A New York federal judge recently ruled that a thief's use of emails to trick employees of Medidata into wiring money overseas was a covered incident under the company's computer fraud policy, weakening insurers' arguments that such coverage is meant to apply only to hacking into policyholders' computers.
The computer fraud provision in Medidata Solutions Inc.'s crime policy covered losses that occurred as a result of the "fraudulent entry" or changing of data in the policyholder's computer system. In a Friday decision, U.S. District Judge Andrew L. Carter Jr. held that while Medidata's computers weren't directly hacked by a third party, the provision's requirements were still met because the fraudster used a computer code to alter email messages requesting a funds transfer to make them appear as though they originated from Medidata's president.
Judge Carter pointed out that hacking is "one of the many methods" a thief can use, and concluded that the fraudster's use of deceptive emails to scam Medidata — in what is colloquially referred to as a "social engineering" scheme — is a form of fraudulent entry that falls under the language of the computer fraud provision.
"As the parties are well aware, larceny by trick is still larceny," the judge wrote.
According to Anderson Kill PC shareholder Joshua Gold, Judge Carter's conclusion is a pro-policyholder ruling that is consistent with the policy language, as the computer fraud provision doesn't use the words "hack" or "hacking."
"The gaining of unauthorized access into a computer system can be accomplished in a number of ways: the policyholder can be manipulated into handing over the keys to the kingdom, or a third party can steal the keys to the kingdom by brute force," Gold said. "Under the Medidata court's reasoning, it appears that either scenario would result in coverage."
To read the full article: Medidata Win Fortifies Policyholders In Digital Fraud Fights