As previously reported, on November 3, 2022, the federal district court for Minnesota, applying Minnesota substantive law, ruled that an insured was entitled to coverage under a Cyber Business Interruption clause for money lost in a fraudulent wire transfer incident. Fishbowl Sols., Inc. v. Hanover Ins. Co., No. 21CV00794SRNDJF, 2022 WL 16699749 (D. Minn. Nov. 3, 2022).
In December 2019, Fishbowl, a technical consulting and software development company, lost approximately $148,000 in a fraudulent wire transfer incident. A month earlier, an unknown bad actor had gained unauthorized access to the email account of Fishbowl’s Senior Staff Accountant, Wendy Williams. The bad actor then sent emails to and from Ms. Williams’ account, at times impersonating her and at times impersonating Fishbowl’s clients. The bad actor also created “rules” within Ms. Williams’ account that interfered with the proper receipt of incoming emails, including one rule that redirected emails with keywords such as “invoice,” “wire transfer,” or “payment” to an email account unaffiliated with Fishbowl. The rules impacted Ms. Williams’ ability to communicate with certain Fishbowl clients.
While these rules were in place, Fishbowl issued two invoices totaling approximately $177,000 to one of its clients. The bad actor, posing as Ms. Williams, then emailed the client and provided it with fraudulent billing details. Relying on the fraudulent information, the client sent the full balance of the two invoices to what it thought was Fishbowl’s bank account. The account, in actuality, was controlled by the bad actor.
Fishbowl was able to recover some but not all of the diverted payments and submitted a claim for the lost funds under its Technology Professional Liability Policy (the TPL Policy). The insurer denied coverage and litigation ensued.
The court’s ruling
The TPL Policy contained a Data Breach Coverage Form with the following Cyber Business Interruption and Extra Expense clause:
We will pay actual loss of “business income” and additional “extra expense” incurred by you during the ‘period of restoration’ directly resulting from a “data breach” which is first discovered during the “policy period” and which results in an actual impairment or denial of service of ‘business operations’ during the “policy period”.
In granting Fishbowl’s motion for summary judgment, and denying the insurer’s motion, the court held that Fishbowl’s claim was covered by the clause.
The court found that the rules imposed in Ms. Williams’ email account amounted to an “impairment” of Fishbowl’s business operations, reasoning that, “[i]n essence, the ordinary meaning of impairment is an inability to function at full capacity.” It then stated:
The Court finds that the ordinary meaning of “impairment” is sufficiently broad to encompass the impact here of the bad actor’s interference with Ms. Williams’ email. . . . [A]fter the breach, Ms. Williams retained the ability to communicate with and send invoices to Fishbowl’s clients; in fact, she sent Federated the Invoices while the bad actor’s rules were in place and even emailed Federated after the bad actor began to interfere with their communications. . . . But the bad actor’s interference meant that Ms. Williams could not reliably, at all times, communicate and send invoices. . . . The bad actor intercepted her emails before she could read them and sent out fraudulent emails impersonating her. . . . Hanover’s representative agreed that “impairment” does not require the business to cease functioning entirely and acknowledged that Fishbowl’s system had been “altered” by the bad actor. . . . While Fishbowl’s ability to communicate with its clients may not have been debilitatingly disrupted, it was certainly diminished. Accordingly, the Court finds that the bad actor’s data breach resulted in an “impairment” to Fishbowl’s business operations.
The court rejected the insurer’s contention that a finding of coverage would contradict the overall purpose of the TPL Policy and business interruption insurance, noting the policy did not insure against loss resulting from a business interruption, but instead covered losses from an impairment or denial of service. The court also rejected the insurer’s argument, based on the alleged intervening negligence of Fishbowl and its customer, that the loss did not result directly from a data breach. Because the loss “would not have occurred without the bad actor accessing Ms. William’s email and sending fraudulent communications,” the court ruled that it directly resulted from the data breach.
Despite being labelled as a Cyber Business Interruption and Extra Expense clause, the triggering mechanism in the Fishbowl clause was an actual impairment or denial of service of business operations caused by a data breach. The clause did not expressly limit coverage to income loss caused by an interruption or failure of an insured computer system or network. Nevertheless, cyber insurers should review the business interruption provisions in their policies in light of the Fishbowl decision to ensure that the coverage is in line with the underwriters’ intent.