Fishbowl Solutions, Inc. v. Hanover Insurance Company, The
D. Minnesota11/3/2022
AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA Fishbowl Solutions, Inc., Case No. 21-cv-00794 (SRN/DJF) Plaintiff, v. ORDER ON DEFENDANTâS AND The Hanover Insurance Company, PLAINTIFFâS MOTIONS FOR SUMMARY JUDGMENT Defendant. Daniel A. Ellerbrock, Joseph A. Nilan, and Nicholas J. Sideras, Gregerson, Rosow, Johnson & Nilan, 100 Washington Avenue S., Ste. 1550, Minneapolis, MN 55401, for Plaintiff. Erica Ramsey, Robins Kaplan LLP, 140 N. Philips Avenue, Sioux Falls, SD, 57104; Rebecca Zadaka and Scott G. Johnson, Robins Kaplan LLP, 800 LaSalle Avenue, Ste. 2800, Minneapolis, MN 55402, for Defendant. SUSAN RICHARD NELSON, United States District Judge This matter is before the Court on Defendant The Hanover Insurance Companyâs (âHanoverâ) Motion for Summary Judgment [Doc. No. 51] and Plaintiff Fishbowl Solutions, Inc.âs (âFishbowlâ) Motion for Summary Judgment [Doc. No. 57]. For the reasons set forth below, Plaintiffâs Motion is granted and Defendantâs Motion is denied. I. BACKGROUND A. Fishbowlâs Operations and Email Breach Fishbowl is a technical consulting and software development company. (Nilan Aff. [Doc. No. 60], Ex. 1 (Gruidl Dep. Tr.) at 11:21â12:1.) When projects are completed, Fishbowlâs Accounting Department generates and sends its clients an invoice for the work performed via email. (Id. at 14:12â23.) Fishbowlâs clients can pay through check, debit card, or ACH deposit (wire transfer). (Id. at 16:5â6.) In November 2019, an unknown bad actor gained unauthorized access to the email account of Fishbowlâs Senior Staff Accountant, Wendy Williams. (Id. at 15:6â13, 32:1â 12.) The bad actor created multiple ârulesâ within Ms. Williamsâ account that interfered with the proper receipt of incoming emails. (Id. at 33:16â34:25.) Among them, one rule redirected incoming emails with keywords such as âinvoice,â âwire transfer,â or âpaymentâ to an email account unaffiliated with Fishbowl. (Id.) Another rule diverted emails from Ms. Williamsâ inbox to a subfolder and marked them as read. (Id. at 38:2â16.) The rules impacted Ms. Williamsâ ability to communicate with certain Fishbowl clients. (Nilan Aff., Ex. 2 (Maschino Dep. Tr.) at 122:21â124:3.) In addition, the bad actor sent emails to and from Ms. Williamsâ account, at times impersonating her and at times impersonating Fishbowlâs clients. (Gruidl Dep. Tr. at 37:17â22, 42:1â22.) Fishbowl issued two invoices (the âInvoicesâ) to its client Federated Insurance (âFederatedâ) while these rules were in place. (Gruidl Dep. Tr. at 21:15â23:4; Johnson Decl. [Doc. No. 54], Exs. C (Nov. 13, 2019 Invoice), D (Dec. 18, 2019 Invoice).) The first, issued on November 13, invoiced Federated $137,000 for its services; the second, issued on December 18, invoiced Federated an additional $39,962. (Gruidl Dep. Tr. at 21:15â 24:4; Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice.) On December 11, the bad actor emailed Federated, posing as Ms. Williams, and wrote that Fishbowl had ârecently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.â (Johnson Decl., Ex. G (Fishbowl- Federated Email Chain) at Fishbowl_000453.) The bad actor requested confirmation as to when Federated would pay the first invoice âso we can forward our new bank account details.â (Id.) The next day, Federated responded that it had sent the payment. (Id. at Fishbowl_000452â53; Gruidl Dep. Tr. at 42:23â43:5.) Because the payment never arrived in Fishbowlâs account, Ms. Williams reached out to Federated on December 16 to confirm the payment. (Fishbowl-Federated Email Chain at Fishbowl_000451â52; Gruidl Dep. Tr. at 43:15â20.) The bad actor, posing as Federated, responded on December 17 saying that payment had been initiated and would appear in Fishbowlâs account on December 18. (Gruidl Dep. Tr. at 44:3â13.) In fact, Federated had sent its payment to an account controlled by the bad actor. (Id. at 43:21â23.) On December 18, after receiving a message from its bank, Federated reached out to Fishbowl to confirm the correct routing number for the payments. (Fishbowl-Federated Email Chain at Fishbowl_000451.) Later that day, the bad actor, posing as Ms. Williams, intercepted the email and responded confirming the fraudulent routing number. (Id. at Fishbowl_000450.) Federated remitted payment for the second invoice to the same fraudulent account around December 23. (Gruidl Dep. Tr. at 45:5â12, 61:23â62:9.) In total, Federated sent the bad actor the full balance of the two invoices: $176,962. (Id. at 45:5â 12.) Fishbowl discovered the bad actorâs conduct on January 17, 2020. (Id. at 44:14â21.) With assistance from the United States Secret Service, Federated recovered $29,077.79 and remitted it to Fishbowl. (Id. at 27:1â9.) The remaining $147,926.21 has not been recovered. (Compl. [Doc. No. 1] ¶ 26). B. Fishbowlâs Insurance Claim Hanover insured Fishbowl under a Technology Professional Liability Policy (âTPL Policyâ) for the period of July 17, 2019 to July 17, 2020. (Nilan Aff., Ex. 4 (TPL Policy).) The TPL Policy incorporates a Data Breach Coverage Form, which includes a âCyber Business Interruption and Extra Expenseâ clause (the âClauseâ). (Id. at HAN0000572â73.) The Clause provides: We will pay actual loss of âbusiness incomeâ and additional âextra expenseâ incurred by you during the âperiod of restorationâ directly resulting from a âdata breachâ which is first discovered during the âpolicy periodâ and which results in an actual impairment or denial of service of âbusiness operationsâ during the âpolicy periodâ. (Id. at HAN0000573.) Fishbowl submitted a claim to Hanover on January 20, 2020, seeking coverage under the Clause for the money lost to the bad actor. (Nilan Aff., Ex. 3 (Hanover Admissions) at 2.) Hanover denied Fishbowlâs claim for coverage on November 19, 2020. (Johnson Decl., Ex. F (Nov. 19, 2020 Letter).) C. This Lawsuit Fishbowl initiated this action on March 24, 2021, alleging that Hanoverâs denial of coverage breached the TPL Policy. (Compl. ¶ 71â76.) Fishbowl seeks a declaratory judgment that its loss is covered under the Clause as well as damages for the unrecovered amount that Federated paid, $147,926.21, plus attorneyâs fees and prejudgment interest. (Id. ¶ 71â81.) Both parties move for summary judgment. The underlying facts of this case are not in dispute; rather, the parties debate the correct legal interpretation of the Clause. Hanover argues that, as a matter of law, the Clause does not provide coverage for the loss occasioned by the bad actorâs conduct; Fishbowl argues that it does provide coverage as a matter of law. II. STANDARD OF REVIEW Summary judgment is appropriate if âthe movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.â Fed. R. Civ. P. 56(a). âA fact is âmaterialâ if it may affect the outcome of the lawsuit.â TCF Natâl Bank v. Mkt. Intelligence, Inc., 812 F.3d 701, 707 (8th Cir. 2016). And a factual dispute is âgenuineâ only if âthe evidence is such that a reasonable jury could return a verdict for the nonmoving party.â Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). In evaluating a motion for summary judgment, the Court must view the evidence and any reasonable inferences drawn from the evidence in the light most favorable to the nonmoving party. Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). Although the moving party bears the burden of establishing the lack of a genuine issue of fact, the party opposing summary judgment may not ârest on mere allegations or denials but must demonstrate on the record the existence of specific facts which create a genuine issue for trial.â Krenik v. Cnty. of Le Sueur, 47 F.3d 953, 957 (8th Cir. 1995) (internal quotation marks omitted); see Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). Moreover, summary judgment is properly entered âagainst a party who fails to make a showing sufficient to establish the existence of an element essential to that partyâs case, and on which that party will bear the burden of proof at trial.â Celotex Corp., 477 U.S. at 322. III. DISCUSSION Fishbowl argues that, consistent with the definitions in the Data Breach Coverage Form and the plain meaning of the TPL Policy language, this loss should be covered under the Clause. (Pl.âs Mem. [Doc. No. 59] at 10â17.) Hanover disagrees, arguing that Fishbowlâs interpretation of the Clause contradicts the overall purpose of the TPL Policy and renders other provisions meaningless. (Def.âs Mem. [Doc. No. 53] at 9â26.) State law determines the interpretation of insurance policies. Natâl Union Fire Ins. Co. of Pittsburg v. Terra Indus., Inc., 346 F.3d 1160, 1164 (8th Cir. 2003). In Minnesota, the interpretation of an insurance policy is a question of law governed by general contract interpretation principles. Travelers Indem. Co. v. Bloomington Steel & Supply Co., 718 N.W.2d 888, 894â95 (Minn. 2006). The goal is to âascertain and give effect to the intentions of the parties as reflected in the terms of the policy.â Kingâs Cove Marina, LLC v. Lambert Com. Constr., LLC, 958 N.W.2d 310, 316 (Minn. 2021) (citation omitted). The policy must be construed as a whole, and if possible, to give effect to all provisions. Id.; Midwest Fam. Mut. Ins. Co. v. Wolters, 831 N.W.2d 628, 636 (Minn. 2013). Moreover, policies must be construed âaccording to the terms the parties have used.â Dairyland Ins. Co. v. Implement Dealers Ins. Co., 199 N.W.2d 806, 811 (Minn. 1972). When terms or phrases are not specifically defined, they are given their âplain, ordinary, and popular meaning.â Mattson Ridge, LLC v. Clear Rock Title, LLP, 842 N.W.2d 622, 632 (Minn. 2012). âBecause most insurance policies are preprinted forms drafted solely by insurance companiesâbasically contracts of adhesionâpolicy words of inclusion will be broadly construed, and words of exclusion are narrowly considered.â Gen. Cas. Co. of Wis. v. Wozniak Travel, Inc., 762 N.W.2d 572, 575 (Minn. 2009). Though the insured bears the burden of demonstrating coverage, ambiguous language is generally resolved in the insuredâs favor. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. Language is ambiguous if it is susceptible to more than one reasonable interpretation, âas determined from the viewpoint of a layperson, not a lawyer.â Mut. Serv. Cas. Ins. Co. v. Wilson Twp., 603 N.W.2d 151, 153 (Minn. Ct. App. 1999). However, courts must not âread an ambiguity into the plain language of a policy in order to provide coverage.â Farkas v. Hartford Accident & Indem. Co., 173 N.W.2d 21, 24 (Minn. 1969) (citations omitted). âThe language must be considered within its context, and with common sense.â Mut. Serv. Cas. Ins. Co., 603 N.W.2d at 153. A. Terms of the Clause The Cyber Business Interruption and Extra Expense Clause requires Fishbowl to demonstrate: 1) an actual loss of âbusiness income;â 2) which occurred during the âperiod of restoration;â 3) directly resulting from a âdata breach;â 4) that it discovered during the âpolicy period;â and 5) which resulted in an actual impairment or denial of service of âbusiness operationsâ during the âpolicy period.â (TPL Policy at HAN0000573.) It is undisputed that Fishbowl both experienced a âdata breachâ and that it was discovered during the âpolicy period.â (See July 19, 2022 Hrâg Tr. [Doc. No. 75] at 24:15â17; Nilan Aff., Ex. 5 (Cormier Dep. Tr.) at 59:2â17, 65:1â6.) 1. Actual Loss of âBusiness Incomeâ The Data Breach Coverage Form defines âbusiness incomeâ as: a. Net Income (Net Profit or Loss before income taxes) that would have been earned or incurred if there had been no impairment or denial of âbusiness operationsâ due to a covered âdata breachâ and b. Continuing normal operating expenses incurred, including payroll. (TPL Policy at HAN0000580.) Fishbowl argues that the money Federated paid to the bad actor constitutes âNet Income . . . that would have been earnedâ because sending invoices is part of its âbusiness operations.â (Pl.âs Mem. at 11â12.) Hanover argues that there was no loss of âbusiness incomeâ on two related grounds: first, because âbusiness operationsâ only refers to income- generating activities, and invoicing clients does not generate income for Fishbowl; and second, because Fishbowl seeks recovery of money already earned, rather than money that âwould have been earned.â (Def.âs Mem. at 11â17, 20â21.) a. âBusiness Operationsâ The Data Breach Coverage Form defines âbusiness operationsâ as an insuredâs âusual and regular business activities.â (TPL Policy at HAN0000580.) Hanover urges the Court to ignore this definition, pointing to the phrase âbusiness operationsâ in other provisions of the TPL Policy that purportedly restrict its meaning to only âincome- generatingâ business activities. (Def.âs Mem. at 11â17.) Specifically, Hanover highlights the Clause itself, the definition of âbusiness income,â the definition of âExtra Expense,â the definition of âPeriod of Restoration,â and the Cyber Business Interruption Waiting Period Deductible (âWaiting Period Deductibleâ). (Id.) Hanover highlights the Waiting Period Deductible, to which losses payable under the Clause are subject. (Def.âs Mem. at 15â16; TPL Policy at HAN0000576.) Because the Data Breach Coverage Form Schedule defines the Waiting Period Deductible as 24 hours, Hanover contends that the âfirst 24 hours of the income lost because of the interruption of the insuredâs income-generating activitiesâ must be deducted from any claim. (Def.âs Mem. at 16; TPL Policy at HAN0000572.) Separately, Hanover asserts that finding coverage here would render the Waiting Period Deductible meaningless because Fishbowl does not identify any losses experienced within the first 24 hours to deduct from its claim. (Def.âs Mem. at 18â19; Def.âs Reply [Doc. No. 70] at 12â13.) For its part, Fishbowl argues that Hanoverâs interpretation leads to an absurd result: a policy under which the insured must sustain a loss within the first 24 hours, otherwise coverage is never triggered. (Pl.âs Reply [Doc. No. 71] at 16â17.) The TPL Policy does not define âWaiting Period Deductible.â Hanover argues that the ordinary meaning of âdeductibleâ is âa monetary amount that is borne by the insured and deducted from any payment by the insurer.â (Def.âs Reply at 12 (citing Glossary of Insurance and Risk Management Terms 92 (13th ed. 2016) and Blackâs Law Dictionary 501 (10th ed. 2014)).) For the generic phrase, âwaiting period deductible,â Hanover offers the following definition: â[a] deductible provision sometimes used in business interruption (BI) and other time element policies, in lieu of a dollar amount deductible, that establishes that the insurer is not responsible for loss suffered during a specified period (such as 72 hours) immediately following a direct damage loss.â (Def.âs Mem. at 16 (quoting Glossary of Insurance and Risk Management Terms 320 (13th ed. 2016)).) Minnesota courts have described a âdeductibleâ as âexempt[ing] the insurer from paying a specified amount in the event of a claim.â Minn. Teamsters Pub. & L. Enfât Emps. Union, Loc. 320 v. Cnty. of St. Louis, 726 N.W.2d 843, 846 n.1 (Minn. Ct. App. 2007) (quoting The American Heritage College Dictionary 369 (4th ed. 2002)); see also City of Owatonna v. Rare Aircraft, Ltd., No. A08-1642, 2009 WL 1684479, at *2 (Minn. Ct. App. June 16, 2009) (quoting the same definition). This definition aligns with Hanoverâs suggested ordinary meaning for âdeductibleâ and demonstrates that it has provided a reasonable interpretation of the term. However, the TPL Policy contains a âwaiting periodâ deductible, which, as Hanoverâs own definition of âwaiting period deductibleâ underscores, focuses on deducting an amount of time rather than money. (TPL Policy at HAN0000572.) Moreover, the variety of data breaches covered by the Clause makes it plausible that an insured could experience an impairment of âbusiness operations,â unrelated to income generation, that does not result in any losses within the first 24 hours. (TPL Policy at HAN0000580 (defining seven types of data breach).) For instance, one type of âdata breachâ covered is the âloss, theft, accidental release, or accidental publication of âprivate personal dataâ entrusted to [the insured] as respects one or more âpotentially-identified personsââ that could âreasonably result in the fraudulent use of such information.â (Id.)1 1 âPrivate personal dataâ is defined as a natural personâs first and last name in combination with other variables, such as a financial account number, credit card numbers, The definition does not restrict this type of data breach to the theft of âprivate personal dataâ related to an insuredâs clients: âpotentially-identified personsâ includes employees. (Id. at HAN0000582.) In other words, the Clause covers losses from the theft of such data regardless of whether it pertains to an income-generating activity or is merely being stored by the insured as part of an employeeâs personnel file. In addition, losses might not accrue from the theft of âprivate personal dataâ (like a financial account number) within the first 24 hours; to conceal the breach, the thief may not use the data for weeks. Yet the Clause covers impairment from such data breaches, too. Although in such circumstances the Waiting Period Deductible would be $0, an undesirable outcome for Hanover, that does not render the provision meaningless. The data breaches covered suggest that Fishbowlâs interpretation of âWaiting Period Deductibleâ is as equally reasonable as Hanoverâs. Faced with two reasonable interpretations, the Court must construe âWaiting Period Deductibleâ in Fishbowlâs favor. Gen. Cas. Co. of Wis., 762 N.W.2d at 575 (âIf undefined terms are reasonably susceptible to more than one interpretation, the terms must be interpreted liberally in favor of finding coverage.â). The Court finds that the Waiting Period Deductible does not constrain âbusiness operationsâ to income-generating activities only. Finally, because the Court must construe the TPL Policy âaccording to the terms the parties have used,â it cannot insert âincome-generatingâ into the TPL Policyâs definition or employment information, âwhich is intended to be accessible only by natural persons or entities you have specifically authorized to have such access.â (TPL Policy at HAN0000582.) of âbusiness operations.â Dairyland Ins. Co., 199 N.W.2d at 811; see also Telex Corp. v. Data Products Corp., 135 N.W.2d 681, 687 (Minn. 1965) (âIt is not ordinarily the function of courts to rewrite, modify, or set aside contract provisions fully considered and agreed upon between the parties.â). Insurance policies âare contracts of adhesion between parties not equally situated.â Canadian Universal Ins. Co., Ltd. v. Fire Watch, Inc., 258 N.W.2d 570, 574â75 (Minn. 1977). If Hanover wanted to restrict âbusiness operationsâ to include only the âincome-generatingâ subset of Fishbowlâs âusual and regular business activities,â it had the responsibility as drafter to write the governing contractual definition accordingly. Thus, while âusual and regular business activitiesâ may be broad, the phrase is not ambiguous.2 â[A] reasonable person in the position of the insured would have understood [usual and regular business activities] to meanâ all business activities performed with a certain frequency and consistency. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. The definition of âbusiness operationsâ makes no distinction based on the type of business activity. Fishbowl communicates with its clients daily and sends them invoices for every project it completes. (Gruidl Dep. Tr. at 14:12â15:13.) Fishbowlâs practices fit the broad description of âusual and regular business activities.â Therefore, the Court finds that the definition of âbusiness operationsâ encompasses Fishbowlâs communication with, and invoicing of, its clients. 2 Neither party argues that âusual and regular business activitiesâ is ambiguous, perhaps because the ordinary meaning of these terms is plain enough. b. âWould Have Been Earnedâ Hanoverâs second ground for arguing that Fishbowl did not suffer a loss of âbusiness incomeâ focuses on the phrase âwould have been earnedâ in the âNet Incomeâ portion of the âbusiness incomeâ definition. (Def.âs Mem. at 20â21.) Hanover contends that because Fishbowl uses an accrual accounting system, âincome is âearnedâ when Fishbowl performs the work and issues an invoice, not when it receives payment on invoices.â (Id. at 20.) Consequently, Hanover submits, Fishbowl is seeking money that it would have âreceived,â not âearned,â but for the conduct of the bad actor. (Id.) Fishbowlâs accounting method is not relevant to the terms of the TPL Policy. Coverage provisions must be construed based on the expectations of the insured. Travelers Indem. Co., 718 N.W.2d at 894. No language in the TPL Policy, or any other evidence in the record, demonstrates that the parties intended to define âearnedâ based on the insuredâs method of accounting. Additionally, âearnâ does not have as narrow a definition as Hanover argues. See, e.g., Oxford English Dictionary Online, https://www.oed.com/view/Entry/58995? rskey=irgH0j&result=3#eid (last visited Oct. 27, 2022) (defining âearnâ as âto receive or be entitled to (money . . .) through work or another activityâ). This definition supports finding that Fishbowl âwould have [] earnedâ the income from Federated because it would have received, or at minimum would have been entitled to, Federatedâs payments if there had been no data breach. Most importantly, Hanoverâs Property Claims Director, Jason Cormier, admitted that Fishbowl sustained an âactual loss of business incomeâ under the TPL Policy. (Cormier Dep. Tr. at 57:3â17 (âQ: So you would agree that there is an actual loss of business income, correct? A: Yes.â).)3 Hanover attempts to undercut this admission by noting that Mr. Cormier had no knowledge of Fishbowlâs accounting methods and that, just prior to this question, Mr. Cormier described Fishbowlâs loss as âa loss of collections from a third party.â (Id. at 57:5; Def.âs Oppân [Doc. No. 69] at 21.) The fact remains that Mr. Cormier did not qualify his statement in any way and he is in the best position to opine as to whether this in fact was a loss of business income. The broad definition of âbusiness operationsâ and the ordinary meaning of âearnâ support finding that Fishbowl suffered an âactual loss of business income.â Fishbowl lost $147,926.21 that it âwould have earnedâ because it could not perform its âusual and regular business activitiesâ of emailing and invoicing its clients. The testimony of Hanoverâs corporate representative undermines its arguments to the contrary. As such, the Court finds that Fishbowl suffered an âactual loss of business incomeâ within the meaning of the TPL Policy as a matter of law. 2. âPeriod of Restorationâ As defined in the TPL Policy, the âPeriod of Restorationâ begins, â[f]or the loss of âBusiness Income,â after 24 hours or the number of hours shown as the Cyber Business Interruption Waiting Period Deductible in the SCHEDULE on this Coverage Forms [sic], 3 The portions of Mr. Cormierâs deposition included in the record reveal that Mr. Cormier worked at Hanover for six years as a claims adjuster before transitioning into a management role, and, in his current capacity as Property Claims Director, he oversaw the unit that assessed Fishbowlâs claim. (See Nilan Aff., Ex. 5 (Cormier Dep. Tr.) at 6:21â 9:25.) whichever is greater, immediately following the time the actual impairment or denial of âbusiness operationsâ first occurs.â4 (TPL Policy at HAN0000581.) The Period of Restoration ends either when ââbusiness operationsâ are restoredâ or 60 days after the impairment or denial of âbusiness operationsâ first occurs, whichever is earlier. (Id.) Fishbowl asserts that its loss occurred within the defined âPeriod of Restorationâ because the bad actor gained access to Ms. Williamsâ account in November 2019 and Federated made its erroneous payments in December 2019. (Pl.âs Mem. at 12â13.) That is, Fishbowl experienced the loss more than 24 hours after the initial unauthorized access and before the end of the sixty-day period. (Id.) Hanover does not directly contest the timing of the alleged Period of Restoration. Instead, Hanover argues that there was no loss of âbusiness incomeâ during the Period of Restoration because there was âno interruption in [Fishbowlâs] revenue-generating activities.â (Def.âs Oppân at 22.) As the Court finds that there was a loss of business income, it also finds that Fishbowl sustained its loss within the âPeriod of Restorationâ as defined by the TPL Policy. 3. âDirectly Resulting Fromâ Data Breach The parties do not dispute that Fishbowl suffered a data breach within the meaning of the TPL Policy. (July 19, 2022 Hrâg Tr. at 24:15â17; Cormier Dep. Tr. at 59:2â17.) The debate concerns whether Fishbowlâs loss âdirectlyâ resulted from the data breach. (TPL 4 The Cyber Business Interruption Waiting Period Deductible is 24 hours. (TPL Policy at HAN0000572.) Policy at HAN0000573 (emphasis added).) The TPL Policy does not define the phrase, âdirectly resulting.â Hanover contends that Fishbowlâs loss did not âdirectly result[]â from the conduct of the bad actor, but rather resulted from an âintervening agency or determining influenceâFederatedâs negligence and breach of contract.â (Def.âs Oppân at 26.) Hanover asserts that Federated breached its contract with Fishbowl because the contract requires that payment be directed to Fishbowlâs corporate offices. (Id. at 26â28; Johnson Decl., Ex. B (Fishbowl-Federated Contract) at 6.) Federated acted negligently, Hanover argues, by failing to notice warning signs in the fraudulent emails and the changed payment instructions. (Def.âs Oppân at 26â28.) Hanover notes that another Fishbowl client caught these warning signs and consequently did not pay the bad actor. (Id. at 26â27.) To support its interpretation, Hanover submits dictionary definitions for âdirectlyâ and âresulting.â (Def.âs Mem. at 23â24 (citing Websters Third New International Dictionary 641, 1937 (1993)).) In response, Fishbowl urges the Court to follow the Eighth Circuitâs interpretation of âloss resulting directly fromâ under Minnesota law in the context of a standardized financial institution bond. (Pl.âs Oppân [Doc. No. 67] at 21 (citing BancInsure, Inc. v. Highland Bank, 779 F.3d 565 (8th Cir. 2015)).) However, this Courtâs interpretation of âdirectly resulting fromâ is largely immaterial because Hanover cannot show that Federatedâs actions constitute an âintervening agencyâ as a matter of law.5 5 Hanover cites to two cases, Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915 (D. Nev. 2020) and JPMorgan Chase Bank, N.A. v. Freyberg, 171 F. Supp. 3d 178 (S.D.N.Y 2016), in support of its position. While these cases involve losses resulting from the interference of a bad actor, the similarities end there. Rather, these cases The factual record in this case is not sufficiently developed to determine that Federated breached its contract or acted negligently as a matter of law. Hanover asserts that Federatedâs contract with Fishbowl required it to remit payment to Fishbowlâs corporate offices. (Def.âs Mem. at 24.) Though it never says so explicitly, Hanover seems to suggest that the contract obligated Fishbowl to pay by check. (Id.) While the contract states that Federated âshall send payments to [Fishbowlâs corporate address],â it does not specify a payment method. (Fishbowl-Federated Contract at 6.) As Fishbowlâs representative testified, clients are permitted to pay by check, debit card, or wire transfer. (Gruidl Dep. Tr. at 16:5â6.) Additionally, the Invoices merely restate the same language found in the contract. (Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice.) Nothing in the contract, or in Fishbowl and Federatedâs course of performance or dealing, demonstrates that Federated breached its contract by not physically remitting payment to the corporate offices. As for negligence, Hanover contends that Federated should have called Fishbowl to verify the change in payment. (Def.âs Mem. at 24â25.) The Federated-Fishbowl contract does not require a phone call and the Invoices state that Federated can contact Fishbowl with questions via phone or email. (See Federated-Fishbowl Contract; Nov. 13, 2019 address legal claims unrelated to insurance contracts that are analyzed under the respective stateâs version of the Uniform Commercial Code. Jetcrete N. Am. LP, 484 F. Supp. 3d (analyzing claim of breach of contract for the sale of goods under Nevadaâs Uniform Commercial Code); Freyberg, 171 F. Supp. 3d (analyzing claims of breach of bank account contract and equitable estoppel under New Yorkâs Uniform Commercial Code). These cases, therefore, provide no support for Hanoverâs position that there is no coverage here. Invoice; Dec. 18, 2019 Invoice.) That Federated chose to reach out directly to Ms. Williams, rather than to Fishbowlâs general Accounting Department email account, does not demonstrate that it was negligent in doing so as a matter of law. Hanover further argues that Federated should have been alerted to the scam by âseveral grammatical errorsâ in one of the fraudulent emails from Ms. Williamsâ account. (Def.âs Mem. at 25.) The grammatical errors in question are indeed noticeable, but minor: one improper capitalization of âScheduledâ and one use of âsometimesâ instead of âsome time.â (Fishbowl-Federated Email Chain at Fishbowl_000453.) The typos are simply insufficient to establish that Federated acted negligently as a matter of law. And the Court cannot draw any inferences about Federatedâs behavior based on the fact that some of Fishbowlâs clients caught the scam before making payments. The record contains no evidence about the behavior of the bad actor or the responses of the clients in those transactions. In sum, Hanover speculates about Federatedâs conduct without testimony from Federated, without attempting to implead or join Federated to this action, and without a full evidentiary record. Given the paucity of evidence, the Court cannot rule as a matter of law that Federatedâs actions constituted an âintervening agency.â Because Fishbowlâs loss would not have occurred without the bad actor accessing Ms. Williamsâs email and sending fraudulent communications, the Court finds that Fishbowlâs loss âdirectly result[ed] fromâ the data breach. 4. Impairment of Business Operations Fishbowl argues that because the TPL Policy does not define âimpairment,â the Court must apply its ordinary meaning. (Pl.âs Mem. at 15â17 (providing definitions from Blackâs Law Dictionary (11th ed. 2019) and American Heritage Dictionary of the English Language 904 (3d ed. 2019)).) It contends that the rules imposed in Ms. Williamsâ email impaired Fishbowlâs business operations by preventing her from communicating with Fishbowlâs clients and by preventing Fishbowl from receiving payment for the work it had performed. (Id. at 16.) In response, Hanover asserts that there was no âimpairmentâ or interruption of Fishbowlâs âbusiness operationsâ because Fishbowl continued to conduct its income- generating activities (consulting, reselling software, selling maintenance contracts) while the bad actor accessed Fishbowlâs email system. (Def.âs Mem. at 17â18.) It agrees with Fishbowlâs definitions as to the ordinary meaning of the word âimpairment.â (Def.âs Oppân at 28.) Even so, Hanover argues that the data breach did not impair Fishbowlâs ability to communicate with or send invoices to Federated and âjust allowed a bad actor to also communicateâ with Federated. (Def.âs Reply at 16.) The definition of âimpairmentâ is relatively consistent across dictionaries. Compare Blackâs Law Dictionary (â[t]he quality, state, or condition of being damaged, weakened, or diminishedâ), with American Heritage Dictionary of the English Language 904 (defining âimpairâ as â[t]o cause to diminish as in strength, value, or qualityâ), and Oxford English Dictionary Online, https://www.oed.com/view/Entry/92049?rskey=aJerwP &result=3&isAdvanced=false#eid (last accessed Oct. 27, 2022) (defining âimpairâ as âto make worse, less valuable, or weakerâ). In essence, the ordinary meaning of impairment is an inability to function at full capacity. The Court finds that the ordinary meaning of âimpairmentâ is sufficiently broad to encompass the impact here of the bad actorâs interference with Ms. Williamsâ email. As Hanover rightly notes, after the breach, Ms. Williams retained the ability to communicate with and send invoices to Fishbowlâs clients; in fact, she sent Federated the Invoices while the bad actorâs rules were in place and even emailed Federated after the bad actor began to interfere with their communications. (Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice; Gruidl Dep. Tr. at 43:15â20.) But the bad actorâs interference meant that Ms. Williams could not reliably, at all times, communicate and send invoices. (Gruidl Dep. Tr. at 32:1â5, 33:22â 34:25, 36:3â7, 37:20â22, 38:2â19, 42:7â43:23; Maschino Dep. Tr. at 122:13â124:3.) The bad actor intercepted her emails before she could read them and sent out fraudulent emails impersonating her. (Gruidl Dep. Tr. 33:16â34:25, 38:2â19; Fishbowl-Federated Email Chain.) Hanoverâs representative agreed that âimpairmentâ does not require the business to cease functioning entirely and acknowledged that Fishbowlâs system had been âalteredâ by the bad actor. (Cormier Dep. Tr. at 66:15â22, 68:9â19.) While Fishbowlâs ability to communicate with its clients may not have been debilitatingly disrupted, it was certainly diminished. Accordingly, the Court finds that the bad actorâs data breach resulted in an âimpairmentâ to Fishbowlâs business operations. B. Purpose and Context of the TPL Policy Hanover argues that a finding of coverage here contradicts the overall purpose of the TPL Policy and of business interruption insurance. (Def.âs Mem. at 9â11.) The Court acknowledges that, historically, the purpose of business interruption insurance may have been to âprotect the prospective earnings of the insured business only to the extent that they would have been earned if no interruption occurred, not to exceed the per diem limits of the policy.â (Id. at 9 (quoting Metalmasters of Minneapolis, Inc. v. Liberty Mut. Ins. Co., 461 N.W.2d 496, 499â500 (Minn. Ct. App. 1990)).) In the cases cited by Hanover, manufacturing businesses invoked such insurance when their production was allegedly interrupted by physical accidents at their facilities. Metalmasters, 461 N.W.2d at 498 (describing flooding from a ruptured water pipe); Great N. Oil Co. v. St. Paul Fire & Marine Ins. Co., 227 N.W.2d 789, 791 (Minn. 1975) (describing a crane collapsing into a construction area). And the Court largely agrees with Hanover that Fishbowlâs attempt to distinguish the data breaches covered under the TPL Policy from coverage for physical destruction creates âa distinction without a difference.â (Def.âs Reply at 18.) In fact, the Court does not distinguish these cases based on the type of interruption that was experienced. However, a close reading of Metalmasters and Great N. Oil Co. reveals that they are distinguishable because of the specific language of the policies at issue. The contested provisions in these cases insured the plaintiff against losses from an âinterruptionâ of business. Metalmasters, 461 N.W.2d at 499 (insuring against âloss resulting from necessary interruptionâ) (emphasis added); Great N. Oil Co., 227 N.W.2d at 271 (insuring against losses âdirectly resulting from such interruption of businessâ) (emphasis added). Here, the Clause insures against losses from âactual impairment or denial of service.â (TPL Policy at HAN0000573.) Minnesota law instructs that â[w]here explicit language indicates a purpose different from that thought to be the main purpose of the agreement, the language must be given its obvious meaning and cannot be overruled.â Reliable Metal, Inc. v. Shakopee Valley Printing, Inc., 407 N.W.2d 684, 687 (Minn. Ct. App. 1987); see also Frauendorfer v. Meridian Sec. Ins. Co., No. 27-cv-15-20388, 2017 WL 1316110, at *3 (Minn. Ct. App. Apr. 10, 2017) (â[I]n contract law, even if it looks like a duck and quacks like a duck, it is not a duck if the parties sign an agreement that expressly says it is not.â). Thus, notwithstanding the general purpose of business interruption insurance, the Court must pay heed to the actual language of the TPL Policy. The use of âimpairmentâ rather than âinterruptionâ in the Clause itself demonstrates that the TPL Policy specifically grants coverage when a business suffers something less than a total suspension of operations. Moreover, although the Cyber Business Interruption and Extra Expense Clause contains âinterruptionâ in its title, the TPL Policy prohibits the Court from deriving meaning from this fact. The TPL Policy addresses the use of section titles under its âConditionsâ heading: â15. Section Titles. The titling of sections and paragraphs within this policy is for convenience only and shall not be interpreted as a term or condition of this policy.â (TPL Policy at HAN0000561.) Hanover argues that this provision has no effect here because it appears in the beginning of the TPL Policy, under the general âTechnology Professional Advantage Plusâ heading and not within the Data Breach Coverage Form. (Def.âs Reply at 16â17.) It argues that the Data Breach Coverage Form has its own âConditionsâ that do not contain a restriction on giving meaning to the section titles. (TPL Policy at HAN0000577â79.) The Court must construe the TPL Policy as a whole. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. The overall structure of the TPL Policy demonstrates that the âTechnology Professional Advantage Plusâ pages are the base of the TPL Policy, with the endorsements that follow modifying its terms. The Data Breach Coverage Form is prefaced by: âTHIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.â (TPL Policy at HAN0000572.) Every other form following the âTechnology Professional Advantage Plusâ pages contains the same warning. (TPL Policy at HAN0000567 (Exclusion â Electromagnetic Radiation), HAN0000568 (Exclusion â Fungi or Bacteria), HAN0000569 (Exclusion â Multiple Retroactive Date for âAnomaliesâ), HAN0000571 (Minnesota Amendatory Endorsement), HAN0000583 (Minnesota Changes â Data Breach Coverage Form).) The consistent use of this preface demonstrates that the provisions outlined in the âTechnology Professional Advantage Plusâ pages apply to the endorsements except as expressly modified by them. See also Frauendorfer, 2017 WL 1316110, at *2â3 (interpreting an identical endorsement preface to mean that the endorsement modifies the overall policy). Thus, the lack of an equivalent âSectionsâ provision among the âConditionsâ in the Data Breach Coverage Form does not prohibit the Court from applying the provision here. The Court finds that Fishbowlâs loss meets every element of the Cyber Business Interruption and Extra Expense Clause. Moreover, finding coverage here conforms to the type of business interruption contemplated by the explicit terms of the TPL Policy and gives effect to all its provisions.6 The TPL Policy therefore covers the loss. Accordingly, the Court grants summary judgment to Fishbowl on its claim that Hanover breached the TPL Policy by denying coverage under the Clause. IV. CONCLUSION Based on the submissions and the entire file and proceedings herein, IT IS HEREBY ORDERED that: 1. Plaintiffâs Motion for Summary Judgment [Doc. No. 57] is GRANTED as to all claims; 2. Defendantâs Motion for Summary Judgment [Doc. No. 51] is DENIED as to all claims; 3. The Court awards Fishbowl $147,926.21 in damages; 4. To the extent Fishbowl contends that it is entitled to prejudgment interest and/or attorneysâ fees, it must submit briefing no later than November 17, 2022 (no longer 6 Hanover also insists that the existence of insurance specifically covering invoice manipulation supports finding that the TPL Policy does not provide such coverage. (Def.âs Mem. at 21â23.) Hanover cites blog posts suggesting that invoice manipulation schemes are a growing problem inadequately addressed by most insurance policies. (Id.) Be that as it may, the TPL Policy lacks any reference to an exclusion for invoice manipulation coverage, making it improper to use the general availability of another type of coverage for interpretive purposes. Even if there were a question of ambiguity on this point, the Court construes insurance policy language in favor of coverage and reads exclusions narrowly. Kingâs Cove Marina, LLC, 958 N.W.2d at 316. The insurer has the burden of establishing the applicability of an exclusion. Id. Hanover admitted that it does not now offer Invoice Manipulation Coverage and did not offer it as of July 17, 2019, when Hanover issued the TPL Policy to Fishbowl. (Second Nilan Aff. [Doc. No. 68], Ex. 6 (Hanover Admissions 20â21).) Hanover also admitted that the TPL Policy does not expressly exclude Invoice Manipulation Coverage. (Id.) The Court therefore finds that Hanover has not carried its burden to establish that the TPL Policy excludes invoice manipulation coverage as a matter of law. than five pages) identifying the legal basis of that contention as well as a calculation as to any amounts owed. LET JUDGMENT BE ENTERED ACCORDINGLY. Dated: November 3, 2022 s/ Susan Ricard Nelson SUSAN RICHARD NELSON United States District Judge
Case Information
- Court
- D. Minnesota
- Decision Date
- November 3, 2022
- Status
- Precedential