The case Medidata Solutions, Inc. v. Federal Ins. Co. involved a fraudulent impersonation scheme and an alleged entry into the insured’s computer system. The case involved a series of events seen all too often. The court’s ruling offers a glimpse into the intricacies of analyzing coverage in traditional computer fraud claims. It is important to understand the difference between a loss resulting from a social engineering scheme and a loss resulting from computer hacking: losses involving social engineering do not require a hacker to gain unauthorized access.
The Timeline of Unfortunate Events
- Summer of 2014 – Medidata notified its financial department of a possible acquisition. Medidata instructed personnel “to be prepared to assist with significant transactions on an urgent basis.”
- A few months later, a Medidata employee received an email purporting to be from Medidata’s president stating Medidata was finalizing an acquisition and an attorney would be contacting the employee. The following events occurred in succession:
  - The employee received a call from an individual purporting to be the attorney providing instructions for the wire transfer.
  - The employee explained an email from the president was necessary to request a transfer and the employee would need approval of two other persons.
  - The employee and the two other persons received an email from the person purporting to be the president with instruction regarding the transfer.
  - The employee and the other two parties each took steps to approve the wire transfer.
- A few days later, a second wire request was received. One of the individuals noted suspicious indicators in the “Reply to” field. Medidata discovered the president did not request the wire transfers.
- Medidata sought coverage under funds transfer fraud and computer fraud.
Federal argued that no coverage existed under computer fraud as there had been no hacking – the fraudulent emails were sent to an open inbox that was capable of receiving emails from the public. Federal argued there had been no “change to data elements” because the emails did not cause any fraudulent change to Medidata’s computer system. Federal further argued that the “emails did not require access to Medidata’s computer system, a manipulation of those computers, or input of fraudulent information.”
The Medidata court found that the requirement of an unauthorized entry had been met. Although no hacking had occurred, the court found the fraudsters had introduced harmful code in the transmitted emails that caused the Google server, during processing, to mask the fraudster’s true email address as that of the insured’s president. The court found a direct loss.
The Medidata court further found coverage under funds transfer fraud on the grounds that Medidata’s accounts payable personnel would not have initiated the wire transfer “but for” the third parties’ manipulation of the emails.
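The timeline turns on two technical facts: the “Reply to” field carried the indicator that finally exposed the scheme, and the visible sender address had been made to look like the president’s. The following is an added example (not from the court opinion, Medidata, or Federal) of the kind of header check a mail gateway or SOC script can run to surface those indicators before a wire is approved. The executive directory, the domains, and the three sample messages are constructed for illustration; a real deployment would read the organisation’s own directory.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives whose names are likely to be impersonated
# (hypothetical names and domain; replace with the organisation's own directory).
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVES = {
    "pat president": "pat.president@example-corp.test",
}
# Words that, in a request involving money movement, should raise the bar for
# verification (the scheme on this page combined urgency with a wire request).
PRESSURE_WORDS = ("urgent", "wire", "confidential", "acquisition")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. A Reply-To that points somewhere other than the From domain means any
    #    reply (including an approval sent by reply) leaves the organisation.
    if reply_addr and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'"
        )

    # 2. Display name of a known executive attached to an address that is not
    #    that executive's directory entry.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name '{from_name}' used with non-directory address '{from_addr}'"
        )

    # 3. Pressure language in subject or body: not proof of fraud, but it marks
    #    the situation in which call-back verification should be mandatory.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language present: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail from the case).
SPOOFED = """\
From: "Pat President" <pat.president@example-corp.test>
Reply-To: "Pat President" <pat.president@mail-relay-example.test>
To: payables@example-corp.test
Subject: Urgent: acquisition wire

Please process the wire today; outside counsel will call with instructions.
"""

DISPLAY_NAME_SPOOF = """\
From: "Pat President" <pat.president@lookalike-example.test>
To: payables@example-corp.test
Subject: Quick question

Call me about the acquisition when you are free.
"""

LEGITIMATE = """\
From: "Pat President" <pat.president@example-corp.test>
To: payables@example-corp.test
Subject: Q3 budget review

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED),
                       ("display-name spoof", DISPLAY_NAME_SPOOF),
                       ("legitimate", LEGITIMATE)):
        print(label, check_message(raw) or ["no findings"])
```

The third check is deliberately advisory rather than blocking: the point of the Medidata facts is that nothing in the request was technically invalid, so the control that actually stops the loss is the out-of-band call-back and multi-person approval that the findings should trigger, not the filter itself.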
Actions to Take
A scheme that combines social engineering with hacking or entry into a computer system presents a challenge when analyzing traditional computer crime coverages. Suggested steps to prevent social engineering loss may include policies requiring the following:
- Multiple-person sign off.
- Training for requests to change account information.
- A designated call-back number.
- Limit employees’ social media posting.
- Educate employees about schemes.
- Centralized email address to which employees direct their suspicious emails.
- Internal communication informing employees of an established “tell” so employees can ensure emails received from managers are legitimate.