Developments from Recent Cases Involving Computer Fraud Insurance

Posted by John AtkinsFor this month, we have a couple of computer fraud insurance coverage developments for regular readers to think about.First, on July 6, a Second Circuit panel held in favor of the insured in a dispute over the computer fraud provisions of a crime policy. In Medidata Solutions, Inc. v. Federal Insurance Company[1]the appellate court found that a scheme in which bad actors, via a “spoofing” scheme, hijacked a business’s email system and thereby induced fraudulent payments by the company fell within the scope of coverage of a computer fraud provision in a crime policy.Although the panel’s decision is not precedential, the decision is nevertheless important. The scope of computer fraud provisions in crime policies has been in question for some time, after some recent decisions holding that merely incidental use of computer systems in connection with a fraud will not bring such fraud within the scope of computer fraud coverage. In Apache Corp. v. Great American Insurance Company[2] in 2016, the Fifth Circuit found that a fraud that involved, in part, a spoofing scheme did not fall within the scope of coverage of a similarly worded provision. In 2017, the Ninth Circuit made a similar ruling in Taylor & Lieberman v. Fed. Ins. Co.[3] and held that a spoofing scheme whereby an accounting firm was induced to pay client money to a bad actor was not covered by its computer fraud insurance. In those cases, the bad actors managed to send emails that were manipulated to appear as if they were sent by authorized employees. The Second Circuit in Medidata in fact discussed a similar ruling by the New York Court of Appeals.The facts of Medidata were somewhat unique, however. The insurance provision at issue was relatively typical, extending coverage for losses resulting from fraudulent “entry of Data into” or “change to Data elements or program logic of” a computer system. But in this case, unlike other recent cases, the fraudsters introduced a malicious code into the email system of the target business, which caused the email system to misidentify the sender of emails. The fraudsters used this to send an email purportedly from the president of the company to an employee directing the employee to follow payment directions that would shortly be given to him via phone call. This modification of the email system of the victim was sufficient to put the claim within the scope of coverage. This result may give hope to insureds that spoofing attacks are not always excluded from computer fraud coverage, but it is usually dangerous to read a single court opinion more broadly than its facts permit.Second, there is a new coverage dispute being litigated in Virginia involving two cyber intrusions against (and the theft of $2.4 million from) the National Bank of Blacksburg.[4] Although the litigation is still in the early stages, the alleged facts are interesting. In this case there were two separate attacks, both via “phishing,” a technique whereby a link is embedded in an otherwise innocuous email which, when clicked, causes malware to be downloaded.In the first attack, a phishing email hooked an employee of the bank, resulting in the installation of some malware on the employee’s computer. That malware infected another computer in the bank’s system—one that had the ability to handle debit card transactions. The thieves then proceeded to use their access to dispense more than $500,000 of funds from depositor accounts. The bank changed its policies after the first attack, but apparently not enough; a second attack, also by phishing, resulted in an even more extensive breach that gave the criminals almost complete control over many of the bank’s customer accounts, enabling the creation of millions of dollars of fake credits and the withdrawal of same from hundreds of ATMs across the continent.The bank’s insurer (largely) denied coverage, and the bank sued. The bank’s policy provided significant coverage for electronic crime, but this coverage was subject to exclusions for crimes involving the use of debit or credit cards or ATMs. The bank’s policy offered very limited coverage for crimes involving stolen or modified debit cards, which the insurer tendered, but this left nearly all the loss uncovered. The litigation has not progressed far, but we will be monitoring this case going forward.The first thing to note about these cases is this: the operative coverage is the computer fraud or crime coverage within a crime policy, not a dedicated cyber insurance policy. Email spoofing and other cyber risks are not always covered by a cyber insurance policy, and it is important to understand how various insurance policies interlock. The second thing to note is that the content and interpretation of computer fraud insurance is a hot topic at the moment, and as court opinions come in it is likely that both the state of the law, and the drafting of the provisions granting such coverage, will change. Thompson & Knight’s cybersecurity team will be following these and related cases as the insurance market continues to evolve. [1] No. 17-2492-cv (2d Cir. July 6, 2018).[2] 662 Fed. Appx. 252 (5th Cir. 2016).[3] 681 Fed. Appx. 627, 629 (9th Cir. 2017).[4]See Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M, Krebs on Security, www.krebsonsecurity.com, available athttps://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/ (last visited July 25, 2018).