Losses arising from email scams are usually covered, if at all, under a company’s crime policy. But a recent decision from The District Court in Minnesota suggests that recourse may also be found under an insured’s cyber or business interruption coverage. Importantly, the decision suggests that a “data breach” triggering cyber coverage may occur where a bad actor infiltrates and manipulates an insured’s email system.
In Fishbowl Sols., Inc. v. Hanover Ins. Co., 2022 U.S. Dist. LEXIS 200210 (D. Minn. Nov. 3, 2022), a bad actor gained unauthorized access to the email account of Fishbowl’s senior staff accountant, Wendy Williams. The bad actor then created multiple “rules” within Williams’ account that interfered with proper receipt of incoming emails.
Those rules also redirected emails with the words “invoice,” “wire transfer” or “payment” to an email account controlled by the bad actor. Another rule diverted emails from Williams’ inbox to a subfolder and marked them as read. The rules impacted Williams’ ability to communicate with certain Fishbowl clients. In addition, the bad actor sent emails to and from Williams’ account, at times impersonating her and at times impersonating Fishbowl clients.
While those rules were in place, Fishbowl issued two invoices to its customer Federated. Following the issuance of those invoices, the bad actor, impersonating Williams, emailed Federated and stated that Fishbowl had recently changed banks. The email directed Federal to make its payments to a bank account controlled by the bad actor.
Believing that the email was from Williams, Federated made payment to the account controlled by the bad actor. When Williams reached out to Federated to confirm payment of the invoices, the bad actor, now impersonating Federated, responded by saying that payment had been initiated and would appear in Fishbowl’s account. In fact, Federated had sent the payments to the bad actor’s account, resulting in a loss to Fishbowl of around $180,000.
Fishbowl’s insurer Hanover issued a policy which contained a “Cyber Business Interruption and Extra Expense” clause which provided as follows:
“We will pay actual loss of ‘business income’ and additional ‘extra expense’ incurred by you during the ‘period of restoration’ directly resulting from a ‘data breach,’ which is first discovered during the ‘policy period’ and which results in an actual impairment or denial of service of ‘business operations’ during the ‘policy period’.”
This language contains elements of both cyber coverage (“data breach”) and business interruption coverage (loss of “business income …during the period of restoration”). As such, some of the court’s determinations are relevant to both forms of coverage.
After Hanover denied Fishbowl's claim, Fishbowl sued. Both Fishbowl and Hanover filed cross motions for summary judgment. Finding coverage for Fishbowl’s loss under the foregoing policy language, the Court granted Fishbowl’s motion and denied Hanover’s motion.
At the threshold, Hanover did not dispute that the infiltration and manipulation of a Fishbowl’s email system was a “data breach.” This itself is notable because data breaches are normally understood as an instance in which cyber attackers gain access to personal information that is stored on a database. See, e.g., In Re Anthem, Inc. Data Breach Litig., 2018 U.S. Dist LEXIS 140137 (N.D. Cal. 2018). Nevertheless, and while the decision does not disclose how the policy defined “data breach,” the fact that this “spoofing” incident triggered coverage suggests that practitioners ought to look to their clients’ cyber coverages in seeking reimbursement for losses arising from email scams.
As revealed in the summary judgment briefing, the core disputes between Fishbowl and Hanover had to do with policy terms that frequently arise in business interruption coverage – whether the disruption of customer payments representing already completed work constituted “business income;” and whether the bad actor’s interference in the payment of Fishbowl’s invoices constituted the impairment of Fishbowl’s “business operations.”
As to the first issue, Hanover argued that as used in the context of business interruption policies, the term “business income” typically means forward looking income-generating activity that would have occurred but for the “interruption” event. See, e.g., Nat’l Union Fire Ins. Co. of Pittsburgh v. Transcanada Energy USA, Inc., 52 Misc. 3d 455 (N.Y. Sup. Ct. 2016). Hanover further argued that because payment on the Fishbowl invoices represented money already earned, rather than money that would have been earned, Fishbowl did not suffer a loss of “business income.” The Court rejected Hanover’s position on this point.
Similarly, the Court rejected Hanover’s position that the bad actor’s interference in Fishbowl’s collection of payments on its invoices constituted an “impairment” of its “business operations.” The Court noted that the policy’s use of the word “impairment” distinguished the case from those instances where the complete suspension of an insured’s business was required to trigger coverage. See, e.g., Buxbaum vs. Aetna Life and Casualty Company, 103 Cal. App. 4th 434 (2002) (complete suspension of all business operations was required for business interruption coverage to be triggered). The Court concluded that the use of the word “impairment” rather than “interruption” demonstrated that the pertinent clause in the policy “grants coverage when a business suffers something less than a total suspension of operations.” Id. at *27.
Finally, Hanover argued that because Fishbowl was allegedly negligent in failing to notice warning signs in the fraudulent emails and the charged payment instructions, the loss was not “directly resulting” from the data breach. Id. at *19. Importantly, this argument echoes similarly unsuccessful arguments about direct causation frequently made by insurers where a loss from an email scam is asserted under a crime policy. See, e.g., Am. Tooling Center, Inc. v. Travelers Cas. & Sun Co. of Am., 895 F.3d 455 (6th Cir. 20180 (“direct loss” requirement satisfied); Ernst & Haas Mgmt. Co. v. Hiscox, Inc., 23 F. 4th 1195 (9th Cir. 2022) (finding that the loss “result[ed] directly” from the email scam). While the Court in Fishbowl did not cite to the foregoing cases in rejecting Hanover’s causation argument, it found that because Fishbowl’s loss would not have occurred without the bad actor accessing Ms. Williams’s email and sending fraudulent communications, Fishbowl’s loss “directly result[ed] from” the data breach. Id. At *23.
This article was originally published in the Daily Journal.
- Partner
Peter S. Selvin, Chair of ECJ's Insurance Coverage and Recovery Department, is a business trial lawyer with more than 30 years of experience. While he specializes in the areas of insurance coverage and international litigation, his ...
Subscribe
Recent Posts
- “Prejudice” No Longer an Element to Determine Waiver of Right to Compel Arbitration | By: Jared W. Slater
- California Minimum Wage Increases for 2025 | By: Kelly O. Scott
- New Law Prohibits Discrimination on the Basis of Possessing a Driver's License | By: Tanner Hosfield
- LA City Council Approves $30 Minimum Wage for Hotel and LAX Workers | By: Pooja Nair
- New Law Mandates That Employees Can No Longer Be Required to Use Vacation Before Receiving Paid Family Leave Benefits | By: Tanner Hosfield
- Employer Alert: New Whistleblower Poster Required | By: Joanne Warriner
- New Law Expands Posting Requirements Regarding Workers’ Compensation Rights | By: Cate A. Veeneman
- Entertainment Vendors Must Certify Safety Training for Employees By: Jared W. Slater
- California Employers Prohibited from Mandatory Religious or Political Meetings | By: Jared W. Slater
- California Expands Reach Of Crown Act to Prevent Discrimination Based On Natural and Protective Hairstyles | By: Cate A. Veeneman
Blogs
Contributors
Archives
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- March 2019
- February 2019
- January 2019
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014