Email Hack Leading to Wire Transfer Covered

Cause Was Unauthorized Entry Into System by Outsiders, Not the Fact That Employees Physically Transferred the Funds

The United States District Court for the Southern District of New York, applying New York law, held that Federal Insurance Company’s (“Federal”) insurance policy provided coverage for email fraud that resulted in Medidata Solutions, Inc. (“Medidata”) wiring $4,722,226 to a hacker.  According to the court, even though Medidata’s own employees ultimately transferred the money, the direct cause of the theft was unauthorized entry into Medidata’s email system.  Thus, the claim was covered under the policy’s computer fraud and funds transfer fraud coverage.

Federal issued a $5,000,000 Federal Executive Protection policy to Medidata.  The policy contained a “Crime Coverage Section” which included forgery coverage, computer fraud coverage, and funds transfer fraud coverage.  Medidata tendered a claim for fraud to Federal after it learned that it was defrauded out of millions of dollars through an elaborate email scam.  The hacker sent an email that appeared to be sent from the president of Medidata which instructed an accounts receivable employee to assist with the finalizing of an acquisition.  The hacker then requested a wire transfer for almost $4.8 million.  Shortly thereafter, the employee received another email supposedly from Medidata’s president, copying both Medidata’s vice president and director of revenue, requesting the wire.  The wire was initiated and approved by the appropriate employees.  When the accounts receivable employee received a second request for a wire transfer, it was revealed that none of the emails had actually come from the president of Medidata and the money had been sent to a hacker.

Federal denied coverage for the following reasons: (1) under the computer fraud clause, because there had been no “fraudulent entry of Data into Medidata’s computer system;” (2) under the funds transfer fraud clause, because the wire transfer had been authorized by Medidata employees and, thus, was made with the knowledge and consent of Medidata; and (3) under the forgery coverage, because the emails did not contain an actual signature and were not a “Financial Instrument.”  Medidata filed a claim for coverage against Federal and the parties filed cross-motions for summary judgment.

The court granted summary judgment in favor of Medidata, holding that “the unambiguous language of the computer fraud clause provides coverage for the theft from Medidata.”  The court reasoned that, under New York law, it is appropriate to find “coverage for fraud where the perpetrator violates the integrity of a computer system through unauthorized access and [it is appropriate to deny] coverage for fraud caused by the submission of fraudulent data by authorized users.”  The court concluded that the direct cause of the fraud was the unauthorized entry into Medidata’s email system with spoofed emails that masked the thief’s true identity.  As to the funds transfer fraud clause, the court found that, because Medidata’s employees’ knowledge of and consent to the wire transfer were obtained by trick, there was no actual knowledge or consent.

Conversely, the court agreed with Federal that there was no coverage under the forgery coverage provision of the policy, because the claim was not a “direct loss resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.”  Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-901(ALC) (S.D.N.Y. July 21, 2017).