Computer Fraud Coverage Extends to Manipulation of External Email Server
The United States District Court for the Southern District of New York, applying New York law, has held that a cloud-based service provider’s loss resulting from fraudulent wire instructions is covered under a computer fraud and funds transfer fraud policy because the fraudulent email changed data in the provider’s computer system despite use of a third-party external email service. Medidata Solutions, Inc. v. Federal Ins. Co., No. 15-CV-907 (S.D.N.Y. July 21, 2017). The court also held that the fraud precluded any finding that coverage was excluded based on the provider’s knowledge or consent to the wire transfer.
The service provider purchased a policy that covered computer fraud and funds transfer fraud. The policy defined “computer fraud” as the “unlawful taking or the fraudulently induced transfer of Money” resulting from fraudulent “entry of Data into . . . or change to Data elements or program logic of a Computer System.” Funds transfer fraud coverage protected the service provider from loss directly caused by fraudulent electronic instructions issued to a financial institution without the provider’s knowledge or consent. Several of the service provider’s employees received emails purportedly from the provider’s president with instructions to wire funds to a bank account, causing an employee to issue a wire transfer of nearly $5 million. The service provider sought coverage for the loss, and the insurer denied on the grounds that there had been no fraudulent entry of data onto the provider’s computer systems. The insurer further argued that funds transfer fraud coverage did not apply because the wire transfer was made with the service provider’s knowledge and consent. The provider sued, and both parties moved for summary judgment.
The court granted summary judgment in favor of the service provider. The court held that the computer fraud coverage applied because the fraudster’s email contained a code that tricked the provider’s email server into identifying the email as coming from the president. The court rejected the insurer’s argument that there was no coverage because the fraudulent emails did not require access to the service provider’s computer system or input of fraudulent information to that system, because the external email server, rather than the provider’s internal computer systems, populated the president’s information in the email. The court held that manipulation of the email system via the code was sufficient to trigger coverage, and that actual hacking of the system was not required.
The court further ruled that the funds transfer fraud coverage grant also was triggered, rejecting the insurer’s argument that the transfer was made with the provider’s knowledge and consent. The court reasoned that “[t]he fact that the accounts payable employee willingly pressed the send button on the bank transfer does not transform the bank wire into a valid transaction. To the contrary, the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by trick.”