The Second Circuit affirmed the district court's finding of coverage for a cyber attack. Medidata Solutions Inc. v. Federal Ins. Co., 2018 U.S. App LEXIS 18376 (2nd Cir. July 6, 2018). The district court's decision is summarized in a prior post here.
Medidata sued Federal when coverage was denied for an email "spoofing" attack. Medidata contended the attack was covered by a computer fraud provision in its policy. The policy covered losses from any "entry of Data into" or "change to Data elements or program logic" of a computer system. Federal argued that the spoofing attack was not covered, because the policy instead applied to only hacking-type intrusions.
The Second Circuit agreed with the district court that the plain language of the policy covered the losses. While Medidata conceded that no hacking occurred, the criminals nonetheless crafted a computer-based attack that manipulated Medidata's email system. The spoofing code enabled the criminals to send messages that inaccurately appeared to come from a high-ranking member of Medidata's organization. The attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system's appearance was altered by the spoofing code to misleadingly indicate the sender. Therefore, Medidata's losses were covered by the terms of the computer fraud provision.
Federal also argued that Medidata did not sustain a "direct loss" due to the spoofing attack. New York courts equated the phrase "direct loss" to proximate cause. The spoofing attack here was the proximate cause of Medidata's losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While the Medidata employees themselves had to take action to effectuate the transfer, their actions were not sufficient to sever the causal relationship between the spoofing attack and the losses incurred.