Appeals Court Holds that Computer Fraud Policy Covers Spoofing Attack

The U.S. Court of Appeals for the Second Circuit, applying New York law, has held that an email spoofing attack was covered under a computer fraud policy because the attack involved manipulating the insureds’ email system.  Medidata Solutions Inc. v. Federal Ins. Co., No. 17-2492-cv (2d Cir. July 6, 2018)

A cloud-based service provider experienced a “spoofing” attack, in which an attacker disguised a commercial email to make it appear to come from an address from which it did not originate, and sought coverage under the computer fraud coverage included within its crime policy.  The insurer denied coverage, because the coverage provisions required “entry of Data into” or “change to Data elements or program logic of” a computer system, and the insured’s systems had not suffered a hack or intrusion.  The service provider sued, and the district court granted summary judgment in its favor.

On appeal, the Second Circuit agreed with the district court that the policy was triggered because the attackers crafted a computer-based attack that manipulated Medidata’s email system.  The appeals court held that the spoofing code enabled the attackers to send messages that inaccurately appeared to come from a high-ranking member of the service provider’s organization, constituting a fraudulent entry of data into the computer system.  The court further concluded that the attack made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.  As a result, the appeals court held, the resulting losses were covered.

The appeals court rejected the insurer’s argument that the fraud only incidentally involved the insured’s computer system, finding that the insured’s email system itself was compromised.  The court also rejected the argument that the loss – fraudulent wires that were sent based on instructions in spoofed emails – was not a “direct loss” as a result of the spoofing attack, holding that the attack was a proximate cause of the loss, which the court deemed sufficient under New York law.

Tags

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek