Hanover's denial of Fishbowl claim goes belly up
Hanover did not dispute that Fishbowl had been the victim of a data breach, but claimed that the client had been negligent.
The federal district court for the District of Minnesota recently granted summary judgment in favor of Fishbowl Solutions, Inc. against Hanover Insurance Company for coverage of two fraudulent invoice payments. The case is called Fishbowl Sols., Inc. v. Hanover Ins. Co., 2022 U.S. Dist. LEXIS 200210 (D. Minn. 2022).
Facts
Fishbowl Solutions provides technological consulting and software development services for its clients and sends invoices, which may be paid via check, debit card, or wire transfer, when work is completed. In November 2019, an unknown bad actor implemented certain “rules” on the email account of Fishbowl’s senior staff accountant. These rules diverted emails that used payment-related keywords–invoice, wire transfer, and payment, for example–to an unaffiliated email account that the bad actor subsequently used to impersonate both Fishbowl clients and the senior staff accountant. The bad actor then diverted two invoices, from the same Fishbowl client, worth nearly $177,000 to an account under the bad actor’s control. The client was able to recover roughly $29,000 of the payment, but not the remaining funds.
Hanover had written a “Technology Professional Liability Policy” (TPL) for Fishbowl, with a policy period from July 17, 2019 to July 17, 2020. Fishbowl submitted a claim for the diverted invoices under the “Cyber Business Interruption and Extra Expense Clause” in its Hanover policy, which stated: “We will pay actual loss of business income and additional extra expense incurred by you during the period of restoration directly resulting from a data breach which is first discovered during the policy period and which results in an actual impairment or denial of service of business operations during the policy period.” (Quoting the TPL, internal quotes omitted). Hanover denied the claim. Fishbowl filed suit in March 2021, alleging breach of contract and requesting a declaratory judgment for coverage. Both Hanover and Fishbowl moved for summary judgment, arguing over the interpretation of the TPL policy’s cyber interruption clause.
Hanover’s arguments
Hanover maintained that Fishbowl had not actually lost any business income for two reasons: first, that “business operations” applied to revenue-generating activities, not client communications and billing, and second, that Fishbowl’s accrual accounting methods meant they were seeking indemnity not for money it would have earned (“incurred”), but for money that would have been received but for the bad actor. The policy definition of “business operations” made no reference to “revenue-generating activities,” but Hanover pointed to multiple places in the policy itself that allegedly connected the two. The court firmly refused to make this leap, because doing so would have added a term to an established definition, which is impermissible when interpreting a contract of insurance. The court also said Fishbowl’s accounting methods did not matter when interpreting the TPL policy. There was no evidence, either in the policy or otherwise, that Fishbowl’s accounting methods were determinative of “earned funds.”
In the same vein, Hanover contended that Fishbowl’s revenue-generating activities had not been “impaired” because Fishbowl continued to run its regular business while the bad actor was diverting payments. Fishbowl continued to communicate with the client, Hanover said; the bad actor was simply an additional communicator, albeit a fraudulent one. The court disagreed. The bad actor had interfered to the point where the owner of the stolen email address could communicate with clients in an effective, efficient manner.
Hanover did not dispute that Fishbowl had been the victim of a data breach. However, it claimed that the client had been negligent, which was a break in the chain of causation between the data breach and the loss. The court again disagreed. When Hanover contended that the client should have called about the payments, rather than email, the court pointed to an explicit statement in the client’s contract with Fishbowl that allowed questions via phone or email. Hanover said the client should have known something was wrong because one of the bad actor’s emails had multiple typos; the court agreed that the typos were obvious, but not so extraordinary as to cause suspicion.
When considering these facts within the scope of the policy, the judges for the District of Minnesota found both that Fishbowl’s loss was indeed covered by the TPL policy and that Hanover had breached the contract in denying coverage. Fishbowl’s motion for summary judgment was granted.
Editor’s note: Much of the language in this case was similar to other cases where it is an individual who sues an insurance carrier. Just because an insured is a corporation, as was the case here, does not mean the “reasonable expectations of the insured” are any different than those of an individual insured.