Computer fraud coverage and email spoofing

In a world where technology is constantly changing, thieves keep finding new and better ways to defraud companies. In Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (ALC), — F. Supp. 3d — (S.D.N.Y. July 21, 2017), the United States District Court for the Southern District of New York addressed the availability of computer fraud coverage for losses resulting from one such scheme. In the process, the court gave an expansive reading to the policy’s computer fraud coverage provision and distinguished its ruling from the New York Court of Appeals’ recent decision in Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 37 N.E.3d 78 (N.Y. 2015), and other decisions.

Medidata illustrates the importance of ensuring that businesses have computer fraud coverage, establish and regularly update processes to thwart fraud, and train employees on both those processes and the latest fraudulent schemes.

The fraudulent scheme involving Medidata Solutions worked as follows: An accounts payable employee received an email message purportedly sent from the company’s president stating that Medidata was close to finalizing an acquisition, that an attorney named Michael Meyer would contact her, and that the acquisition was confidential, and instructing her to devote her attention to Mr. Meyer’s request. The email contained the President’s name, email address, and picture in the “From” field.

Later that day a man holding himself out to be Mr. Meyer called the employee and asked her to process a wire transfer. The employee told “Mr. Meyer” that she would need a request from the company’s president and approval from a company vice president and a company director to accomplish the transfer. Shortly thereafter, the employee received the requested email, again purportedly from the company’s president, instructing her to process the request and copying the vice president and director and instructing them to approve it. All did as requested. Two days later “Mr. Meyer” tried again, but the vice president became suspicious because of a strange address in the “Reply To” field and halted the transaction.

Medidata made an insurance claim for its loss from the completed wire transfer, which its insurer Federal Insurance Company denied. Medidata had a $5 million “Federal Executive Protection” policy that included “Computer Fraud Coverage.” The Computer Fraud Coverage protected the organization from “direct loss … resulting from Computer Fraud committed by a Third Party.” The policy defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.” The policy in turn defined “Computer Violation” as “the fraudulent: (a) entry of Data into … a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.” Finally, the policy defined “Data” to include “any representation of information” and “Computer System” as “a computer and all input, output, processing, storage, off-line media library and communication facilities which are connected to such computer, provided that such computer and facilities are: (a) owned and operated by an Organization; (b) leased and operated by an Organization; or (c) utilized by an Organization.”

The district court granted summary judgment for Medidata Solutions and against Federal Insurance. In doing so, the district court rejected Federal Insurance’s argument that the insurance claim was properly denied because the emails did not require access to Medidata’s computer system, a manipulation of those computers, or input of fraudulent information. The court instead found that the email spoofing scheme here was unambiguously covered because it involved the fraudulent entry of data into a computer system through manipulation of an SMTP email envelope to make it appear that the email (through Google) was from a person within Medidata even if that person did not hack into Medidata’s computer system to do it.
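The mismatch the vice president noticed in the “Reply To” field, and the envelope manipulation the court described, are both things a mail gateway can test for. The following is an added example, not part of the original article or the court record; the domains, the two sample messages and the function name `spoof_indicators` are constructed for illustration, and it assumes the `Authentication-Results` header was stamped by the organization's own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example.com"  # assumption: the recipient organization's own domain


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoof_indicators(raw, org_domain=ORG_DOMAIN):
    """Return the reasons a message's claimed sender should not be trusted."""
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    reasons = []

    # 1. Replies are routed somewhere other than the domain shown in "From".
    reply_doms = {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    if reply_doms - {from_dom, ""}:
        reasons.append("reply_to_mismatch")

    # 2. The SMTP envelope sender (recorded in Return-Path at delivery)
    #    belongs to a different domain than the visible "From" header.
    env_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if env_dom and env_dom != from_dom:
        reasons.append("envelope_mismatch")

    # 3. The message claims an internal sender but did not pass DMARC.
    #    Only trust this header when your own server added it.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if from_dom == org_domain and not re.search(r"\bdmarc=pass\b", auth, re.I):
        reasons.append("internal_from_unauthenticated")
    return reasons


# Constructed sample: internal-looking "From", outside Reply-To and envelope.
SPOOFED = """\
Return-Path: <relay@mailer.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.invalid;
 dmarc=fail header.from=example.com
From: "Pat President" <president@example.com>
Reply-To: "Pat President" <president@example-corp.invalid>
To: ap@example.com
Subject: Confidential acquisition

An attorney will contact you today.
"""

# Constructed sample: genuine internal message.
LEGIT = """\
Return-Path: <president@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dmarc=pass header.from=example.com
From: "Pat President" <president@example.com>
To: ap@example.com
Subject: Quarterly budget

Numbers attached.
"""

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED))
    print(spoof_indicators(LEGIT))
```

A gateway applying checks like these can tag or quarantine a message before an accounts payable employee is asked to act on it, rather than relying on someone spotting the header by eye.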

The district court distinguished the fraudulent scheme in this case from the fraudulent scheme addressed by the New York Court of Appeals in Universal, where the insured was attempting to collect for false claims submitted electronically and then paid out through the insured’s computer system. The district court concluded that Universal did not stand for the proposition that computer hacking was the only type of conduct for which computer fraud coverage was available, despite the court’s use of hacking as an example of a type of conduct covered.

The district court also distinguished the Fifth Circuit’s decision in Apache Corp. v. Great Am. Ins. Co., 662 F. Appx. 252 (5th Cir. 2016), because the thieves in that case were invited in through that insured’s vendor payment system, while Medidata employees did not invite the spoofed emails and only facilitated the wire transfer as a result of the uninvited spoofing. The district court found Apache unpersuasive to the extent the facts in Medidata fit within it.

The district court also held that Medidata Solutions should not have been denied “Funds Transfer Fraud Coverage” because the employee did not act knowingly in facilitating the fraud. “Larceny by trick,” according to the court, “is still larceny.” Finally, the district court held that “Forgery Coverage” was properly denied because there was no forgery or alteration of a financial instrument as required by the policy.

As important as it is for a business to stay one step ahead of thieves who exploit technology to defraud through effective policies, procedures, and training, it is equally important that a business maintain comprehensive computer fraud coverage to protect itself against losses resulting from tricksters who thwart the most secure of computer systems and that insurers who sell such policies be held to the promises, as the Medidata court seems to make clear.


Shannon W. Conway Becomes Managing Shareholder at Talcott Franklin P.C.

Talcott Franklin P.C. has elevated Shannon W. Conway to Managing Shareholder of the firm.  Prior to joining Talcott Franklin P.C., Shannon spent her entire career with Patton Boggs LLP, first joining the firm as a Secretary, attending law school at night, and working her way up the ladder to Paralegal, Law Clerk, Staff Attorney, Associate and, finally, Partner.

“Shannon is the perfect person to manage our firm into the future,” said Talcott Franklin, the firm’s founder.  “She exemplifies the characteristics that clients value: integrity, hard work, perseverance, and intelligence.”

The move also results in the firm becoming a female majority-owned firm.  Previously, the firm had a noted gender studies professor review the firm’s practices, procedures, pay, and structure.  Her conclusion?  The firm is “a field leader in gender equality.”

“The best thing about the firm is the collegiality,” said Conway.  “We’re a firm of many different people with very different backgrounds and points of view, but there is a strong culture of respect for each other that is one of our core values. It also fosters collaboration so that we really are able to provide our clients with the benefit of our collective knowledge and experience which, in my mind, translates to outstanding client service.”

One of Conway’s points of emphasis will be expanding the firm’s flat rate “general counsel” services to growing businesses.

“It’s an important evolution and innovation in legal services,” said Conway.  “The idea is making sophisticated counsel available to a growing business at an affordable and predictable rate.  The critical thing is that we add value to the bottom line of the business through legal strategies that would otherwise be cost-prohibitive.”

Please join us in congratulating Shannon Conway!


“Promptly” Get Up On Your Roof!


This may come as a surprise to some, but Texans take note: if there is a hailstorm in your area, it is apparently your duty to “promptly” climb up on your roof – or hire someone to do it for you – to check for hail damage. Not physically fit to do so? Can’t afford to hire someone to do so? Well, too bad. Because if you don’t learn of that hail damage until too far down the line and you therefore don’t “promptly” make a claim under your applicable insurance policy, then you don’t have coverage. At least that’s what the U.S. District Court for the Northern District of Texas held in the decision issued this week in Certain Underwriters at Lloyd’s of London v. Lowen Valley View, LLC, Case No. 16-CV-0465-B, Memorandum Opinion & Order (N.D. Tex. July 21, 2017).

Quick summary: Unbeknownst to the Insured, a hail storm occurred in June 2012; Insured realizes hail damage on hotel’s roof in November 2014, during the course of a property evaluation and is informed by both Insured’s roof inspector and Insurer’s adjuster that roof is significantly damaged as a result of the June 2012 hail storm.

Moral of the story: 30 months between a hail storm and an insured’s submission of a claim is too long to secure the coverage paid for under an occurrence policy. It does not matter that: (1) the Insured is unaware that a hail storm occurred; (2) the hail damage caused no interior leaks to the hotel which would have put the Insured on notice of the hail damage; or (3) the Insured does not conduct routine roof inspections because it can only be accessed by a crane.

In Lowen Valley View, the Insureds owned the Hilton Garden Inn in Irving, Texas and, in November 2014, evaluated the property for potential capital improvement projects. During the course of that evaluation, the Insureds noticed that the hotel’s roof shingles looked bad. So they hired a roofing contractor, who inspected the property and found evidence of “significant hail damage.” The most recent hailstorm that could have caused this damage was in June 2012, so the Insureds immediately made a claim under their property policy that was in place in June 2012. Lloyd’s then sent its chosen adjuster to inspect the property and that report concluded that the hotel suffered significant hail damage that would require that the roof be replaced rather than repaired.

The decision doesn’t indicate how much the replacement of the roof was estimated to be, but rather than pay to replace the hotel’s roof, here is what Lloyd’s did instead: (1) issued a reservation of rights letter; (2) hired outside counsel to file a lawsuit against the Insured, seeking a declaratory judgment that there is no coverage under the Policy because of the Insured’s failure to “promptly” notify Lloyd’s of the damage; (3) hired yet another engineering firm to examine when the hail damage occurred; (4) required the Insured to provide testimony in an Examination Under Oath; and then (5) spent the next 15 months conducting expert discovery, engaging in mediation, and motions briefing. And Lloyd’s won. So perhaps it was all worth it.


Racial Slur Incident Proves the Value of Social Media in Brand Protection

I’ll be the first to admit that I was slow to recognize the value of social media.  I’m now a convert, for a variety of reasons, but a recent story drove home the necessity of a social media presence for a brand in today’s world.

According to USA Today, Walmart “featured an ad on its website early Monday offering a wig cap for sale in which the color was described as ‘n—r brown.’ The ad has since been removed and Walmart told the Huffington Post that it has determined that the product was sold by a third-party seller posing as a company out of the United Kingdom.”

Walmart was quick to respond on social media, and the company from the United Kingdom, Jagazi Naturals, also quickly posted the following statement:

We woke up this morning to the news that someone has used our name Jagazi to list an item.  Please beware that we are reporting this to as many people as we can and trying to get all the listings pulled down. The real Jagazi is a 100% black company for black people. People have often used our brand name to try and sell their fake products. Please be aware. Very sorry for all the distress this has caused. We are feeling the pain here as well. Most shocking!

They’ll probably never find the piece of human garbage that abused Jagazi Naturals’ brand in such an ugly manner, and even if they found the culprit, legal remedies such as a trademark infringement suit or even a preliminary injunction obtained a few days later would have been cold and expensive comfort if Jagazi hadn’t used social media to immediately get its message out.

Jagazi probably never dreamed someone would do something so horrible, but in the digital age, we can expect the unexpected.  The more robust your social media presence, the more effectively and inexpensively you can defend your brand against tarnishment by some anonymous internet abuser.

Talcott J. Franklin maintains a dual practice in intellectual asset protection and securitization litigation. He is the author of several legal treatises, including Protecting the Brand (Barricade Books 2003). He is the principal of Talcott Franklin P.C., a national law firm with attorneys licensed in DC, GA, KS, MD, MI, MO, NC, NY, TX, VA, and WV.

Investors Seek Class Certification in RMBS Lawsuits

Investors seeking recovery on RMBS claims have had mixed results pursuing their claims in class actions. Recently, an investor in two trusts involving Wells Fargo Bank N.A. as trustee requested class certification in a suit against the bank. Royal Park Invs. SA/NV v. Wells Fargo Bank NA, No. 1:14-cv-09764 (S.D.N.Y. June 29, 2017). Royal Park claimed in the lawsuit that Wells Fargo knew or should have known about widespread problems with the underlying mortgages in the two trusts (ABFC 2006-OPT1 and SASCO 2007-BC1) as well as misconduct by loan servicers. As a result, Royal Park alleged that certificates in the two trusts “are now near or total losses, having been written down to the point that they are worthless or virtually worthless.”

In support of its request for class certification, Royal Park stated: “Plaintiff’s allegations present a predominant question of liability that is susceptible to common proof — whether Wells Fargo’s course of conduct breached the governing agreements, . . . The predominance of common issues, and the impracticability of bringing individual actions to redress Wells Fargo’s wrongful conduct, renders this case ideally suited for class certification.”

The proposed class would cover approximately 185 investors whose holdings in the trusts range from less than $10,000 to more than $10 million. Wells Fargo is expected to oppose the request for class certification.

In a similar case also involving Royal Park, but involving a different trustee, a New York federal judge recently denied Royal Park’s motion to certify the case because the proposed class, as defined, failed to satisfy the “implied” ascertainability requirement. See Royal Park Invs. SA/NV v. Deutsche Bank Nat’l Trust Co., No. 14-CV-4394 (AJN), 2017 WL 1331288 (S.D.N.Y. Apr. 4, 2017).  Royal Park is continuing to attempt to certify that case as a class action, and briefing on its latest motion to certify was completed on May 30, 2017.

These cases, as well as others, highlight the challenges in utilizing the class action vehicle to assert RMBS claims. Investors with holdings in trusts that are at issue in class actions, and who receive notices that their claims have been asserted in a pending class action, should not automatically assume the class action is the best vehicle for recovering their RMBS damages. Such investors should consider seeking legal advice from law firms with securitization litigation experience to help evaluate whether a given class action is adequately protecting the investor’s interests, and whether the better course might be to opt out of the class action.

The Requirement of a Fully Adversarial Proceeding to Enforce a Judgment Against an Insurer Who Wrongfully Refuses to Defend

What happens when an insurer wrongfully refuses to defend its insured, and the insured assigns its claims against its insurer to the plaintiff? Here’s one possibility: “when an insured and tort claimant enter into an agreed judgment accompanied by a covenant not to execute the judgment, that judgment can be enforceable [against the insurer] if coverage exists.” Ayers v. CD General Contractors, 269 F. Supp. 2d 911, 915 (W.D. Ky. 2003). The Kentucky district court then notes, id., at 915 n.5, that “[t]he Supreme Court of Texas appears to be the only court not following this rule.” (citing State Farm Fire and Cas. Co. v. Gandy, 925 S.W.2d 696 (Tex. 1996)).

So what rule does Texas follow? In the seminal case of State Farm Fire Cas. Co. v. Gandy, 925 S.W.2d 696 (Tex. 1996), the Texas Supreme Court invalidated, as against public policy, an insured’s prejudgment assignment of claims against the liability insurer to the tort victim. Such prejudgment assignments, the high court concluded, tend to encourage collusion. While it may be difficult to understand such solicitude for an insurer who wrongfully refuses to defend its insured (we don’t typically think of contract-breaching insurance companies as needing special protection from courts), the resistance to enforcing collusive judgments against insurers is a very real feature of Texas law, as reinforced last month in Great American Insurance Co. v. Hamel, No. 14-1007, — S.W.3d — (Tex. June 16, 2017).

Hamel is significant for several reasons, including (1) reinforcing the rule that a judgment against an insured cannot be enforced against an insurer unless the judgment was the result of a “fully adversarial trial”; (2) using a much simpler test for determining whether a proceeding was a “fully adversarial trial”; and (3) holding that when liability issues are not the result of a “fully adversarial trial,” the liability issues may be litigated in a subsequent coverage suit.

The Supreme Court contributed enormous clarity on the potentially knotty requirement to prove a “fully adversarial trial.” Rather than force a fact-sensitive inquiry into “collusiveness” or an equally excruciating evaluation of adversarial “effectiveness” (the court of appeals approach), the Court adopted a straightforward skin-in-the-game test: “the controlling factor is whether, at the time of the underlying trial or settlement, the insured bore an actual risk of liability for the damages awarded or agreed upon, or had some other meaningful incentive to ensure that the judgment or settlement accurately reflects the plaintiff’s damages and thus the defendant-insured’s covered liability loss.”  Id. at *7.  In other words, “proceedings lose their adversarial nature when, by agreement, one party has no stake in the outcome and thus no meaningful incentive to defend itself.”  Id. at *8.

The Court then concluded that even though there was no prejudgment assignment of claims (as in Gandy), there had been a pretrial agreement by the Hamels not to enforce any resulting judgment against the insured’s personal assets (other than the insurance policy), or certain named work-related assets, which the insured later testified constituted his only assets. Thus did the insured lose that sword of Damocles that incentivizes robustly adversarial proceedings. He literally had nothing to lose.

The straightforward skin-in-the-game test does not, however, altogether eliminate factual inquiries into the issue. The test creates “a strong presumption,” id. at *9, not a categorical rule. Indeed, the Court held open the possibility that either party could overcome the presumption attaching to the existence, or absence, of “a formal, written pretrial agreement that eliminates the insured’s financial risk.” Id. First, the insurer could show “that, even though the plaintiff and insured defendant did not enter into any formal, written agreement, the evidence nonetheless establishes that the defendant had no meaningful stake in the outcome of the underlying litigation.” Id. Second, “the plaintiff (acting as the defendant’s assignee) may overcome the presumption by submitting evidence demonstrating that the defendant retained a meaningful incentive to defend the underlying suit despite an agreement that eliminated the defendant’s financial risk.” Id.

It is not yet clear what form these attempts at rebutting the “strong presumption” could take. For example, could a reputational risk suffice in the absence of a financial risk?

Importantly, the Supreme Court did not simply let the insurer off the hook upon concluding that the proceeding below had not been fully adversarial. Instead, the Court made it clear that liability issues could be litigated in a subsequent coverage lawsuit, and that, even though the subsequent lawsuit against the insurer by the insured’s assignee had failed to cure the absence of an adversarial proceeding originally, the insured’s assignee should get another bite at that apple, given the confusion on these issues preceding this opinion. The insurer was, after all, accountable for much of this messiness in failing initially to honor its contractual duty to defend.