Medidata and American Tooling Courts Misunderstood Tech
This summer’s U.S. courts of appeals decisions in Medidata Solutions and American Tooling caused considerable stir in the world of insurance coverage. Many policyholder attorneys declared that computer fraud coverage for phishing attacks is now broader than a Yahoo data breach. Certainly, these decisions mark a dramatic shift in what had been to date a lopsided score in which courts more often than not have found coverage unavailable. However, whether Medidata Solutions Inc. v. Federal Ins Co., and American Tooling Ctr. Inc. v. Travelers Cas. & Sur. Co. of Am. mark a permanent shift remains to be seen.
A closer look at technology underlying both decisions suggests that this question is far from settled. The technology at issue in each case, and basic cybersecurity concepts implicated by them — specifically the courts’ imprecise interpretation of “integrity” and “instructions to” a computer system — give pause as to whether the decisions will stand. As discussed below, if the courts had understood fully the factual events of each case, as dictated by the technology, the decisions may have been very different. At the very least, these cases show how critical it is for courts to understand the technology implicated in an underlying claim, for a misunderstanding of the technology can be the difference between a poor decision and a correct one.
Business Email Compromise Attacks
Sometimes called “CEO Fraud,” business email compromise attacks are a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the recipient into wiring money to them. According to an FBI report, BEC claims are a $3 billion problem in the U.S. economy. They strike businesses of all sizes, and have resulted in losses from thousands of dollars to millions of dollars.
In a BEC attack, a company employee (typically, a lower-level employee) will receive a phishing email purportedly coming from a high-level executive or vendor instructing that a payment be wired to a specific bank account that the fraudster controls. Sometimes these schemes require a first-time payment; other times, they require the company employee to replace standing wiring instructions with new instructions. Many times, the emails have a time pressure component (i.e., “I will need the payment wired ASAP”) or an impatient tone (“This is the third time we’ve made this request”) to intimidate the recipient and inhibit him or her from questioning the request. In every successful BEC attack, the instructions are followed and a payment is wired to the new bank account. Once the money is wired to the new account, it is withdrawn by the perpetrator of the fraud. At that point, the money is gone and irretrievable.
Medidata and American Tooling
In Medidata, fraudsters sent a phishing email to a Medidata employee using a PHP script. Use of the PHP script made the email appear to come from the company’s president. Specifically, the email had the president’s return address in the “From” box, and it had the president’s picture appearing on the message.
The email instructed the company employee that Medidata was close to finalizing an acquisition, and that an attorney named Michael Meyer would contact the employee with further instructions. The employee later received a phone call from a man who identified himself as Meyer and who told the employee to process a wire transfer for $4.7 million. The employee balked, explaining that she needed an email from Medidata’s president requesting the wire transfer, as well as approval from two senior officers. Afterward, all three employees received a group email from the fraudster (still posing as Medidata’s president) instructing them to approve and effect the wire transfer immediately. After receipt of the second email, the first employee entered the banking information provided by the fraudster and submitted the wire transfer for approval. The two senior employees approved the wire, and the money was sent. The company realized the fraud the next day.
Medidata sought coverage for its loss under the computer fraud coverage in its crime policy. The policy covered “direct loss of Money, Securities or Property sustained by an Organization resulting from Computer Fraud committed by a Third Party.” The policy defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The policy defined “Computer Violation” as:
the fraudulent: (a) entry of Data into . . . a Computer System; [or] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format . . . directed against an Organization.
The insurer denied coverage. The parties agreed that use of email satisfied the policy’s definition for “Computer System,” but disagreed whether the matter involved a “fraudulent entry of Data” into a computer system, or a “fraudulent change to Data elements” of a computer system, to satisfy the definition for “Computer Violation” within the meaning of “Computer Fraud.” The trial court held that coverage existed, and the Second Circuit affirmed.
Equating a PHP script to malicious code that “manipulated Medidata’s email system,” the Second Circuit concluded there had been both a fraudulent entry of data and a fraudulent change to data to meet the definition of “Computer Violation.” The court explained:
Thus, the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision. [Emphasis added.]
The Second Circuit also distinguished the New York Court of Appeals decision in Universal American, which had held that fraudulent data entered or changed by an authorized user does not constitute fraudulent entry or change of data into a computer to implicate computer fraud coverage. The Second Circuit differentiated the case, holding that both the access and entry of data in Medidata’s computer system had been fraudulent. Because the fraudsters had “compromised” Medidata’s email system and violated its “integrity,” the court reasoned that the New York Court of Appeals’ decision in Universal American was inapposite and did not preclude coverage:
… the spoofing attack quite clearly amounted to a “violation of the integrity of the computer system through deceitful and dishonest access,” since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company. [Emphasis added.]
One week later, the United States Court of Appeals in American Tooling reversed a Michigan federal district court decision holding that a BEC attack did not implicate coverage, and held that a spoofed email constituted “use of a computer to fraudulently cause” a transfer of money to satisfy the definition for “computer fraud.”
There, the insured, American Tooling, had emailed a vendor, Shanghai YiFeng Automotive Die Manufacture Co. Ltd., requesting all outstanding invoices for which payments were due. According to the court, an unidentified third party intercepted the email and, impersonating a YiFeng employee, replied to it with the request that payments be wired to a new bank. The fraudster had spoofed YiFeng’s email address by substituting the letters “r” and “n” for an “m” to make the address “yifeng-rnould” instead of “yifeng-mould.com” to trick the insured’s employee. The American Tooling employee complied with the request and authorized several payments totaling over $830,000 to be wired to the new bank account. When the real YiFeng inquired about payment, American Tooling realized it had been defrauded.
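The two sender-spoofing techniques described above (an exact-domain “From” forgery in Medidata and an “rn”-for-“m” look-alike domain in American Tooling) can be told apart at the receiving mail gateway. The following sketch is an added example, not code from either case record or from the article’s author; the internal domain `example-corp.test`, the confusables list, the sample messages, and the assumption that the recipient’s own gateway stamps the `Authentication-Results` header are all illustrative.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: the recipient's own mail domain and its vendor list.
INTERNAL_DOMAINS = {"example-corp.test"}
TRUSTED_DOMAINS = {"yifeng-mould.com"}  # vendor domain as named in the article

# Character sequences that read as another letter at a glance.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d")]

def skeleton(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d

def dmarc_result(msg):
    """DMARC verdict from Authentication-Results, assumed to be stamped by the
    recipient's own gateway (sender-supplied copies must be stripped upstream)."""
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            part = part.strip().lower()
            if part.startswith("dmarc="):
                return (part[len("dmarc="):].split() or ["none"])[0]
    return "none"

def classify(raw):
    """Label an inbound message by how far its From: domain can be trusted."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS | TRUSTED_DOMAINS:
        # From: is sender-supplied text; only the gateway verdict vouches for it.
        return "authenticated" if dmarc_result(msg) == "pass" else "spoofed"
    if skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        # A look-alike domain is controlled by its sender, so it can pass DMARC.
        return "lookalike"
    return "external"

# Constructed sample messages (not taken from either case record).
SPOOFED = (
    "From: President <president@example-corp.test>\n"
    "Authentication-Results: mx.example-corp.test; spf=fail; dmarc=fail\n"
    "Subject: Confidential acquisition\n\nPlease expect a call.\n"
)
LOOKALIKE = (
    "From: Accounts <billing@yifeng-rnould.com>\n"
    "Authentication-Results: mx.example-corp.test; spf=pass; dmarc=pass\n"
    "Subject: Updated bank details\n\nPlease use the new account.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, "->", classify(raw))
```

The look-alike message passes authentication because its sender legitimately controls the substitute domain, which is why the visual comparison is a separate check from the DMARC verdict.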
American Tooling sought recovery under its computer fraud coverage, which covered “direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” Unlike the policy in Medidata, the policy defined “computer fraud” to mean the “use of any computer to fraudulently cause a transfer of” money off premises. The Fifth Circuit in Apache Corp. v. Great Amer. Ins. Co., previously held that phishing attacks did not constitute computer fraud. The Sixth Circuit thought differently and held that if an email triggers a chain of events leading to the miswire of funds, that trigger is enough to constitute “use of a computer to fraudulently cause a transfer of” money. The court reasoned that the impersonator sent American Tooling “fraudulent emails using a computer and these emails fraudulently caused [American Tooling] to transfer the money to the impersonator.” The court further rejected the contention that “use of a computer” required a manipulation of a computer, through malware or otherwise, to effect the transfer.
Critically, the Sixth Circuit also refused to apply a common computer fraud exclusion (not at issue in Medidata). The exclusion prohibited coverage for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” The policy defined “Electronic Data” in part as “facts or information converted to a form … that does not provide instructions or directions to a Computer System.” The insurer argued that because the insured’s employee had “manually entered the impersonator’s name, banking information, and the amount to be wired [into] the banking portal,” he had input “Electronic Data” to trigger the exclusion.
However, the Sixth Circuit rejected the contention on the basis that the definition for “Electronic Data” excluded “instructions or directions.” The court explained that the “physical pressing of the keyboard and mouse sent instructions to the computer to display specific values” and that these “values combined to form ‘instructions or directions’” to a “Computer System” to fall outside the definition for “Electronic Data.” As a result, the underlying loss did not involve “Electronic Data” to satisfy the exclusion.
Will Technology Have Its Say?
Both decisions effectively broadened computer fraud coverage for BEC attacks; however, a closer look at the technology, and the courts’ misunderstanding of it, suggests that the basis of each decision is suspect. In particular, the courts misunderstood the concepts of a computer system’s “integrity” and of instructions “to” a computer system.
In cybersecurity, “integrity” means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. It is the security goal for protection against either intentional or accidental attempts to violate data integrity (i.e., the property that data has not been altered in an unauthorized manner) or system integrity (i.e., the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation). System security is a fundamental concept that measures goals and policy of virtually all cybersecurity regulations.
The Medidata decision relies upon the court’s conclusion that the integrity of Medidata’s computer system was breached. In other words, this means either the data contained in Medidata’s system was altered in an unauthorized manner, or Medidata’s computer system did not perform in its intended function. Remove either conclusion, and the logic underpinning the opinion fails. The problem is that both conclusions are unfounded. The use of an email message with PHP scripting, as executed by the fraudsters in Medidata, did not violate the integrity of data or Medidata’s system. Nor did it circumvent the computer system’s security.
In Medidata, as a result of the PHP scripting in the email sent by the fraudster, the “From” box contained the president’s name and company email address. Yet, the script did not corrupt the integrity of Medidata’s computer system. In no instance, based on the facts presented, did Medidata’s system not perform its intended function in an unimpaired, nonmanipulated manner. The code responsible for creating the appearance of the phishing email to resemble an internal communication, including the placement of the Medidata president’s picture in the message, already existed in Medidata’s system, put there by Medidata itself. Medidata’s system, based on code authorized and programmed by Medidata, and not the fraudsters, truncated the email address and supplied the president’s picture. There was no code introduced by the phishing email that manipulated or compromised Medidata’s system. Similarly, there was no violation of the integrity of data. The appearance of the email resulted from computer code installed and/or authorized by Medidata. An alteration — to the extent an alteration existed — was not unauthorized. Any change that occurred happened pursuant to instructions to the computer system set in place by Medidata.
In addition, there was no unauthorized access to Medidata’s system to compromise its integrity. The email was sent to a public address and received by Medidata’s system through a public portal. The fraudsters, while certainly devious, did not circumvent or avoid any security measure to gain access to Medidata’s computer system. Thus, the Medidata court’s conclusion that the fraudsters violated the integrity of Medidata’s system has no factual support, and is little more than a misunderstanding of cybersecurity and the technology employed.
The American Tooling decision also undertakes logical leaps. In Apache, the Fifth Circuit acknowledged the ubiquitous and pervasive presence of computer technology in our society and refused to extend coverage to mere “incidental” use of a computer to perpetrate a fraud. The Fifth Circuit concluded that although the fraudulent phishing email in the case before it “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.” The court feared that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud[.]” The Sixth Circuit never addressed this issue or even the Apache decision.
More critically, the Sixth Circuit also refused to apply an exclusion prohibiting coverage for loss resulting “from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System,” because, the court reasoned, the information entered into the banking portal fell outside the definition for “Electronic Data.” However, in reaching this decision, the court failed to appreciate the fundamental distinction between instructions and computer code.
The policy defined “Electronic Data” in part as “facts or information converted to a form … that does not provide instructions or directions to a Computer System” (emphasis added). Equating manual typing of information from a keyboard into a computer to be “‘instructions or directions’ to a ‘Computer System,’” the court concluded that the loss did not involve “Electronic Data” to implicate the exclusion. The problem with this conclusion is that it ignores use of the preposition “to” and the meaning of computer code.
Computer code is not merely instructions, but a set of instructions to a computer. Indeed, Merriam Webster’s online dictionary defines “instruction” in part as “a code that tells a computer to perform a particular operation.” By excluding “instructions or directions to a Computer System” from the definition of “Electronic Data,” the policy merely excluded computer code from the definition. The phishing email in American Tooling did not involve computer code. Nor did the company employee who was tricked by the email create or insert any code. Yet, the court missed this distinction. Instead, by holding that typing a message by keyboard into a computer constitutes instructions or directions to a computer system, the court let the exception in the definition of “Electronic Data” swallow the exclusion itself. The Sixth Circuit conflated concepts of computer code and typing communicative instructions, the result of which was an exercise that, if taken to its logical end, negates the exclusion in its entirety.
Notably, the Ninth Circuit in Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., never engaged in such a mental exercise when addressing the same exclusion in the context of an underlying BEC. In Aqua Star, the court held both that the exclusion was unambiguous and that it applied where an insured’s employee typed the new bank account information into a document saved on her computer. At the very least, Aqua Star sets up another coverage battle for another day.
In the end, had the courts in Medidata and American Tooling focused more closely on the technology and basic correlating concepts of cybersecurity at hand, they may have reached different decisions. As courts develop a greater understanding of or expertise in cybersecurity and computer technology, other courts may reach different decisions. Contrary to popular opinion, the law in this area remains relatively wide open. In the meantime, insurers may wish to reflect on the various interpretations of computer fraud coverage presented by the courts, and consider revising contract language to ensure clarity and mutual understanding of the scope of coverage contemplated within the four corners of the policy.
 Medidata Solutions Inc. v. Federal Insurance Co., 2018 U.S. App. LEXIS 18376 (2d Cir. July 6, 2018), en banc review denied (Aug. 23, 2018)
 American Tooling Ctr. Inc. v. Travelers Cas. & Sur. Co. of Am., 2018 U.S. App. LEXIS 19208 (6th Cir. July 13, 2018)
 Medidata Sols. Inc. v. Fed. Insurance Co., 268 F. Supp. 2d 471, 473 (S.D.N.Y. 2017).
 Medidata, 268 F. Supp. 3d at 474
 2018 U.S. App. Lexis at *2-3.
 Id. at *3.
 Id. at *3.
 Id. at *3-4.
 American Tooling Ctr. Inc. v. Travelers Cas. & Sur. Co. of Am., 2017 U.S. Dist. LEXIS 120473, at *2 (E.D. Mich. Aug. 1, 2017).
 2018 U.S. App. LEXIS 19208 at *4-5.
 Id. at *6.
 Id. at *10-11.
 Apache Corp. v. Great Amer. Insurance Co., 662 Fed App’x 252 (5th Cir. 2016)
 Id. at *11-12.
 Id. at *13.
 Id. at *18.
 Id. at *19.
 Id. at *19-20.
 See, e.g., NIST SP 800 59.
 662 Fed. App’x 252.
 Id. at 258.
 See Committee on National Security Systems (CNSS) Glossary, CNSSI No. 4009 (April 6, 2015).
 Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., 719 Fed App’x 701 (9th Cir. 2018)
 2018 U.S. App. LEXIS 19208 at *2.