eCases

•      17-2492-cv
  Medidata Solutions Inc. v. Federal Insurance Company
  UNITED STATES COURT OF APPEALS
  FOR THE SECOND CIRCUIT
  SUMMARY ORDER
  RULINGS BY SUMMARY ORDER DO NOT HAVE PRECEDENTIAL EFFECT. CITATION TO A
  SUMMARY ORDER FILED ON OR AFTER JANUARY 1, 2007, IS PERMITTED AND IS GOVERNED
  BY FEDERAL RULE OF APPELLATE PROCEDURE 32.1 AND THIS COURT’S LOCAL RULE 32.1.1.
  WHEN CITING A SUMMARY ORDER IN A DOCUMENT FILED WITH THIS COURT, A PARTY
  MUST CITE EITHER THE FEDERAL APPENDIX OR AN ELECTRONIC DATABASE (WITH THE
  NOTATION “SUMMARY ORDER”). A PARTY CITING A SUMMARY ORDER MUST SERVE A COPY
  OF IT ON ANY PARTY NOT REPRESENTED BY COUNSEL.
  1           At a stated Term of the United States Court of Appeals for the Second Circuit, held at the
  2   Thurgood Marshall United States Courthouse, 40 Foley Square, in the City of New York on the
  3   6th day of July, two thousand eighteen.
  4
  5   Present:    ROSEMARY S. POOLER,
  6               REENA RAGGI,
  7               PETER W. HALL,
  8                           Circuit Judges.
  9   _____________________________________________________
  10
  11   MEDIDATA SOLUTIONS INC.,
  12
  13                                    Plaintiff-Appellee,
  14
  15                            v.                                                 17-2492-cv
  16
  17   FEDERAL INSURANCE COMPANY,
  18
  19                           Defendant-Appellant.
  20   _____________________________________________________
  21
  22   Appearing for Appellant:         Jonathan D. Hacker, O’Melveny & Myers LLP, Washington, D.C.
  23
  24   Appearing for Appellee:          Robert M. Loeb, Orrick, Herrington & Sutcliffe LLP (John A.
  25                                    Jurata, E. Joshua Rosenkranz, Daniel A. Rubens, Russell P. Cohen,
  26                                    Evan M. Rose, on the brief), Washington, D.C.
  27
  28   Appeal from the United States District Court for the Southern District of New York (Carter, J.).
  29
  30        ON CONSIDERATION WHEREOF, IT IS HEREBY ORDERED, ADJUDGED,
  31   AND DECREED that the judgment of said District Court be and it hereby is AFFIRMED.
  1           Defendant-Appellant Federal Insurance Company appeals from an August 10, 2017
  2   judgment entered by the District Court for the Southern District of New York (Carter, J.)
  3   granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance
  4   coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest. We assume the
  5   parties’ familiarity with the underlying facts, procedural history, and specification of issues for
  6   review.
  7
  8            “Our review of a district court’s grant of summary judgment is de novo.” Globecon Grp.,
  9   LLC v. Hartford Fire Ins. Co., 

  434 F.3d 165

  , 170 (2d Cir. 2006). “An insurance contract is
  10   interpreted to give effect to the intent of the parties as expressed in the clear language of the
  11   contract.” Beazley Ins. Co., Inc. v. ACE Am. Ins. Co., 

  880 F.3d 64

  , 69 (2d Cir. 2018) (brackets
  12   omitted). “As with any contract, unambiguous provisions of an insurance contract must be given
  13   their plain and ordinary meaning.” White v. Cont’l Cas. Co., 

  9 N.Y.3d 264

  , 267 (Ct. App. 2007).
  14   Generally, under New York law, if “the terms of an insurance policy are doubtful or uncertain as
  15   to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer.”
  16   Edwards v. Allstate Ins. Co., 

  792 N.Y.S.2d 504

  , 505 (2d Dep’t 2005); see also Tonkin v.
  17   California Ins. Co. of San Francisco, 

  294 N.Y. 326

  , 328-29 (Ct. App. 1945).1
  18
  19           Medidata brought suit, claiming that its losses from an email “spoofing” attack2 were
  20   covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance.
  21   The provision covered losses stemming from any “entry of Data into” or “change to Data
  22   elements or program logic of” a computer system. J. App’x at 207. Federal Insurance asserts that
  23   the spoofing attack was not covered, because the policy instead applies to only hacking-type
  24   intrusions.
  25
  26           We agree with the district court that the plain and unambiguous language of the policy
  27   covers the losses incurred by Medidata here. While Medidata concedes that no hacking occurred,
  28   the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email
  29   system, which the parties do not dispute constitutes a “computer system” within the meaning of
  30   the policy. The spoofing code enabled the fraudsters to send messages that inaccurately
  31   appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus
  32   the attack represented a fraudulent entry of data into the computer system, as the spoofing code
  33   was introduced into the email system. The attack also made a change to a data element, as the
  34   email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.
  35   Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.
  36
  37          Federal Insurance argues that Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of
  38   Pittsburgh, Pa., 

  25 N.Y.3d 675

  (Ct. App. 2015), requires a different outcome. However, in our
  1
  The parties agree that New York law applies to this dispute.
  2
  As the district court explained, “spoofing” is “the practice of disguising a commercial e-mail to
  make the e-mail appear to come from an address from which it actually did not originate.
  Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail
  messages, an e-mail address other than the actual sender’s address, without the consent or
  authorization of the user of the e-mail address whose address is spoofed.” Medidata Sols., Inc. v.
  Fed. Ins. Co., 

  268 F. Supp. 3d 471

  , 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 

  245 F.R.D. 71

  , 91 n.34 (E.D.N.Y. 2007)).
  2
  1   view, Universal in fact supports Medidata’s claim. Universal dealt with a medical claim fraud,
  2   where the perpetrators submitted false claims for services that were never rendered. The Court of
  3   Appeals found that such a fraud was not covered by a similar computer fraud provision, because
  4   the fraud was not on the “computer system qua computer system,” and did not entail a “violation
  5   of the integrity of the computer system through deceitful and dishonest access.” 

  Id. at 681.

   6   Rather, the fraud at issue there only incidentally involved the use of computers, because the
  7   company processed its claims using computers (as opposed to on paper). Here, by contrast, the
  8   fraud clearly implicates the “computer system qua computer system,” since Medidata’s email
  9   system itself was compromised. 

  Id. Further, it

  seems to us that the spoofing attack quite clearly
  10   amounted to a “violation of the integrity of the computer system through deceitful and dishonest
  11   access,” since the fraudsters were able to alter the appearance of their emails so as to falsely
  12   indicate that the emails were sent by a high-ranking member of the company. 

  Id. Accordingly, 13

    Universal is of little assistance to Federal Insurance here.
  14
  15           Federal Insurance further argues that Medidata did not sustain a “direct loss” as a result
  16   of the spoofing attack, within the meaning of the policy. J. App’x at 206. The spoofed emails
  17   directed Medidata employees to transfer funds in accordance with an acquisition, and the
  18   employees made the transfer that same day. Medidata is correct that New York courts generally
  19   equate the phrase “direct loss” to proximate cause. See New Hampshire Ins. Co. v. MF Glob.,
  20   Inc., 

  970 N.Y.S.2d 16

  , 19 (1st Dep’t 2013) (“[A] direct loss for insurance purposes has been
  21   analogized with proximate cause.”); Granchelli v. Travelers Ins. Co., 

  561 N.Y.S.2d 944

  , 944
  22   (4th Dep’t 1990) (“Direct loss is equivalent to proximate cause.”). It is clear to us that the
  23   spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated
  24   by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the
  25   Medidata employees themselves had to take action to effectuate the transfer, we do not see their
  26   actions as sufficient to sever the causal relationship between the spoofing attack and the losses
  27   incurred. The employees were acting, they believed, at the behest of a high-ranking member of
  28   Medidata. And New York law does not have so strict a rule about intervening actors as Federal
  29   Insurance argues. See New Hampshire Ins. 

  Co., 970 N.Y.S.2d at 20

  (holding one employee’s
  30   misconduct was proximate cause of losses, despite the fact that the losses were actually sustained
  31   several hours later, when the company settled its trading accounts).
  32
  33          Having concluded that Medidata’s losses were covered under the computer fraud
  34   provision, we decline to consider whether additional provisions in the policy might also provide
  35   coverage. We have considered the remainder of Federal Insurance’s arguments and find them to
  36   be without merit. Accordingly, the judgment of the district court hereby is AFFIRMED.
  37
  38                                                       FOR THE COURT:
  39                                                       Catherine O’Hagan Wolfe, Clerk
  40
  3
  

• Sign In
• Sign Up