Spoofed Emails Armed With Hidden Code: A Terrible, Horrible, No Good, Very Bad Day
December 2017
Another case can be added to the growing list of decisions addressing computer hacking and coverage under a policy’s “Crime Coverage” form. The form generally addresses loss caused by various criminal acts, providing forgery, computer fraud, and funds transfer coverage. In Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-CV-907 (ALC), 2017 U.S. Dist. LEXIS 122210 (July 21, 2017), the United States District Court for the Southern District of New York analyzed coverage under the form in light of Medidata’s loss involving spoofed emails.
Medidata provides cloud-based services to scientists conducting research in clinical trials. Medidata used Google’s Gmail platform for company emails, with email addresses consisting of an employee’s first initial and last name followed by the domain name “msdol.com” in lieu of “gmail.com.” Email messages sent to Medidata employees were routed through Google computer servers. Google systems processed the stored email messages and, during this processing, compared incoming email addresses with Medidata employee profiles in order to find matches. If a match was found, Gmail showed the sender’s full name, email address, and picture in the “From” field of the message. After processing, the email displayed in the Medidata employee’s email account.
Medidata’s terrible, horrible¹ tale unfolds in September 2014. Around that time, Medidata notified its finance department of the company’s short-term business plans, which included a possible acquisition. Medidata instructed its finance personnel to be prepared to assist with significant transactions on an urgent basis. On a no good, very bad day, employee Alicia Evans of the finance department received an email purportedly sent from Medidata’s president, informing her that he was finalizing a strictly confidential acquisition and an attorney would be calling her with payment instructions demanding her immediate attention. The email message contained the president’s name, email address, and picture in the “From” field.
That same day, Ms. Evans received a phone call from a man claiming to be the referenced attorney. He requested that Ms. Evans process a wire transfer. Ms. Evans explained that she would need an email from Medidata’s president requesting the transfer, and would also need to obtain approval from Medidata’s vice-president and director of revenue. Ms. Evans then received an email that appeared to be from Medidata’s president authorizing a $4.7M wire transfer, copying the vice-president and director of revenue. As instructed, Ms. Evans initiated the wire transfer, and, as further instructed, the vice-president and director of revenue authorized the wire transfer.
A few days later, the purported attorney contacted Ms. Evans again, requesting a second wire transfer. Ms. Evans began initiating the wire transfer. However, this time the vice-president hesitated in granting his authorization for the transfer. He was suspicious. He reached out to the president directly, who explained that he had not requested either wire transfer. Medidata had been defrauded – it was not a good day.
Medidata submitted a claim to Federal, which issued a denial. Federal explained that under the Computer Fraud provision there had been no fraudulent entry of data into Medidata’s computer system. Federal denied coverage under the Funds Transfer clause, as well, noting that the wire transfer had been authorized by Medidata employees and thus was made with the knowing consent of Medidata. Finally, Federal rejected Medidata’s claim for forgery coverage because the emails did not contain an actual signature and did not meet the policy’s definition of “Financial Instrument.” Federal emphasized that no loss would have taken place if Medidata employees had not acted upon the instructions contained in those spoofed emails.
Litigation ensued. After analyzing the policy language and discussing landmark hacking cases such as Pestmaster Servs., Inc. v. Travelers and Apache Corp. v. Great American Ins. Co., the court found coverage for the loss under the Computer Fraud and Funds Transfer Fraud provisions (not the Forgery Coverage provision). Id. at *16-19. It is perhaps the first time a court performed an analysis of the means by which a fraudulent engineering scheme was carried out to determine coverage. The court began by emphasizing the distinct facts at issue in Medidata that were not at issue in some of these prior cases: The fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity. The thief’s computer code also changed data from the true email address to Medidata’s president’s address to achieve the email spoof.
The court was not persuaded by Federal’s argument that, given a number of intervening acts, there was no direct nexus between the spoofed emails and the fraudulent wire transfer. After all, Medidata’s employees received phone calls from the thief and took other steps in approving the fraudulent transfer. In contrast to the court in Apache, the court was not bothered by this “muddy chain of events,” noting that the Medidata employees only initiated the transfer as a direct cause of the thief sending spoof emails posing as Medidata’s president. Id. at *18. The court found that the “validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick. . . . [and] [l]arceny by trick is still larceny.” Id. at *22.
And Medidata’s terrible, horrible, no good, very bad day wasn’t so bad.²

¹ Reference to “Alexander and the Terrible, Horrible, No Good, Very Bad Day,” by Judith Viorst.

² Federal appealed the ruling to the Second Circuit. Briefs were filed on November 27, 2017 and December 4, 2017. An amicus brief was filed in support of Federal’s position by The Surety and Fidelity Association of America.