Appeals Court Holds that Computer Fraud Policy Covers Spoofing Attack
The U.S. Court of Appeals for the Second Circuit, applying New York law, has held that an email spoofing attack was covered under a computer fraud policy because the attack involved manipulating the insured’s email system. Medidata Solutions Inc. v. Federal Ins. Co., No. 17-2492-cv (2d Cir. July 6, 2018).
A cloud-based service provider experienced a “spoofing” attack, in which an attacker disguised a commercial email to make it appear to come from an address from which it did not originate. The provider sought coverage under the computer fraud coverage included within its crime policy. The insurer denied coverage because the coverage provisions required “entry of Data into” or “change to Data elements or program logic of” a computer system, and the insured’s systems had not suffered a hack or intrusion. The service provider sued, and the district court granted summary judgment in its favor.
On appeal, the Second Circuit agreed with the district court that the policy was triggered because the attackers crafted a computer-based attack that manipulated Medidata’s email system. The appeals court held that the spoofing code enabled the attackers to send messages that inaccurately appeared to come from a high-ranking member of the service provider’s organization, constituting a fraudulent entry of data into the computer system. The court further concluded that the attack made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. As a result, the appeals court held, the resulting losses were covered.
The appeals court rejected the insurer’s argument that the fraud only incidentally involved the insured’s computer system, finding that the insured’s email system itself was compromised. The court also rejected the argument that the loss – fraudulent wires that were sent based on instructions in spoofed emails – was not a “direct loss” as a result of the spoofing attack, holding that the attack was a proximate cause of the loss, which the court deemed sufficient under New York law.