By Benjamin Duke, Matt Schlesinger, and Scott Levitt
[This article was also published as a Client Alert.]
Two recent federal district court decisions involving computer “spoofing” scams highlight the uncertainty about whether such incidents may be covered under standard “computer fraud” provisions in widely used crime insurance forms. The conflicting results in these cases provide a stark reminder to policyholders that seemingly minor differences in policy wordings can have a major impact on the scope of coverage – and severe financial consequences.
“Spoofing” refers to the practice of manipulating a commercial e-mail to falsify the e-mail’s true origin, without the consent or authorization of the user whose e-mail address is “spoofed.” See Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007). As recent cases reflect, scam artists have used spoofing—also known as “business email compromise,” “social engineering,” or “fake president” fraud—to induce even high-level executives of sophisticated companies to transfer millions of dollars to accounts under the scammers’ control. Faced with irretrievable losses, many companies have understandably looked first to the “computer fraud” and other provisions of their corporate crime policies for insurance coverage.
Last month, in Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529, __ F. Supp. 3d __ (S.D.N.Y. July 21, 2017), the court found coverage under the “computer fraud” provision of the insured’s crime policy for a $4.8 million loss resulting from an email spoofing scam. The scam started with a spoofed email to an accounts payable employee purportedly from Medidata’s president, directing the employee to await an attorney’s wire transfer instructions to pay for an impending acquisition. Id. at *1. That same day, the purported attorney called with instructions to process the wire transfer, and a subsequent spoofed email induced both Medidata’s vice-president and its CFO to sign off on the transfer. Id. at *2. Not until two days later did the company realize that it had been defrauded. Id. Continue Reading