Coverage for “Social Engineering” losses is a growing issue in the crime and cyber insurance spheres. Social Engineering losses include a broad category of frauds perpetrated using email communication, sometimes in combination with telephone discussions and other media.
In a typical Social Engineering scam, the fraudster creates an illegitimate email address that looks legitimate in order to manipulate a target into improperly transferring funds.
For the past several years, crime carriers have resisted paying Social Engineering losses under traditional Computer Fraud coverage afforded via standard Crime policies. When presented with Social Engineering claims, crime carriers typically take the position that Computer Fraud coverage requires a “wrongful entry” or “hack,” i.e., a directed breach of the insured’s computer systems to trigger coverage. Crime carriers have been largely successful in legally defending this position. In fact, over the past several years, courts in California, New York, Georgia and Texas have generally accepted the “hack” interpretation of the crime coverage offered by insurers, and upheld denials of coverage by crime carriers for Social Engineering losses.
On July 21st, in a widely anticipated decision, a federal court applying New York law broke with these prior cases and found coverage under the Computer Fraud provision of a Chubb crime policy for a Social Engineering loss. The court held that Medidata Solutions was entitled to coverage for an email “spoofing” scam. (In a spoofing scam, the fraudster masks its identity by using a fake email address that includes a computer-coded mask, making the source of the email appear legitimate.) The court determined that transmission of the masked email qualified as a wrongful entry into the insured’s computer system.
This case is an important development in the law controlling coverage for Social Engineering losses. Note that the court did not clearly indicate how it would have held in other classic Social Engineering scenarios where the email address is not “masked,” but is simply spelled differently or otherwise camouflaged using less sophisticated means. Nonetheless, this decision is meaningful because it is the second instance in the past several years where a court found coverage under a crime policy for a Social Engineering loss.