Court Finds Business Interruption Coverage for Losses Resulting From Fraudulent Email Scheme
A Minnesota federal district court has held that a software company is entitled to coverage for losses related to diverted billing emails under its business interruption coverage, rejecting the insurer’s argument that the phrase “business operations” in the insuring clause referred only to income-generating activities. Fishbowl Solutions, Inc. v. Hanover Ins. Co., No. 21-cv-00794 (D. Minn. Nov. 3, 2022).
In November 2019, an unauthorized third party gained access to the email account of an employee in the company’s accounting department. The bad actor diverted incoming emails to an unaffiliated account, ultimately duping one of the company’s clients into paying two legitimate invoices to the imposter’s bank account. After the fraud was discovered, the client recovered some of the funds but was unable to recover nearly $148,000. The insured company sought coverage under its cyber business interruption coverage after the client refused to pay on the invoices. The insurer denied coverage, and coverage litigation ensued.
The coverage action focused on the applicability of the policy’s “Cyber Business Interruption and Extra Expense” insuring clause, which afforded coverage for the “loss of ‘business income’ . . . directly resulting from a ‘data breach’ . . . which results in an actual impairment or denial of service of ‘busines operations’ during the policy period.” The insurer argued that there was no loss of “business income” because “business operations” refers only to income-generating activities such as consulting and selling maintenance contracts, and that the act of communicating with and invoicing clients does not generate income. The court rejected this argument, finding that these practices fit the broad definition of “business operations” in the policy—i.e., “usual and regular business activities”—and that if the insurer had wanted to “restrict ‘business operations’ to include only the ‘income-generating’ subset of [the company]’s ‘usual and regular business activities,’ it had the responsibility as drafter to write the governing contractual definition accordingly.”
The insurer also argued that the breach did not result in an “actual impairment” of business operations because the company could still communicate with and invoice clients while the bad actor had access to the email account. The court distinguished the term “impairment” from “interruption” and found that while the company’s ability to communicate with clients may not have been “debilitatingly disrupted” or totally suspended, the breach did diminish the insured’s ability to communicate with clients, which it deemed to be an actual impairment.
Finally, the court dismissed the insurer’s attempt to deny coverage on the basis that invoice manipulation coverage exists in the marketplace. The court pointed to the absence of any invoice manipulation exclusion in the policy at issue, and held that it would be “improper to use the general availability of another type of coverage for interpretive purposes.” Accordingly, the court found that the loss satisfied the parameters of the insuring clause and granted summary judgment in favor of the company.