Login Register Subscribe
Current Issue

Chubb unit on the hook for email spoofing loss

Reprints

A cloud-based services firm has prevailed in a coverage dispute with a Chubb Ltd. unit in a case in which the company lost $4.8 million because of spoof emails.

In June 2014, an accounts payable employee of Ross, California-based Medidata Solutions Inc., which provides cloud-based services to scientists conducting research in clinical trials, received an email purportedly from the company’s president instructing her to devote her full attention to the demands of “attorney” Michael Meyer, according to Friday’s ruling by the U.S. District Court in New York in Medidata Solutions Inc. v. Federal Insurance Co.

That email led to the company eventually wiring — and losing — $4.8 million to a bank account provided by “Mr. Meyer.” A second attempted wire transfer was stopped after a Medidata official became suspicious and an investigation ensued, according to the ruling.

Medidata sought coverage for the loss under its “Federal Executive Protection” policy with Federal Insurance Co., a unit of Warren Township, New Jersey-based Chubb Ltd., which provided up to $5 million in coverage, according to the ruling.

Chubb denied coverage, and Medidata filed suit. The District Court granted Medidata’s motion for summary judgment in the case.

“Medidata argues that the policy’s computer fraud clause covers the company’s loss in 2014, because a thief fraudulently entered and changed data in Medidata’s computer system,” said the ruling.

Federal argued the loss is not covered “because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or input of fraudulent information,” said the ruling.

“The court has reviewed the Policy and concludes that, as matter of law, the unambiguous language of the computer fraud clause provides coverage for the theft from Medidata,” said the ruling. “Medidata has demonstrated that its losses were a direct cause of a computer violation.”

The ruling also held Medidata was entitled to coverage under its policy’s funds transfer fraud coverage. The “validity of the wire transfer depended upon several high-level employees’ knowledge and consent which was only obtained by trick,” said the ruling.

“As the parties are well aware, larceny by trick is still larceny. Therefore, Medidata has demonstrated that the funds transfer clause covers the theft in 2014,” the ruling said.

The ruling did agree with Chubb that the policy’s forgery clause did not trigger coverage.

In May, Google’s parent company, Alphabet Inc., warned its users to beware of emails from known contacts asking them to click on a link to Google Docs after a large number of people turned to social media to complain that their accounts had been hacked.