     17-2492-cv
     Medidata Solutions Inc. v. Federal Insurance Company

                                   UNITED STATES COURT OF APPEALS
                                       FOR THE SECOND CIRCUIT

                                              SUMMARY ORDER

     RULINGS BY SUMMARY ORDER DO NOT HAVE PRECEDENTIAL EFFECT. CITATION TO A
     SUMMARY ORDER FILED ON OR AFTER JANUARY 1, 2007, IS PERMITTED AND IS GOVERNED
     BY FEDERAL RULE OF APPELLATE PROCEDURE 32.1 AND THIS COURT’S LOCAL RULE 32.1.1.
     WHEN CITING A SUMMARY ORDER IN A DOCUMENT FILED WITH THIS COURT, A PARTY
     MUST CITE EITHER THE FEDERAL APPENDIX OR AN ELECTRONIC DATABASE (WITH THE
     NOTATION “SUMMARY ORDER”). A PARTY CITING A SUMMARY ORDER MUST SERVE A COPY
     OF IT ON ANY PARTY NOT REPRESENTED BY COUNSEL.



 1           At a stated Term of the United States Court of Appeals for the Second Circuit, held at the
 2   Thurgood Marshall United States Courthouse, 40 Foley Square, in the City of New York on the
 3   6th day of July, two thousand eighteen.
 4
 5   Present:    ROSEMARY S. POOLER,
 6               REENA RAGGI,
 7               PETER W. HALL,
 8                           Circuit Judges.
 9   _____________________________________________________
10
11   MEDIDATA SOLUTIONS INC.,
12
13                                    Plaintiff-Appellee,
14
15                            v.                                                 17-2492-cv
16
17   FEDERAL INSURANCE COMPANY,
18
19                           Defendant-Appellant.
20   _____________________________________________________
21
22   Appearing for Appellant:         Jonathan D. Hacker, O’Melveny & Myers LLP, Washington, D.C.
23
24   Appearing for Appellee:          Robert M. Loeb, Orrick, Herrington & Sutcliffe LLP (John A.
25                                    Jurata, E. Joshua Rosenkranz, Daniel A. Rubens, Russell P. Cohen,
26                                    Evan M. Rose, on the brief), Washington, D.C.
27
28   Appeal from the United States District Court for the Southern District of New York (Carter, J.).
29
30        ON CONSIDERATION WHEREOF, IT IS HEREBY ORDERED, ADJUDGED,
31   AND DECREED that the judgment of said District Court be and it hereby is AFFIRMED.
 1           Defendant-Appellant Federal Insurance Company appeals from an August 10, 2017
 2   judgment entered by the District Court for the Southern District of New York (Carter, J.)
 3   granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance
 4   coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest. We assume the
 5   parties’ familiarity with the underlying facts, procedural history, and specification of issues for
 6   review.
 7
 8            “Our review of a district court’s grant of summary judgment is de novo.” Globecon Grp.,
 9   LLC v. Hartford Fire Ins. Co., 434 F.3d 165, 170 (2d Cir. 2006). “An insurance contract is
10   interpreted to give effect to the intent of the parties as expressed in the clear language of the
11   contract.” Beazley Ins. Co., Inc. v. ACE Am. Ins. Co., 880 F.3d 64, 69 (2d Cir. 2018) (brackets
12   omitted). “As with any contract, unambiguous provisions of an insurance contract must be given
13   their plain and ordinary meaning.” White v. Cont’l Cas. Co., 9 N.Y.3d 264, 267 (Ct. App. 2007).
14   Generally, under New York law, if “the terms of an insurance policy are doubtful or uncertain as
15   to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer.”
16   Edwards v. Allstate Ins. Co., 792 N.Y.S.2d 504, 505 (2d Dep’t 2005); see also Tonkin v.
17   California Ins. Co. of San Francisco, 294 N.Y. 326, 328-29 (Ct. App. 1945).1
18
19           Medidata brought suit, claiming that its losses from an email “spoofing” attack2 were
20   covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance.
21   The provision covered losses stemming from any “entry of Data into” or “change to Data
22   elements or program logic of” a computer system. J. App’x at 207. Federal Insurance asserts that
23   the spoofing attack was not covered, because the policy instead applies to only hacking-type
24   intrusions.
25
26           We agree with the district court that the plain and unambiguous language of the policy
27   covers the losses incurred by Medidata here. While Medidata concedes that no hacking occurred,
28   the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email
29   system, which the parties do not dispute constitutes a “computer system” within the meaning of
30   the policy. The spoofing code enabled the fraudsters to send messages that inaccurately
31   appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus
32   the attack represented a fraudulent entry of data into the computer system, as the spoofing code
33   was introduced into the email system. The attack also made a change to a data element, as the
34   email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.
35   Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.
36
37          Federal Insurance argues that Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of
38   Pittsburgh, Pa., 25 N.Y.3d 675 (Ct. App. 2015), requires a different outcome. However, in our
     1
      The parties agree that New York law applies to this dispute.
     2
      As the district court explained, “spoofing” is “the practice of disguising a commercial e-mail to
     make the e-mail appear to come from an address from which it actually did not originate.
     Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail
     messages, an e-mail address other than the actual sender’s address, without the consent or
     authorization of the user of the e-mail address whose address is spoofed.” Medidata Sols., Inc. v.
     Fed. Ins. Co., 268 F. Supp. 3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245
     F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).


                                                     2
 1   view, Universal in fact supports Medidata’s claim. Universal dealt with a medical claim fraud,
 2   where the perpetrators submitted false claims for services that were never rendered. The Court of
 3   Appeals found that such a fraud was not covered by a similar computer fraud provision, because
 4   the fraud was not on the “computer system qua computer system,” and did not entail a “violation
 5   of the integrity of the computer system through deceitful and dishonest access.” Id. at 681.
 6   Rather, the fraud at issue there only incidentally involved the use of computers, because the
 7   company processed its claims using computers (as opposed to on paper). Here, by contrast, the
 8   fraud clearly implicates the “computer system qua computer system,” since Medidata’s email
 9   system itself was compromised. Id. Further, it seems to us that the spoofing attack quite clearly
10   amounted to a “violation of the integrity of the computer system through deceitful and dishonest
11   access,” since the fraudsters were able to alter the appearance of their emails so as to falsely
12   indicate that the emails were sent by a high-ranking member of the company. Id. Accordingly,
13   Universal is of little assistance to Federal Insurance here.
14
15           Federal Insurance further argues that Medidata did not sustain a “direct loss” as a result
16   of the spoofing attack, within the meaning of the policy. J. App’x at 206. The spoofed emails
17   directed Medidata employees to transfer funds in accordance with an acquisition, and the
18   employees made the transfer that same day. Medidata is correct that New York courts generally
19   equate the phrase “direct loss” to proximate cause. See New Hampshire Ins. Co. v. MF Glob.,
20   Inc., 970 N.Y.S.2d 16, 19 (1st Dep’t 2013) (“[A] direct loss for insurance purposes has been
21   analogized with proximate cause.”); Granchelli v. Travelers Ins. Co., 561 N.Y.S.2d 944, 944
22   (4th Dep’t 1990) (“Direct loss is equivalent to proximate cause.”). It is clear to us that the
23   spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated
24   by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the
25   Medidata employees themselves had to take action to effectuate the transfer, we do not see their
26   actions as sufficient to sever the causal relationship between the spoofing attack and the losses
27   incurred. The employees were acting, they believed, at the behest of a high-ranking member of
28   Medidata. And New York law does not have so strict a rule about intervening actors as Federal
29   Insurance argues. See New Hampshire Ins. Co., 970 N.Y.S. 2d at 20 (holding one employee’s
30   misconduct was proximate cause of losses, despite the fact that the losses were actually sustained
31   several hours later, when the company settled its trading accounts).
32
33          Having concluded that Medidata’s losses were covered under the computer fraud
34   provision, we decline to consider whether additional provisions in the policy might also provide
35   coverage. We have considered the remainder of Federal Insurance’s arguments and find them to
36   be without merit. Accordingly, the judgment of the district court hereby is AFFIRMED.
37
38                                                       FOR THE COURT:
39                                                       Catherine O’Hagan Wolfe, Clerk
40




                                                     3
