sixth Circuit Court of Appeals review of American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of Am., 2017 WL 3263356 (E.D. Mich. Aug, 1, 2017), in which the lower court held that intervening acts, such as the verification of production milestones, authorization of the transfers, and initiation of the transfers without verifying bank account information, “preclude[d] a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”