A New York case that many had anticipated would yield a consequential appellate precedent for cyber-insurance claims has instead ended in a three-page unpublished order finding coverage.  In Medidata Solutions, Inc. v. Federal Insurance Company, No. 17‑2492 (2d Cir. July 6, 2018), the U.S. Court of Appeals for the Second Circuit summarily affirmed Judge Andrew Carter’s July 21, 2017 ruling that a company that provides cloud-based services to scientists conducting research in clinical trials was entitled to Computer Fraud coverage for funds that it was fooled into wiring to an outside account by a fraudster’s spoofing attack.

Federal Insurance had argued on appeal that its computer fraud coverage only applied to hacking-type intrusions into an insured’s computer system.  The Second Circuit ruled, however, that actual hacking was not required so long as third party had fraudulent inserted of data into the insured’s computer system.  In this case, the Court of Appeals declared that the spoofing attack quite clearly amounted to a “violation of the integrity of the computer system through deceitful and dishonest access” since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company.

Federal had also argued on appeal that there was no “direct loss” resulting from the spoofing attack as various other events intervened to cause the loss.  Nevertheless, the Second Circuit found that in this case the spoofing attack was proximate cause of Medidata’s losses as “the chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt.”  While acknowledging that Medidata employees themselves had to take action in order to cause the transfer and resulting loss of funds, the court concluded that “we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”

The summary nature of the Second Circuit’s opinion and the relative brevity of the court’s analysis may reflect its awareness of the growing volume of these claims and its concern that it not make sweeping findings that may have unintended collateral consequences.   At the same time, Medidata seems likely to add weight to the growing willingness of federal courts to find cyber-coverage for phishing and spoofing attacks on insured’s computer networks.