MEDIDATA SOLUTIONS INC v. FEDERAL INSURANCE COMPANY (2018)

SUMMARY ORDER

Defendant-Appellant Federal Insurance Company appeals from an August 10, 2017 judgment entered by the District Court for the Southern District of New York (Carter, J.) granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest. We assume the parties’ familiarity with the underlying facts, procedural history, and specification of issues for review.

“Our review of a district court’s grant of summary judgment is de novo.” Globecon Grp., LLC v. Hartford Fire Ins. Co., 434 F.3d 165, 170 (2d Cir. 2006). “An insurance contract is interpreted to give effect to the intent of the parties as expressed in the clear language of the contract.” Beazley Ins. Co., Inc. v. ACE Am. Ins. Co., 880 F.3d 64, 69 (2d Cir. 2018) (brackets omitted). “As with any contract, unambiguous provisions of an insurance contract must be given their plain and ordinary meaning.” White v. Cont’l Cas. Co., 9 N.Y.3d 264, 267, 848 N.Y.S.2d 603, 878 N.E.2d 1019 (Ct. App. 2007). Generally, under New York law, if “the terms of an insurance policy are doubtful or uncertain as to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer.” Edwards v. Allstate Ins. Co., 16 A.D.3d 368, 792 N.Y.S.2d 504, 505 (2d Dep’t 2005); see also Tonkin v. California Ins. Co. of San Francisco, 294 N.Y. 326, 328-29, 62 N.E.2d 215 (Ct. App. 1945).¹

Medidata brought suit, claiming that its losses from an email “spoofing” attack ² were covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance. The provision covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. J. App’x at 207. Federal Insurance asserts that the spoofing attack was not covered, because the policy instead applies to only hacking-type intrusions.

We agree with the district court that the plain and unambiguous language of the policy covers the losses incurred by Medidata here. While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a “computer system” within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.

Federal Insurance argues that Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675, 37 N.E.3d 78 (Ct. App. 2015), requires a different outcome. However, in our view, Universal in fact supports Medidata’s claim. Universal dealt with a medical claim fraud, where the perpetrators submitted false claims for services that were never rendered. The Court of Appeals found that such a fraud was not covered by a similar computer fraud provision, because the fraud was not on the “computer system qua computer system,” and did not entail a “violation of the integrity of the computer system through deceitful and dishonest access.” Id. at 681, 37 N.E.3d 78. Rather, the fraud at issue there only incidentally involved the use of computers, because the company processed its claims using computers (as opposed to on paper). Here, by contrast, the fraud clearly implicates the “computer system qua computer system,” since Medidata’s email system itself was compromised. Id. Further, it seems to us that the spoofing attack quite clearly amounted to a “violation of the integrity of the computer system through deceitful and dishonest access,” since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company. Id. Accordingly, Universal is of little assistance to Federal Insurance here.

Federal Insurance further argues that Medidata did not sustain a “direct loss” as a result of the spoofing attack, within the meaning of the policy. J. App’x at 206. The spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day. Medidata is correct that New York courts generally equate the phrase “direct loss” to proximate cause. See New Hampshire Ins. Co. v. MF Glob., Inc., 108 A.D.3d 463, 970 N.Y.S.2d 16, 19 (1st Dep’t 2013) (“[A] direct loss for insurance purposes has been analogized with proximate cause.”); Granchelli v. Travelers Ins. Co., 167 A.D.2d 839, 561 N.Y.S.2d 944, 944 (4th Dep’t 1990) (“Direct loss is equivalent to proximate cause.”). It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata. And New York law does not have so strict a rule about intervening actors as Federal Insurance argues. See New Hampshire Ins. Co., 970 N.Y.S.2d at 20 (holding one employee’s misconduct was proximate cause of losses, despite the fact that the losses were actually sustained several hours later, when the company settled its trading accounts).

Having concluded that Medidata’s losses were covered under the computer fraud provision, we decline to consider whether additional provisions in the policy might also provide coverage. We have considered the remainder of Federal Insurance’s arguments and find them to be without merit. Accordingly, the judgment of the district court hereby is AFFIRMED.

FOOTNOTES

1.   The parties agree that New York law applies to this dispute.

2.   As the district court explained, “spoofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.” Medidata Sols., Inc. v. Fed. Ins. Co., 268 F.Supp.3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007) ).