How cyber risks can reshape business interruption coverage
Under Connecticut law, ‘actual impairment' could be interpreted to include the reallocation of resources following a cyberattack.
Though business interruption insurance coverage has existed for more than a century, the rise of cyber liability insurance policies has led courts to take another look at business interruption coverage as it intersects with this evolving industry.
In a recent example, the December 2022 decision of New England Systems, Inc. v. Citizens Insurance Company of America used the term “impairment” in the business interruption coverage section of a cyber-risk policy, to potentially broaden the scope of business interruption coverage well beyond its prior interpretations.
Business interruption coverage has existed at least since the turn of the 20th Century, when it was developed to cover lost earnings from the loss of use of covered buildings due to fires, and it later applied to other environmental conditions such as lightning strikes, earthquakes and explosions.
Standard commercial property policy forms now provide coverage for “actual loss of business income” sustained due to the “necessary suspension of your operations during the period of restoration,” caused by “direct physical loss of or damage to property.”
New York courts have consistently construed business interruption coverage provisions that use the standard “direct physical loss of or damage to” language narrowly, finding coverage only when there is physical damage or loss causing suspension of operations.
In New England Systems, Inc. v. Citizens Insurance Company of America, the U.S. Court of Appeals for the Second Circuit heard arguments relating to the availability of business interruption coverage, under a cyber-risk policy when the insured, an IT company, suffered a cyber breach related to encryption of its clients’ data.
The policyholder did not need to suspend its operations but only had to reallocate resources to combat the effects of this breach, rather than to its regular client services. The policy in New England Systems provided the following cyber business interruption coverage:
[Defendant] will pay actual loss of “business income” and additional “extra expense” incurred by [Plaintiff] during the “period of restoration” directly resulting from a “data breach” which is first discovered during the “policy period” and which results in an actual impairment or denial of service of “business operations” during the “policy period.”
The court denied summary judgment to the defendant-insurer, determining that under Connecticut law “actual impairment” an undefined term in the policy, could be interpreted to include this reallocation of resources.
The court noted that “the ordinary meaning of the term ‘impairment’… is broad enough to include the partial disruption or diminishment of an insured’s business activities.”
The court also noted, however, that a jury may determine that the losses associated with the reallocation of efforts were not covered, as the reallocation was a business decision by the insured, rather than a necessary response to the breach. It wrote that the insured’s position as an IT company was especially relevant to its decision, describing the circumstances of the case as presenting a “unique situation in which the steps an insured party took to remediate a data breach look similar to the work the insured party typically performs.”
The court also noted that the case is “unique because the plaintiff may have been independently responsible for remedying the effects of the data breach on its clients, even if the breach had originated from another source.”
The court in New England Systems was not faced with the standard language restricting coverage to physical loss, but instead centered its discussion on what constitutes “impairment.”
In all three instances, “impairment” was interpreted broadly, and insureds were found to have experienced impairment when, as illustrated by the referenced cases, the credit card processor for the insured required a “Case Management Fee” following a data breach, a bad actor utilized an employee’s email, and the insured had to reallocate resources to combat the effects of a cyber breach.
These cases generally stand for the proposition that “impairment” is a lower bar and requires less pause in work when compared to an “interruption.” Indeed, the court in Fishbowl wrote: “The use of ‘impairment’ rather than ‘interruption’ in the clause itself demonstrates that the TPL Policy specifically grants coverage when a business suffers something less than a total suspension of operations.”
Likewise, the court in New England Systems determined that a finding of impairment could be appropriate when a party was merely “unable to function at full capacity.”
There is no New York case law making such a distinction between business “interruption” and “impairment.” New York cases involving “impairment” have almost exclusively been decided along “physical damage” lines.
Though some cases have touched on specific types of impairment, such as impairment of ingress/egress, the courts in these cases have eschewed any discussion as to what constitutes “impairment,” and whether it is distinct from interruption. As a result, it is not clear that New York courts would reach the same determinations as those discussed above.
Given the relative dearth of case law in New York surrounding the application of business interruption coverage to cyber policies using the “impairment” language, New York courts may contemplate a multitude of factors in determining whether business interruption coverage is applicable under a scenario like that presented in New England Systems.
Parties should be aware of the individual language of policies, as well as the specific role of insureds. Insurers and insureds should make sure to retain competent insurance coverage legal counsel when dealing with these developing issues.
Eric B. Stern is a partner at Kaufman, Dolowich & Voluck. Jack Eyers is an associate at the firm. Both are members of the firm’s insurance coverage and data privacy & cybersecurity practice groups.
Opinions expressed here are the authors’ own.
Related: