Opinion
17-2492-cv
07-06-2018
MEDIDATA SOLUTIONS INC., Plaintiff-Appellee, v. FEDERAL INSURANCE COMPANY, Defendant-Appellant.
Appearing for Appellant: Jonathan D. Hacker, O'Melveny & Myers LLP, Washington, D.C. Appearing for Appellee: Robert M. Loeb, Orrick, Herrington & Sutcliffe LLP (John A. Jurata, E. Joshua Rosenkranz, Daniel A. Rubens, Russell P. Cohen, Evan M. Rose, on the brief), Washington, D.C.
SUMMARY ORDER
RULINGS BY SUMMARY ORDER DO NOT HAVE PRECEDENTIAL EFFECT. CITATION TO A SUMMARY ORDER FILED ON OR AFTER JANUARY 1, 2007, IS PERMITTED AND IS GOVERNED BY FEDERAL RULE OF APPELLATE PROCEDURE 32.1 AND THIS COURT'S LOCAL RULE 32.1.1. WHEN CITING A SUMMARY ORDER IN A DOCUMENT FILED WITH THIS COURT, A PARTY MUST CITE EITHER THE FEDERAL APPENDIX OR AN ELECTRONIC DATABASE (WITH THE NOTATION "SUMMARY ORDER"). A PARTY CITING A SUMMARY ORDER MUST SERVE A COPY OF IT ON ANY PARTY NOT REPRESENTED BY COUNSEL.
At a stated Term of the United States Court of Appeals for the Second Circuit, held at the Thurgood Marshall United States Courthouse, 40 Foley Square, in the City of New York on the 6th day of July, two thousand eighteen. Present: ROSEMARY S. POOLER, REENA RAGGI, PETER W. HALL, Circuit Judges. Appearing for Appellant: Jonathan D. Hacker, O'Melveny & Myers LLP, Washington, D.C. Appearing for Appellee: Robert M. Loeb, Orrick, Herrington & Sutcliffe LLP (John A. Jurata, E. Joshua Rosenkranz, Daniel A. Rubens, Russell P. Cohen, Evan M. Rose, on the brief), Washington, D.C. Appeal from the United States District Court for the Southern District of New York (Carter, J.).
ON CONSIDERATION WHEREOF, IT IS HEREBY ORDERED, ADJUDGED, AND DECREED that the judgment of said District Court be and it hereby is AFFIRMED.
Defendant-Appellant Federal Insurance Company appeals from an August 10, 2017 judgment entered by the District Court for the Southern District of New York (Carter, J.) granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest. We assume the parties' familiarity with the underlying facts, procedural history, and specification of issues for review.
"Our review of a district court's grant of summary judgment is de novo." Globecon Grp., LLC v. Hartford Fire Ins. Co., 434 F.3d 165, 170 (2d Cir. 2006). "An insurance contract is interpreted to give effect to the intent of the parties as expressed in the clear language of the contract." Beazley Ins. Co., Inc. v. ACE Am. Ins. Co., 880 F.3d 64, 69 (2d Cir. 2018) (brackets omitted). "As with any contract, unambiguous provisions of an insurance contract must be given their plain and ordinary meaning." White v. Cont'l Cas. Co., 9 N.Y.3d 264, 267 (Ct. App. 2007). Generally, under New York law, if "the terms of an insurance policy are doubtful or uncertain as to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer." Edwards v. Allstate Ins. Co., 792 N.Y.S.2d 504, 505 (2d Dep't 2005); see also Tonkin v. California Ins. Co. of San Francisco, 294 N.Y. 326, 328-29 (Ct. App. 1945).
The parties agree that New York law applies to this dispute.
Medidata brought suit, claiming that its losses from an email "spoofing" attack were covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance. The provision covered losses stemming from any "entry of Data into" or "change to Data elements or program logic of" a computer system. J. App'x at 207. Federal Insurance asserts that the spoofing attack was not covered, because the policy instead applies to only hacking-type intrusions.
As the district court explained, "spoofing" is "the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the 'From' or 'Reply-to' lines, or in other portions of e-mail messages, an e-mail address other than the actual sender's address, without the consent or authorization of the user of the e-mail address whose address is spoofed." Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)). --------
We agree with the district court that the plain and unambiguous language of the policy covers the losses incurred by Medidata here. While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata's email system, which the parties do not dispute constitutes a "computer system" within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata's organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system's appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata's losses were covered by the terms of the computer fraud provision.
Federal Insurance argues that Universal Am. Corp. v. Nat'l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (Ct. App. 2015), requires a different outcome. However, in our view, Universal in fact supports Medidata's claim. Universal dealt with a medical claim fraud, where the perpetrators submitted false claims for services that were never rendered. The Court of Appeals found that such a fraud was not covered by a similar computer fraud provision, because the fraud was not on the "computer system qua computer system," and did not entail a "violation of the integrity of the computer system through deceitful and dishonest access." Id. at 681. Rather, the fraud at issue there only incidentally involved the use of computers, because the company processed its claims using computers (as opposed to on paper). Here, by contrast, the fraud clearly implicates the "computer system qua computer system," since Medidata's email system itself was compromised. Id. Further, it seems to us that the spoofing attack quite clearly amounted to a "violation of the integrity of the computer system through deceitful and dishonest access," since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company. Id. Accordingly, Universal is of little assistance to Federal Insurance here.
Federal Insurance further argues that Medidata did not sustain a "direct loss" as a result of the spoofing attack, within the meaning of the policy. J. App'x at 206. The spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day. Medidata is correct that New York courts generally equate the phrase "direct loss" to proximate cause. See New Hampshire Ins. Co. v. MF Glob., Inc., 970 N.Y.S.2d 16, 19 (1st Dep't 2013) ("[A] direct loss for insurance purposes has been analogized with proximate cause."); Granchelli v. Travelers Ins. Co., 561 N.Y.S.2d 944, 944 (4th Dep't 1990) ("Direct loss is equivalent to proximate cause."). It is clear to us that the spoofing attack was the proximate cause of Medidata's losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of Medidata. And New York law does not have so strict a rule about intervening actors as Federal Insurance argues. See New Hampshire Ins. Co., 970 N.Y.S. 2d at 20 (holding one employee's misconduct was proximate cause of losses, despite the fact that the losses were actually sustained several hours later, when the company settled its trading accounts).
Having concluded that Medidata's losses were covered under the computer fraud provision, we decline to consider whether additional provisions in the policy might also provide coverage. We have considered the remainder of Federal Insurance's arguments and find them to be without merit. Accordingly, the judgment of the district court hereby is AFFIRMED.
FOR THE COURT:
Catherine O'Hagan Wolfe, Clerk