New York Federal Court Finds Coverage under a Crime Policy for Social Engineering-induced Fraudulent Funds Transfer When a Computer Code Is Used to Alter Emails
Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (U.S.D.C., S.D.N.Y. July 21, 2017). In a case contrary to the prevailing trend, a federal court in New York, applying New York law, held that the wire transfer of $4.8 million resulting from fraudulent social engineering was covered under a Crime Policy.
Medidata provides services to scientists conducting clinical trials. Although it has its own email domain, it used Google’s Gmail platform for company email. Messages to employees were routed through Google servers for processing and storage. Gmail displayed the sender’s full name, email address and picture in the “From” field of a message. A fraudster embedded computer code in false emails, which caused certain Gmail messages to appear as if they came from Medidata’s president. The emails directed an employee to make the transfer and provided the name of a fictitious attorney who communicated with the employee in a telephone call. Ultimately several senior officers approved the transfer.
The court concluded that this sequence of events constituted “deceitful and dishonest access,” which the New York Court of Appeals had indicated would trigger computer fraud coverage in Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 25 N.Y.3d 675 (2015). The Medidata court held that such access fell within the language of the Computer Fraud coverage grant, which defined a covered Computer Violation as “the fraudulent: (a) entry of Data into or deletion of Data from a Computer System” or “(b) change to Data elements or program logic of a Computer System, which is kept in machine-readable format.” It was sufficient that “[A] thief sent spoofed emails armed with computer code into the email system that Medidata used.”
The court also concluded that these events fell within the Funds Transfer Fraud coverage grant of the Crime Policy, which defined Funds Transfer Fraud as “fraudulent electronic … instructions … purportedly issued by an Organization, and issued to a financial institution directing [a transfer] without such Organization’s knowledge or consent.” It reasoned that “the accounts payable personnel would not have initiated the wire transfer, but for, the third parties’ manipulation of the emails.” The court addressed the requirement that the transfer is “without such Organization’s knowledge or consent” by saying that the “high-level employees’ knowledge and consent … was only obtained by trick” and that “larceny by trick is still larceny.”