Court: District Court, S.D. New York; July 21, 2017; Federal District Court
Medidata Solutions, Inc. initiated a lawsuit against Federal Insurance Company after the latter denied Medidata's insurance claim. Both parties submitted cross-motions for summary judgment, leading the court to order further expert discovery. The court ultimately granted Medidata's motion for summary judgment.
Medidata provides cloud-based services for clinical trial research and uses Google's Gmail platform for its email communications, with unique email addresses at the domain "mdsol.com". Email messages are processed by Google, which verifies incoming addresses against Medidata employee profiles.
In 2014, Medidata's finance team was informed of potential significant transactions, including an acquisition. Alicia Evans, responsible for processing travel and entertainment expenses, received a fraudulent email impersonating Medidata's president, which included the president's name, email, and picture. The email indicated a confidential acquisition and instructed her to prepare for contact from a supposed attorney, Michael Meyer. Following the email, Evans received a phone call from someone claiming to be Meyer, who requested a wire transfer, citing urgent time constraints. Although Evans sought confirmation via email from the president and required approval from other executives, a subsequent group email, allegedly from the president, instructed them to process the wire transfer, further facilitating the fraud.
The email in the name of Medidata's president was used to initiate a wire transfer, which Evans processed through Chase Bank using information provided by Meyer. Schwartz and Chin approved the transfer of $4,770,226.00 to a bank account designated by Meyer. On September 18, 2014, Meyer requested a second wire transfer, which Evans initiated and Schwartz approved, but Chin found the email address in the “Reply To” field suspicious. After discussing this with Evans, he contacted Medidata’s president, who confirmed he had not requested any transfers. This led to the realization that Medidata had been defrauded, prompting the company to contact the FBI and hire outside counsel for an investigation. It was discovered that an unknown actor had altered emails to impersonate Medidata's president.
Medidata had a $5,000,000 insurance policy with Federal, which included a "Crime Coverage Section" encompassing Forgery, Computer Fraud, and Funds Transfer Fraud Coverage. The Computer Fraud Coverage protected against direct losses from fraud committed by a third party, defined broadly to include unlawful taking or fraudulent transfers resulting from computer violations. The Funds Transfer Fraud Coverage protected against losses from fraudulent electronic instructions directing a financial institution to transfer money without the organization's consent. Lastly, the Forgery Coverage addressed losses from forgery or alteration of financial instruments by a third party, encompassing electronically produced signatures treated as equivalent to handwritten ones.
On September 25, 2014, Medidata submitted a claim to Federal for fraud coverage under three policy clauses. Federal assigned claims technician Michael Maillet to investigate. On December 24, 2014, Federal denied the claim, stating there was no fraudulent entry into Medidata’s computer system because its email system was open to receiving messages from the public. Federal argued that the emails did not change any data elements or program logic and noted that any changes made, such as the addition of Medidata’s president’s name and picture, were not caused by the fraudulent email. Furthermore, the claim under the funds-transfer fraud clause was denied because the wire transfer had been authorized by Medidata employees, indicating their consent. The Forgery Coverage claim was also rejected since the emails lacked actual signatures and did not meet the definition of a Financial Instrument. Federal maintained that no loss would have occurred without the actions of Medidata employees acting on the emailed instructions. Medidata responded to the denial on January 13, 2015, but Federal reiterated its denial on January 30, 2015.
The excerpt also outlines the standard for summary judgment, emphasizing that it is appropriate when no genuine issue of material fact exists, and that the burden lies with the moving party to demonstrate this absence. Speculation or mere denials are insufficient to create such issues. It underscores that courts should resolve ambiguities in favor of the nonmoving party and that when evaluating cross-motions for summary judgment, each must be considered on its own merits. Under New York law, insurance policies are interpreted according to contract principles, with the parties' intent guiding the interpretation.
A written agreement must be enforced according to its clear and unambiguous terms. The interpretation of unambiguous contracts is a legal question. When assessing an insurance contract's ambiguity, courts consider the reasonable expectations of the average insured based on the policy's language. Medidata claims that its Computer Fraud clause covers a 2014 loss resulting from fraudulent data entry by a thief into its computer system. Specifically, Medidata contends that the spoofed emails included altered sender information that constituted data manipulation. Conversely, Federal argues that the loss is not covered because no direct access or manipulation of Medidata’s system occurred. The court reviewed the policy and determined that the Computer Fraud clause does provide coverage for the theft, as it defines a computer violation in terms of fraudulent data entry or alteration. The New York Court of Appeals previously ruled that a similar clause only covered losses from unauthorized access to a system, not from fraudulent actions by authorized users. However, the court noted that the fraud against Medidata involved deceitful access, as evidenced by email spoofing, which was facilitated by computer code that masked the true origin of the emails.
Gmail's system compared the "From" field of spoof emails with a contact list, displaying Medidata's president's name and picture to recipients, who only saw this information. Federal's interpretation of the Universal case is deemed overly broad, as they argue that a lack of unauthorized data entry into Medidata’s system negates coverage. This interpretation incorrectly limits the policy's scope by suggesting that only direct hacking resulting in a bank transfer would qualify for coverage. The Universal case references hacking as an example but recognizes that coverage extends to fraud through unauthorized access, not just hacking. The rider specifically addresses losses from unauthorized entries or changes, indicating that the focus is on unauthorized users corrupting data rather than authorized users submitting fraudulent claims.
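The two technical facts in this account, that the mail client chose the displayed name and picture from the sender-supplied "From" field and that the "Reply To" address was what looked suspicious to Chin, suggest a simple header review check. The following Python is an added example, not part of the court record or of any Medidata or Google system; it assumes the suspicious reply address sat outside the company domain, and the sample messages, mailbox names and flag strings are constructed (only the domain mdsol.com comes from the text above).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"mdsol.com"}  # domain named on the page

# Constructed samples; mailbox names and example.net are placeholders.
SPOOFED = (
    'From: "Company President" <president@mdsol.com>\n'
    "Reply-To: president@example.net\n"
    "To: accounts.payable@mdsol.com\n"
    "Subject: Confidential acquisition\n"
    "\n"
    "An attorney will contact you shortly.\n"
)
ROUTINE = (
    'From: "Company President" <president@mdsol.com>\n'
    "To: accounts.payable@mdsol.com\n"
    "Subject: Quarterly all-hands\n"
    "\n"
    "Agenda attached.\n"
)

def _domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def review_flags(raw_message):
    """Return reasons a message claiming an internal sender needs review."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    if _domain(from_addr) not in INTERNAL_DOMAINS:
        return []  # only messages that claim an internal sender are in scope
    flags = []
    # Reply-To may list several mailboxes; check each one.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if not reply_addr:
            continue
        if _domain(reply_addr) not in INTERNAL_DOMAINS:
            flags.append("reply-to-external:" + reply_addr.lower())
        elif reply_addr.lower() != from_addr.lower():
            flags.append("reply-to-differs:" + reply_addr.lower())
    return flags

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(name, review_flags(raw))
```

A flag here is a prompt for out-of-band confirmation before a payment is released, not proof of fraud, since the "From" header on its own says nothing about where a message actually originated.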
Federal's reliance on Pestmaster Servs. Inc. v. Travelers is also critiqued; that case denied coverage because the payroll administrator was authorized to withdraw funds, despite misappropriation. The Universal court clarified that computer fraud involves unauthorized access to facilitate a fraudulent transfer. In contrast, the theft against Medidata involved spoofed emails that used computer code to mask the thief’s identity and alter data, creating confusion. Federal argues there is no direct link between the spoofed emails and the wire transfer since Medidata employees approved the transfer after receiving calls from the thief. They cite the Fifth Circuit's Apache Corp. decision, which similarly denied coverage due to a complex chain of events leading to fraud.
Thieves executed a coordinated fraud involving phone calls, spoofed emails, and falsified documents. Under Texas law, the Fifth Circuit ruled that the insured's computer fraud provision did not apply to the theft, as it resulted from factors beyond direct computer use. The court noted that the insured party had initiated the computer use leading to a flawed payment process to a fraudulent account. In contrast, Medidata's case involved an accounts payable employee receiving a spoofed email from someone impersonating the company’s president, which was deemed a direct cause of the fraudulent transfer. The court found Apache's causation analysis unconvincing in Medidata's context.
Federal cited the Ninth Circuit's Taylor Lieberman case, where an accounting firm was denied coverage after falling victim to a spoofing scam. The court emphasized that the theft occurred from the client, not the firm, and noted coverage would be applicable if the funds had been in the firm's account. The Ninth Circuit agreed that merely receiving spoofed emails did not constitute unauthorized access to the firm's computer system. However, Medidata's situation differed, as its losses were directly linked to spoofed emails that led to unauthorized transfers from its own bank account, justifying its claim for coverage.
Medidata contended it was wrongfully denied coverage under the Funds Transfer Fraud clause, asserting that the fraudulent instructions resulted in a direct loss of money without its knowledge or consent. Federal disputed this, claiming the transfer was voluntary and thus constituted consent. The court concluded that the policy's clear language covers Medidata's 2014 theft, defining Funds Transfer Fraud as fraudulent instructions purportedly issued by an organization to a financial institution without the organization's consent.
A funds transfer fraud agreement does not apply to authorized electronic transactions, even if they are linked to fraudulent schemes, as established in Pestmaster. In that case, a corporation transferred valid funds to a payroll administrator, who later misappropriated them. The court ruled against coverage, noting no unauthorized access or manipulation of instructions occurred. Similarly, in Cumberland Packing Corp. v. Chubb Ins. Corp., coverage was denied for voluntary transfers to an authorized agent, as there were no unauthorized instructions. In contrast, in Medidata's case, a third party impersonated an authorized representative, prompting an accounts payable employee to initiate a transfer. Despite the employee's consent, the transaction's validity hinged on manipulation, qualifying it for coverage under the Funds Transfer Fraud clause.
Conversely, the theft does not activate the Forgery coverage because the policy specifies a direct loss from forgery or alteration of a financial instrument by a third party. The dispute centers on whether the spoofed emails constitute forgery. However, even if they were forgeries, the absence of a financial instrument undermines Medidata’s claim. Medidata's argument that forgery alone suffices for coverage is rejected, as it would create ambiguity in the policy. Therefore, Medidata has not proven a loss covered by the Forgery clause. The court concludes by granting Medidata’s motion for summary judgment and denying Federal’s motion.
The trial court observed that the perpetrators enrolled new members in a health plan with their consent, receiving kickbacks from a provider in exchange. In some instances, the provider exploited the member’s personal information without their knowledge. The provider did not enroll in the plan directly but submitted claims using a National Provider Identifier (NPI) obtained from the U.S. Department of Health and Human Services. This NPI was sometimes acquired for a fictitious provider or fraudulently appropriated from a legitimate one. The court referenced the term "Spoofing," describing it as the act of disguising a commercial email to appear as though it originated from a different address without the consent of the actual address's user. The Appellate Division shared concerns regarding the policy language, indicating it was meant to address wrongful acts related to computer system manipulation by hackers, and it did not cover fraudulent claims made by legitimate healthcare providers for services that were not rendered.