Medidata Solutions Inc. v. Fed. Ins. Co.

• Decision Date: 06 July 2018
• Docket Number: 17-2492-cv
• Parties: MEDIDATA SOLUTIONS INC., Plaintiff-Appellee, v. FEDERAL INSURANCE COMPANY, Defendant-Appellant.
• Court: U.S. Court of Appeals — Second Circuit

MEDIDATA SOLUTIONS INC., Plaintiff-Appellee, v. FEDERAL INSURANCE COMPANY, Defendant-Appellant.

17-2492-cv

UNITED STATES COURT OF APPEALS FOR THE SECOND CIRCUIT

July 6, 2018

SUMMARY ORDER

RULINGS BY SUMMARY ORDER DO NOT HAVE PRECEDENTIAL EFFECT. CITATION TO A SUMMARY ORDER FILED ON OR AFTER JANUARY 1, 2007, IS PERMITTED AND IS GOVERNED BY FEDERAL RULE OF APPELLATE PROCEDURE 32.1 AND THIS COURT'S LOCAL RULE 32.1.1. WHEN CITING A SUMMARY ORDER IN A DOCUMENT FILED WITH THIS COURT, A PARTY MUST CITE EITHER THE FEDERAL APPENDIX OR AN ELECTRONIC DATABASE (WITH THE NOTATION "SUMMARY ORDER"). A PARTY CITING A SUMMARY ORDER MUST SERVE A COPY OF IT ON ANY PARTY NOT REPRESENTED BY COUNSEL.

At a stated Term of the United States Court of Appeals for the Second Circuit, held at the Thurgood Marshall United States Courthouse, 40 Foley Square, in the City of New York on the 6^th day of July, two thousand eighteen.

Present: ROSEMARY S. POOLER, REENA RAGGI, PETER W. HALL, Circuit Judges.

Appearing for Appellant:

Jonathan D. Hacker, O'Melveny & Myers LLP, Washington, D.C.

Appearing for Appellee:

Robert M. Loeb, Orrick, Herrington & Sutcliffe LLP (John A. Jurata, E. Joshua Rosenkranz, Daniel A. Rubens, Russell P. Cohen, Evan M. Rose, on the brief), Washington, D.C.

Appeal from the United States District Court for the Southern District of New York (Carter, J.).

ON CONSIDERATION WHEREOF, IT IS HEREBY ORDERED, ADJUDGED, AND DECREED that the judgment of said District Court be and it hereby is AFFIRMED.

Defendant-Appellant Federal Insurance Company appeals from an August 10, 2017 judgment entered by the District Court for the Southern District of New York (Carter, J.) granting summary judgment to Plaintiff-Appellant Medidata Solutions Inc. in this insurance coverage dispute, and awarding Medidata $5,841,787.37 in damages and interest. We assume the parties' familiarity with the underlying facts, procedural history, and specification of issues for review.

"Our review of a district court's grant of summary judgment is de novo." Globecon Grp., LLC v. Hartford Fire Ins. Co., 434 F.3d 165, 170 (2d Cir. 2006). "An insurance contract is interpreted to give effect to the intent of the parties as expressed in the clear language of the contract." Beazley Ins. Co., Inc. v. ACE Am. Ins. Co., 880 F.3d 64, 69 (2d Cir. 2018) (brackets omitted). "As with any contract, unambiguous provisions of an insurance contract must be given their plain and ordinary meaning." White v. Cont'l Cas. Co., 9 N.Y.3d 264, 267 (Ct. App. 2007). Generally, under New York law, if "the terms of an insurance policy are doubtful or uncertain as to their meaning, any ambiguity must be resolved in favor of the insured and against the insurer." Edwards v. Allstate Ins. Co., 792 N.Y.S.2d 504, 505 (2d Dep't 2005); see also Tonkin v. California Ins. Co. of San Francisco, 294 N.Y. 326, 328-29 (Ct. App. 1945).¹

Medidata brought suit, claiming that its losses from an email "spoofing" attack² were covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance. The provision covered losses stemming from any "entry of Data into" or "change to Data elements or program logic of" a computer system. J. App'x at 207. Federal Insurance asserts that the spoofing attack was not covered, because the policy instead applies to only hacking-type intrusions.

We agree with the district court that the plain and unambiguous language of the policy covers the losses incurred by Medidata here. While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata's email system, which the parties do not dispute constitutes a "computer system" within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata's organization. Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system's appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata's losses were covered by the terms of the computer fraud provision.

Federal Insurance argues that Universal Am. Corp. v. Nat'l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (Ct. App. 2015), requires a different outcome. However, in ourview, Universal in fact supports Medidata's claim. Universal dealt with a medical claim fraud, where the perpetrators submitted false claims for services that were never rendered. The Court of Appeals found that such a fraud was not covered by a similar computer fraud provision, because the fraud was not on the "computer system qua computer system," and did not entail a "violation of the integrity of the computer system through deceitful and dishonest access." Id. at 681. Rather, the fraud at issue there only incidentally involved the use of computers, because the company processed its claims using computers (as opposed to on paper). Here, by contrast, the fraud clearly implicates the "computer system qua computer system," since Medidata's email system itself was compromised. Id. Further, it seems to us that the spoofing attack quite clearly amounted to a "violation of the integrity of the computer system through deceitful and dishonest access," since the fraudsters were able to alter the appearance of their emails so as to falsely indicate that the emails were sent by a high-ranking member of the company. Id. Accordingly, Universal is of little assistance to Federal Insurance here.

...