Opinion
21-cv-00794 (SRN/DJF)
11-03-2022
Daniel A. Ellerbrock, Joseph A. Nilan, and Nicholas J. Sideras, Gregerson, Rosow, Johnson & Nilan, for Plaintiff. Erica Ramsey, Robins Kaplan LLP, Rebecca Zadaka and Scott G. Johnson, Robins Kaplan LLP, for Defendant.
Daniel A. Ellerbrock, Joseph A. Nilan, and Nicholas J. Sideras, Gregerson, Rosow, Johnson & Nilan, for Plaintiff.
Erica Ramsey, Robins Kaplan LLP, Rebecca Zadaka and Scott G. Johnson, Robins Kaplan LLP, for Defendant.
ORDER ON DEFENDANT'S AND PLAINTIFF'S MOTIONS FOR SUMMARY JUDGMENT
SUSAN RICHARD NELSON, UNITED STATES DISTRICT JUDGE
This matter is before the Court on Defendant The Hanover Insurance Company's (“Hanover”) Motion for Summary Judgment [Doc. No. 51] and Plaintiff Fishbowl Solutions, Inc.'s (“Fishbowl”) Motion for Summary Judgment [Doc. No. 57]. For the reasons set forth below, Plaintiff's Motion is granted and Defendant's Motion is denied.
I. BACKGROUND
A. Fishbowl's Operations and Email Breach
Fishbowl is a technical consulting and software development company. (Nilan Aff. [Doc. No. 60], Ex. 1 (Gruidl Dep. Tr.) at 11:21-12:1.) When projects are completed, Fishbowl's Accounting Department generates and sends its clients an invoice for the work performed via email. (Id. at 14:12-23.) Fishbowl's clients can pay through check, debit card, or ACH deposit (wire transfer). (Id. at 16:5-6.)
In November 2019, an unknown bad actor gained unauthorized access to the email account of Fishbowl's Senior Staff Accountant, Wendy Williams. (Id. at 15:6-13, 32:112.) The bad actor created multiple “rules” within Ms. Williams' account that interfered with the proper receipt of incoming emails. (Id. at 33:16-34:25.) Among them, one rule redirected incoming emails with keywords such as “invoice,” “wire transfer,” or “payment” to an email account unaffiliated with Fishbowl. (Id.) Another rule diverted emails from Ms. Williams' inbox to a subfolder and marked them as read. (Id. at 38:2-16.) The rules impacted Ms. Williams' ability to communicate with certain Fishbowl clients. (Nilan Aff., Ex. 2 (Maschino Dep. Tr.) at 122:21-124:3.) In addition, the bad actor sent emails to and from Ms. Williams' account, at times impersonating her and at times impersonating Fishbowl's clients. (Gruidl Dep. Tr. at 37:17-22, 42:1-22.)
Fishbowl issued two invoices (the “Invoices”) to its client Federated Insurance (“Federated”) while these rules were in place. (Gruidl Dep. Tr. at 21:15-23:4; Johnson Decl. [Doc. No. 54], Exs. C (Nov. 13, 2019 Invoice), D (Dec. 18, 2019 Invoice).) The first, issued on November 13, invoiced Federated $137,000 for its services; the second, issued on December 18, invoiced Federated an additional $39,962. (Gruidl Dep. Tr. at 21:1524:4; Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice.)
On December 11, the bad actor emailed Federated, posing as Ms. Williams, and wrote that Fishbowl had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” (Johnson Decl., Ex. G (Fishbowl-Federated Email Chain) at Fishbowl_000453.) The bad actor requested confirmation as to when Federated would pay the first invoice “so we can forward our new bank account details.” (Id.) The next day, Federated responded that it had sent the payment. (Id. at Fishbowl_000452-53; Gruidl Dep. Tr. at 42:23-43:5.) Because the payment never arrived in Fishbowl's account, Ms. Williams reached out to Federated on December 16 to confirm the payment. (Fishbowl-Federated Email Chain at Fishbowl_000451-52; Gruidl Dep. Tr. at 43:15-20.) The bad actor, posing as Federated, responded on December 17 saying that payment had been initiated and would appear in Fishbowl's account on December 18. (Gruidl Dep. Tr. at 44:3-13.) In fact, Federated had sent its payment to an account controlled by the bad actor. (Id. at 43:21-23.)
On December 18, after receiving a message from its bank, Federated reached out to Fishbowl to confirm the correct routing number for the payments. (Fishbowl-Federated Email Chain at Fishbowl_000451.) Later that day, the bad actor, posing as Ms. Williams, intercepted the email and responded confirming the fraudulent routing number. (Id. at Fishbowl_000450.) Federated remitted payment for the second invoice to the same fraudulent account around December 23. (Gruidl Dep. Tr. at 45:5-12, 61:23-62:9.) In total, Federated sent the bad actor the full balance of the two invoices: $176,962. (Id. at 45:512.)
Fishbowl discovered the bad actor's conduct on January 17, 2020. (Id. at 44:14-21.) With assistance from the United States Secret Service, Federated recovered $29,077.79 and remitted it to Fishbowl. (Id. at 27:1-9.) The remaining $147,926.21 has not been recovered. (Compl. [Doc. No. 1] ¶ 26).
B. Fishbowl's Insurance Claim
Hanover insured Fishbowl under a Technology Professional Liability Policy (“TPL Policy”) for the period of July 17, 2019 to July 17, 2020. (Nilan Aff., Ex. 4 (TPL Policy).) The TPL Policy incorporates a Data Breach Coverage Form, which includes a “Cyber Business Interruption and Extra Expense” clause (the “Clause”). (Id. at HAN0000572-73.) The Clause provides:
We will pay actual loss of “business income” and additional “extra expense” incurred by you during the “period of restoration” directly resulting from a “data breach” which is first discovered during the “policy period” and which results in an actual impairment or denial of service of “business operations” during the “policy period”.(Id. at HAN0000573.)
Fishbowl submitted a claim to Hanover on January 20, 2020, seeking coverage under the Clause for the money lost to the bad actor. (Nilan Aff., Ex. 3 (Hanover Admissions) at 2.) Hanover denied Fishbowl's claim for coverage on November 19, 2020. (Johnson Decl., Ex. F (Nov. 19, 2020 Letter).)
C. This Lawsuit
Fishbowl initiated this action on March 24, 2021, alleging that Hanover's denial of coverage breached the TPL Policy. (Compl. ¶ 71-76.) Fishbowl seeks a declaratory judgment that its loss is covered under the Clause as well as damages for the unrecovered amount that Federated paid, $147,926.21, plus attorney's fees and prejudgment interest. (Id. ¶ 71-81.)
Both parties move for summary judgment. The underlying facts of this case are not in dispute; rather, the parties debate the correct legal interpretation of the Clause. Hanover argues that, as a matter of law, the Clause does not provide coverage for the loss occasioned by the bad actor's conduct; Fishbowl argues that it does provide coverage as a matter of law.
II. STANDARD OF REVIEW
Summary judgment is appropriate if “the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). “A fact is ‘material' if it may affect the outcome of the lawsuit.” TCF Nat'l Bank v. Mkt. Intelligence, Inc., 812 F.3d 701, 707 (8th Cir. 2016). And a factual dispute is “genuine” only if “the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). In evaluating a motion for summary judgment, the Court must view the evidence and any reasonable inferences drawn from the evidence in the light most favorable to the nonmoving party. Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986).
Although the moving party bears the burden of establishing the lack of a genuine issue of fact, the party opposing summary judgment may not “rest on mere allegations or denials but must demonstrate on the record the existence of specific facts which create a genuine issue for trial.” Krenik v. Cnty. of Le Sueur, 47 F.3d 953, 957 (8th Cir. 1995) (internal quotation marks omitted); see Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). Moreover, summary judgment is properly entered “against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial.” Celotex Corp., 477 U.S. at 322.
III. DISCUSSION
Fishbowl argues that, consistent with the definitions in the Data Breach Coverage Form and the plain meaning of the TPL Policy language, this loss should be covered under the Clause. (Pl.'s Mem. [Doc. No. 59] at 10-17.) Hanover disagrees, arguing that Fishbowl's interpretation of the Clause contradicts the overall purpose of the TPL Policy and renders other provisions meaningless. (Def.'s Mem. [Doc. No. 53] at 9-26.)
State law determines the interpretation of insurance policies. Nat'l Union Fire Ins. Co. of Pittsburg v. Terra Indus., Inc., 346 F.3d 1160, 1164 (8th Cir. 2003). In Minnesota, the interpretation of an insurance policy is a question of law governed by general contract interpretation principles. Travelers Indem. Co. v. Bloomington Steel & Supply Co., 718 N.W.2d 888, 894-95 (Minn. 2006). The goal is to “ascertain and give effect to the intentions of the parties as reflected in the terms of the policy.” King's Cove Marina, LLC v. Lambert Com. Constr., LLC, 958 N.W.2d 310, 316 (Minn. 2021) (citation omitted).
The policy must be construed as a whole, and if possible, to give effect to all provisions. Id.; Midwest Fam. Mut. Ins. Co. v. Wolters, 831 N.W.2d 628, 636 (Minn. 2013). Moreover, policies must be construed “according to the terms the parties have used.” Dairyland Ins. Co. v. Implement Dealers Ins. Co., 199 N.W.2d 806, 811 (Minn. 1972). When terms or phrases are not specifically defined, they are given their “plain, ordinary, and popular meaning.” Mattson Ridge, LLC v. Clear Rock Title, LLP, 842 N.W.2d 622, 632 (Minn. 2012).
“Because most insurance policies are preprinted forms drafted solely by insurance companies-basically contracts of adhesion-policy words of inclusion will be broadly construed, and words of exclusion are narrowly considered.” Gen. Cas. Co. of Wis. v. Wozniak Travel, Inc., 762 N.W.2d 572, 575 (Minn. 2009). Though the insured bears the burden of demonstrating coverage, ambiguous language is generally resolved in the insured's favor. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. Language is ambiguous if it is susceptible to more than one reasonable interpretation, “as determined from the viewpoint of a layperson, not a lawyer.” Mut. Serv. Cas. Ins. Co. v. Wilson Twp., 603 N.W.2d 151, 153 (Minn.Ct.App. 1999). However, courts must not “read an ambiguity into the plain language of a policy in order to provide coverage.” Farkas v. Hartford Accident & Indem. Co., 173 N.W.2d 21, 24 (Minn. 1969) (citations omitted). “The language must be considered within its context, and with common sense.” Mut. Serv. Cas. Ins. Co., 603 N.W.2d at 153.
A. Terms of the Clause
The Cyber Business Interruption and Extra Expense Clause requires Fishbowl to demonstrate: 1) an actual loss of “business income;” 2) which occurred during the “period of restoration;” 3) directly resulting from a “data breach;” 4) that it discovered during the “policy period;” and 5) which resulted in an actual impairment or denial of service of “business operations” during the “policy period.” (TPL Policy at HAN0000573.) It is undisputed that Fishbowl both experienced a “data breach” and that it was discovered during the “policy period.” (See July 19, 2022 Hr'g Tr. [Doc. No. 75] at 24:15-17; Nilan Aff., Ex. 5 (Cormier Dep. Tr.) at 59:2-17, 65:1-6.)
1. Actual Loss of “Business Income”
The Data Breach Coverage Form defines “business income” as:
a. Net Income (Net Profit or Loss before income taxes) that would have been earned or incurred if there had been no impairment or denial of “business operations” due to a covered “data breach” and
b. Continuing normal operating expenses incurred, including payroll.(TPL Policy at HAN0000580.)
Fishbowl argues that the money Federated paid to the bad actor constitutes “Net Income . . . that would have been earned” because sending invoices is part of its “business operations.” (Pl.'s Mem. at 11-12.) Hanover argues that there was no loss of “business income” on two related grounds: first, because “business operations” only refers to incomegenerating activities, and invoicing clients does not generate income for Fishbowl; and second, because Fishbowl seeks recovery of money already earned, rather than money that “would have been earned.” (Def.'s Mem. at 11-17, 20-21.)
a. “Business Operations”
The Data Breach Coverage Form defines “business operations” as an insured's “usual and regular business activities.” (TPL Policy at HAN0000580.) Hanover urges the Court to ignore this definition, pointing to the phrase “business operations” in other provisions of the TPL Policy that purportedly restrict its meaning to only “incomegenerating” business activities. (Def.'s Mem. at 11-17.) Specifically, Hanover highlights the Clause itself, the definition of “business income,” the definition of “Extra Expense,” the definition of “Period of Restoration,” and the Cyber Business Interruption Waiting Period Deductible (“Waiting Period Deductible”). (Id.)
Hanover highlights the Waiting Period Deductible, to which losses payable under the Clause are subject. (Def.'s Mem. at 15-16; TPL Policy at HAN0000576.) Because the Data Breach Coverage Form Schedule defines the Waiting Period Deductible as 24 hours, Hanover contends that the “first 24 hours of the income lost because of the interruption of the insured's income-generating activities” must be deducted from any claim. (Def.'s Mem. at 16; TPL Policy at HAN0000572.) Separately, Hanover asserts that finding coverage here would render the Waiting Period Deductible meaningless because Fishbowl does not identify any losses experienced within the first 24 hours to deduct from its claim. (Def.'s Mem. at 18-19; Def.'s Reply [Doc. No. 70] at 12-13.) For its part, Fishbowl argues that Hanover's interpretation leads to an absurd result: a policy under which the insured must sustain a loss within the first 24 hours, otherwise coverage is never triggered. (Pl.'s Reply [Doc. No. 71] at 16-17.)
The TPL Policy does not define “Waiting Period Deductible.” Hanover argues that the ordinary meaning of “deductible” is “a monetary amount that is borne by the insured and deducted from any payment by the insurer.” (Def.'s Reply at 12 (citing Glossary of Insurance and Risk Management Terms 92 (13th ed. 2016) and Black's Law Dictionary 501 (10th ed. 2014)).) For the generic phrase, “waiting period deductible,” Hanover offers the following definition: “[a] deductible provision sometimes used in business interruption (BI) and other time element policies, in lieu of a dollar amount deductible, that establishes that the insurer is not responsible for loss suffered during a specified period (such as hours) immediately following a direct damage loss.” (Def.'s Mem. at 16 (quoting Glossary of Insurance and Risk Management Terms 320 (13th ed. 2016)).)
Minnesota courts have described a “deductible” as “exempt[ing] the insurer from paying a specified amount in the event of a claim.” Minn. Teamsters Pub. & L. Enf't Emps. Union, Loc. 320 v. Cnty. of St. Louis, 726 N.W.2d 843, 846 n.1 (Minn.Ct.App. 2007) (quoting The American Heritage College Dictionary 369 (4th ed. 2002)); see also City of Owatonna v. Rare Aircraft, Ltd., No. A08-1642, 2009 WL 1684479, at *2 (Minn.Ct.App. June 16, 2009) (quoting the same definition). This definition aligns with Hanover's suggested ordinary meaning for “deductible” and demonstrates that it has provided a reasonable interpretation of the term. However, the TPL Policy contains a “waiting period” deductible, which, as Hanover's own definition of “waiting period deductible” underscores, focuses on deducting an amount of time rather than money. (TPL Policy at HAN0000572.)
Moreover, the variety of data breaches covered by the Clause makes it plausible that an insured could experience an impairment of “business operations,” unrelated to income generation, that does not result in any losses within the first 24 hours. (TPL Policy at HAN0000580 (defining seven types of data breach).) For instance, one type of “data breach” covered is the “loss, theft, accidental release, or accidental publication of ‘private personal data' entrusted to [the insured] as respects one or more ‘potentially-identified persons'” that could “reasonably result in the fraudulent use of such information.” (Id.)
“Private personal data” is defined as a natural person's first and last name in combination with other variables, such as a financial account number, credit card numbers, or employment information, “which is intended to be accessible only by natural persons or entities you have specifically authorized to have such access.” (TPL Policy at HAN0000582.)
The definition does not restrict this type of data breach to the theft of “private personal data” related to an insured's clients: “potentially-identified persons” includes employees. (Id. at HAN0000582.) In other words, the Clause covers losses from the theft of such data regardless of whether it pertains to an income-generating activity or is merely being stored by the insured as part of an employee's personnel file.
In addition, losses might not accrue from the theft of “private personal data” (like a financial account number) within the first 24 hours; to conceal the breach, the thief may not use the data for weeks. Yet the Clause covers impairment from such data breaches, too. Although in such circumstances the Waiting Period Deductible would be $0, an undesirable outcome for Hanover, that does not render the provision meaningless.
The data breaches covered suggest that Fishbowl's interpretation of “Waiting Period Deductible” is as equally reasonable as Hanover's. Faced with two reasonable interpretations, the Court must construe “Waiting Period Deductible” in Fishbowl's favor. Gen. Cas. Co. of Wis., 762 N.W.2d at 575 (“If undefined terms are reasonably susceptible to more than one interpretation, the terms must be interpreted liberally in favor of finding coverage.”). The Court finds that the Waiting Period Deductible does not constrain “business operations” to income-generating activities only.
Finally, because the Court must construe the TPL Policy “according to the terms the parties have used,” it cannot insert “income-generating” into the TPL Policy's definition of “business operations.” Dairyland Ins. Co., 199 N.W.2d at 811; see also Telex Corp. v. Data Products Corp., 135 N.W.2d 681, 687 (Minn. 1965) (“It is not ordinarily the function of courts to rewrite, modify, or set aside contract provisions fully considered and agreed upon between the parties.”). Insurance policies “are contracts of adhesion between parties not equally situated.” Canadian Universal Ins. Co., Ltd. v. Fire Watch, Inc., 258 N.W.2d 570, 574-75 (Minn. 1977). If Hanover wanted to restrict “business operations” to include only the “income-generating” subset of Fishbowl's “usual and regular business activities,” it had the responsibility as drafter to write the governing contractual definition accordingly.
Thus, while “usual and regular business activities” may be broad, the phrase is not ambiguous. “[A] reasonable person in the position of the insured would have understood [usual and regular business activities] to mean” all business activities performed with a certain frequency and consistency. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. The definition of “business operations” makes no distinction based on the type of business activity.
Neither party argues that “usual and regular business activities” is ambiguous, perhaps because the ordinary meaning of these terms is plain enough.
Fishbowl communicates with its clients daily and sends them invoices for every project it completes. (Gruidl Dep. Tr. at 14:12-15:13.) Fishbowl's practices fit the broad description of “usual and regular business activities.” Therefore, the Court finds that the definition of “business operations” encompasses Fishbowl's communication with, and invoicing of, its clients.
b. “Would Have Been Earned”
Hanover's second ground for arguing that Fishbowl did not suffer a loss of “business income” focuses on the phrase “would have been earned” in the “Net Income” portion of the “business income” definition. (Def.'s Mem. at 20-21.) Hanover contends that because Fishbowl uses an accrual accounting system, “income is ‘earned' when Fishbowl performs the work and issues an invoice, not when it receives payment on invoices.” (Id. at 20.) Consequently, Hanover submits, Fishbowl is seeking money that it would have “received,” not “earned,” but for the conduct of the bad actor. (Id.)
Fishbowl's accounting method is not relevant to the terms of the TPL Policy. Coverage provisions must be construed based on the expectations of the insured. Travelers Indem. Co., 718 N.W.2d at 894. No language in the TPL Policy, or any other evidence in the record, demonstrates that the parties intended to define “earned” based on the insured's method of accounting.
Additionally, “earn” does not have as narrow a definition as Hanover argues. See, e.g., Oxford English Dictionary Online, https://www.oed.com/view/Entry/58995? rskey=irgH0j&result=3#eid (last visited Oct. 27, 2022) (defining “earn” as “to receive or be entitled to (money . . .) through work or another activity”). This definition supports finding that Fishbowl “would have [] earned” the income from Federated because it would have received, or at minimum would have been entitled to, Federated's payments if there had been no data breach.
Most importantly, Hanover's Property Claims Director, Jason Cormier, admitted that Fishbowl sustained an “actual loss of business income” under the TPL Policy. (Cormier Dep. Tr. at 57:3-17 (“Q: So you would agree that there is an actual loss of business income, correct? A: Yes.”).) Hanover attempts to undercut this admission by noting that Mr. Cormier had no knowledge of Fishbowl's accounting methods and that, just prior to this question, Mr. Cormier described Fishbowl's loss as “a loss of collections from a third party.” (Id. at 57:5; Def.'s Opp'n [Doc. No. 69] at 21.) The fact remains that Mr. Cormier did not qualify his statement in any way and he is in the best position to opine as to whether this in fact was a loss of business income.
The portions of Mr. Cormier's deposition included in the record reveal that Mr. Cormier worked at Hanover for six years as a claims adjuster before transitioning into a management role, and, in his current capacity as Property Claims Director, he oversaw the unit that assessed Fishbowl's claim. (See Nilan Aff., Ex. 5 (Cormier Dep. Tr.) at 6:219:25.)
The broad definition of “business operations” and the ordinary meaning of “earn” support finding that Fishbowl suffered an “actual loss of business income.” Fishbowl lost $147,926.21 that it “would have earned” because it could not perform its “usual and regular business activities” of emailing and invoicing its clients. The testimony of Hanover's corporate representative undermines its arguments to the contrary. As such, the Court finds that Fishbowl suffered an “actual loss of business income” within the meaning of the TPL Policy as a matter of law.
2. “Period of Restoration”
As defined in the TPL Policy, the “Period of Restoration” begins, “[f]or the loss of ‘Business Income,' after 24 hours or the number of hours shown as the Cyber Business Interruption Waiting Period Deductible in the SCHEDULE on this Coverage Forms [sic], whichever is greater, immediately following the time the actual impairment or denial of ‘business operations' first occurs.” (TPL Policy at HAN0000581.) The Period of Restoration ends either when “‘business operations' are restored” or 60 days after the impairment or denial of “business operations” first occurs, whichever is earlier. (Id.)
The Cyber Business Interruption Waiting Period Deductible is 24 hours. (TPL Policy at HAN0000572.)
Fishbowl asserts that its loss occurred within the defined “Period of Restoration” because the bad actor gained access to Ms. Williams' account in November 2019 and Federated made its erroneous payments in December 2019. (Pl.'s Mem. at 12-13.) That is, Fishbowl experienced the loss more than 24 hours after the initial unauthorized access and before the end of the sixty-day period. (Id.)
Hanover does not directly contest the timing of the alleged Period of Restoration. Instead, Hanover argues that there was no loss of “business income” during the Period of Restoration because there was “no interruption in [Fishbowl's] revenue-generating activities.” (Def.'s Opp'n at 22.) As the Court finds that there was a loss of business income, it also finds that Fishbowl sustained its loss within the “Period of Restoration” as defined by the TPL Policy.
3. “Directly Resulting From” Data Breach
The parties do not dispute that Fishbowl suffered a data breach within the meaning of the TPL Policy. (July 19, 2022 Hr'g Tr. at 24:15-17; Cormier Dep. Tr. at 59:2-17.) The debate concerns whether Fishbowl's loss “directly” resulted from the data breach. (TPL Policy at HAN0000573 (emphasis added).) The TPL Policy does not define the phrase, “directly resulting.”
Hanover contends that Fishbowl's loss did not “directly result[]” from the conduct of the bad actor, but rather resulted from an “intervening agency or determining influence-Federated's negligence and breach of contract.” (Def.'s Opp'n at 26.) Hanover asserts that Federated breached its contract with Fishbowl because the contract requires that payment be directed to Fishbowl's corporate offices. (Id. at 26-28; Johnson Decl., Ex. B (Fishbowl-Federated Contract) at 6.) Federated acted negligently, Hanover argues, by failing to notice warning signs in the fraudulent emails and the changed payment instructions. (Def.'s Opp'n at 26-28.) Hanover notes that another Fishbowl client caught these warning signs and consequently did not pay the bad actor. (Id. at 26-27.)
To support its interpretation, Hanover submits dictionary definitions for “directly” and “resulting.” (Def.'s Mem. at 23-24 (citing Websters Third New International Dictionary 641, 1937 (1993)).) In response, Fishbowl urges the Court to follow the Eighth Circuit's interpretation of “loss resulting directly from” under Minnesota law in the context of a standardized financial institution bond. (Pl.'s Opp'n [Doc. No. 67] at 21 (citing BancInsure, Inc. v. Highland Bank, 779 F.3d 565 (8th Cir. 2015)).) However, this Court's interpretation of “directly resulting from” is largely immaterial because Hanover cannot show that Federated's actions constitute an “intervening agency” as a matter of law.
Hanover cites to two cases, Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F.Supp.3d 915 (D. Nev. 2020) and JPMorgan Chase Bank, N.A. v. Freyberg, 171 F.Supp.3d 178 (S.D.N.Y 2016), in support of its position. While these cases involve losses resulting from the interference of a bad actor, the similarities end there. Rather, these cases address legal claims unrelated to insurance contracts that are analyzed under the respective state's version of the Uniform Commercial Code. Jetcrete N. Am. LP, 484 F.Supp.3d (analyzing claim of breach of contract for the sale of goods under Nevada's Uniform Commercial Code); Freyberg, 171 F.Supp.3d (analyzing claims of breach of bank account contract and equitable estoppel under New York's Uniform Commercial Code). These cases, therefore, provide no support for Hanover's position that there is no coverage here.
The factual record in this case is not sufficiently developed to determine that Federated breached its contract or acted negligently as a matter of law. Hanover asserts that Federated's contract with Fishbowl required it to remit payment to Fishbowl's corporate offices. (Def.'s Mem. at 24.) Though it never says so explicitly, Hanover seems to suggest that the contract obligated Fishbowl to pay by check. (Id.) While the contract states that Federated “shall send payments to [Fishbowl's corporate address],” it does not specify a payment method. (Fishbowl-Federated Contract at 6.) As Fishbowl's representative testified, clients are permitted to pay by check, debit card, or wire transfer. (Gruidl Dep. Tr. at 16:5-6.) Additionally, the Invoices merely restate the same language found in the contract. (Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice.) Nothing in the contract, or in Fishbowl and Federated's course of performance or dealing, demonstrates that Federated breached its contract by not physically remitting payment to the corporate offices.
As for negligence, Hanover contends that Federated should have called Fishbowl to verify the change in payment. (Def.'s Mem. at 24-25.) The Federated-Fishbowl contract does not require a phone call and the Invoices state that Federated can contact Fishbowl with questions via phone or email. (See Federated-Fishbowl Contract; Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice.) That Federated chose to reach out directly to Ms. Williams, rather than to Fishbowl's general Accounting Department email account, does not demonstrate that it was negligent in doing so as a matter of law.
Hanover further argues that Federated should have been alerted to the scam by “several grammatical errors” in one of the fraudulent emails from Ms. Williams' account. (Def.'s Mem. at 25.) The grammatical errors in question are indeed noticeable, but minor: one improper capitalization of “Scheduled” and one use of “sometimes” instead of “some time.” (Fishbowl-Federated Email Chain at Fishbowl_000453.) The typos are simply insufficient to establish that Federated acted negligently as a matter of law. And the Court cannot draw any inferences about Federated's behavior based on the fact that some of Fishbowl's clients caught the scam before making payments. The record contains no evidence about the behavior of the bad actor or the responses of the clients in those transactions.
In sum, Hanover speculates about Federated's conduct without testimony from Federated, without attempting to implead or join Federated to this action, and without a full evidentiary record. Given the paucity of evidence, the Court cannot rule as a matter of law that Federated's actions constituted an “intervening agency.” Because Fishbowl's loss would not have occurred without the bad actor accessing Ms. Williams's email and sending fraudulent communications, the Court finds that Fishbowl's loss “directly result[ed] from” the data breach.
4. Impairment of Business Operations
Fishbowl argues that because the TPL Policy does not define “impairment,” the Court must apply its ordinary meaning. (Pl.'s Mem. at 15-17 (providing definitions from Black's Law Dictionary (11th ed. 2019) and American Heritage Dictionary of the English Language 904 (3d ed. 2019)).) It contends that the rules imposed in Ms. Williams' email impaired Fishbowl's business operations by preventing her from communicating with Fishbowl's clients and by preventing Fishbowl from receiving payment for the work it had performed. (Id. at 16.)
In response, Hanover asserts that there was no “impairment” or interruption of Fishbowl's “business operations” because Fishbowl continued to conduct its incomegenerating activities (consulting, reselling software, selling maintenance contracts) while the bad actor accessed Fishbowl's email system. (Def.'s Mem. at 17-18.) It agrees with Fishbowl's definitions as to the ordinary meaning of the word “impairment.” (Def.'s Opp'n at 28.) Even so, Hanover argues that the data breach did not impair Fishbowl's ability to communicate with or send invoices to Federated and “just allowed a bad actor to also communicate” with Federated. (Def.'s Reply at 16.)
The definition of “impairment” is relatively consistent across dictionaries. Compare Black's Law Dictionary (“[t]he quality, state, or condition of being damaged, weakened, or diminished”), with American Heritage Dictionary of the English Language 904 (defining “impair” as “[t]o cause to diminish as in strength, value, or quality”), and Oxford English Dictionary Online, https://www.oed.com/view/Entry/92049?rskey=aJerwP &result=3&isAdvanced=false#eid (last accessed Oct. 27, 2022) (defining “impair” as “to make worse, less valuable, or weaker”). In essence, the ordinary meaning of impairment is an inability to function at full capacity.
The Court finds that the ordinary meaning of “impairment” is sufficiently broad to encompass the impact here of the bad actor's interference with Ms. Williams' email. As Hanover rightly notes, after the breach, Ms. Williams retained the ability to communicate with and send invoices to Fishbowl's clients; in fact, she sent Federated the Invoices while the bad actor's rules were in place and even emailed Federated after the bad actor began to interfere with their communications. (Nov. 13, 2019 Invoice; Dec. 18, 2019 Invoice; Gruidl Dep. Tr. at 43:15-20.) But the bad actor's interference meant that Ms. Williams could not reliably, at all times, communicate and send invoices. (Gruidl Dep. Tr. at 32:1-5, 33:2234:25, 36:3-7, 37:20-22, 38:2-19, 42:7-43:23; Maschino Dep. Tr. at 122:13-124:3.) The bad actor intercepted her emails before she could read them and sent out fraudulent emails impersonating her. (Gruidl Dep. Tr. 33:16-34:25, 38:2-19; Fishbowl-Federated Email Chain.) Hanover's representative agreed that “impairment” does not require the business to cease functioning entirely and acknowledged that Fishbowl's system had been “altered” by the bad actor. (Cormier Dep. Tr. at 66:15-22, 68:9-19.) While Fishbowl's ability to communicate with its clients may not have been debilitatingly disrupted, it was certainly diminished. Accordingly, the Court finds that the bad actor's data breach resulted in an “impairment” to Fishbowl's business operations.
B. Purpose and Context of the TPL Policy
Hanover argues that a finding of coverage here contradicts the overall purpose of the TPL Policy and of business interruption insurance. (Def.'s Mem. at 9-11.)
The Court acknowledges that, historically, the purpose of business interruption insurance may have been to “protect the prospective earnings of the insured business only to the extent that they would have been earned if no interruption occurred, not to exceed the per diem limits of the policy.” (Id. at 9 (quoting Metalmasters of Minneapolis, Inc. v. Liberty Mut. Ins. Co., 461 N.W.2d 496, 499-500 (Minn.Ct.App. 1990)).) In the cases cited by Hanover, manufacturing businesses invoked such insurance when their production was allegedly interrupted by physical accidents at their facilities. Metalmasters, 461 N.W.2d at 498 (describing flooding from a ruptured water pipe); Great N. Oil Co. v. St. Paul Fire & Marine Ins. Co., 227 N.W.2d 789, 791 (Minn. 1975) (describing a crane collapsing into a construction area). And the Court largely agrees with Hanover that Fishbowl's attempt to distinguish the data breaches covered under the TPL Policy from coverage for physical destruction creates “a distinction without a difference.” (Def.'s Reply at 18.) In fact, the Court does not distinguish these cases based on the type of interruption that was experienced.
However, a close reading of Metalmasters and Great N. Oil Co. reveals that they are distinguishable because of the specific language of the policies at issue. The contested provisions in these cases insured the plaintiff against losses from an “interruption” of business. Metalmasters, 461 N.W.2d at 499 (insuring against “loss resulting from necessary interruption”) (emphasis added); Great N. Oil Co., 227 N.W.2d at 271 (insuring against losses “directly resulting from such interruption of business”) (emphasis added). Here, the Clause insures against losses from “actual impairment or denial of service.” (TPL Policy at HAN0000573.)
Minnesota law instructs that “[w]here explicit language indicates a purpose different from that thought to be the main purpose of the agreement, the language must be given its obvious meaning and cannot be overruled.” Reliable Metal, Inc. v. Shakopee Valley Printing, Inc., 407 N.W.2d 684, 687 (Minn.Ct.App. 1987); see also Frauendorfer v. Meridian Sec. Ins. Co., No. 27-cv-15-20388, 2017 WL 1316110, at *3 (Minn.Ct.App. Apr. 10, 2017) (“[I]n contract law, even if it looks like a duck and quacks like a duck, it is not a duck if the parties sign an agreement that expressly says it is not.”). Thus, notwithstanding the general purpose of business interruption insurance, the Court must pay heed to the actual language of the TPL Policy. The use of “impairment” rather than “interruption” in the Clause itself demonstrates that the TPL Policy specifically grants coverage when a business suffers something less than a total suspension of operations.
Moreover, although the Cyber Business Interruption and Extra Expense Clause contains “interruption” in its title, the TPL Policy prohibits the Court from deriving meaning from this fact. The TPL Policy addresses the use of section titles under its “Conditions” heading: “15. Section Titles. The titling of sections and paragraphs within this policy is for convenience only and shall not be interpreted as a term or condition of this policy.” (TPL Policy at HAN0000561.) Hanover argues that this provision has no effect here because it appears in the beginning of the TPL Policy, under the general “Technology Professional Advantage Plus” heading and not within the Data Breach Coverage Form. (Def.'s Reply at 16-17.) It argues that the Data Breach Coverage Form has its own “Conditions” that do not contain a restriction on giving meaning to the section titles. (TPL Policy at HAN0000577-79.)
The Court must construe the TPL Policy as a whole. Midwest Fam. Mut. Ins. Co., 831 N.W.2d at 636. The overall structure of the TPL Policy demonstrates that the “Technology Professional Advantage Plus” pages are the base of the TPL Policy, with the endorsements that follow modifying its terms. The Data Breach Coverage Form is prefaced by: “THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.” (TPL Policy at HAN0000572.) Every other form following the “Technology Professional Advantage Plus” pages contains the same warning. (TPL Policy at HAN0000567 (Exclusion - Electromagnetic Radiation), HAN0000568 (Exclusion -Fungi or Bacteria), HAN0000569 (Exclusion - Multiple Retroactive Date for “Anomalies”), HAN0000571 (Minnesota Amendatory Endorsement), HAN0000583 (Minnesota Changes - Data Breach Coverage Form).) The consistent use of this preface demonstrates that the provisions outlined in the “Technology Professional Advantage Plus” pages apply to the endorsements except as expressly modified by them. See also Frauendorfer, 2017 WL 1316110, at *2-3 (interpreting an identical endorsement preface to mean that the endorsement modifies the overall policy). Thus, the lack of an equivalent “Sections” provision among the “Conditions” in the Data Breach Coverage Form does not prohibit the Court from applying the provision here.
The Court finds that Fishbowl's loss meets every element of the Cyber Business Interruption and Extra Expense Clause. Moreover, finding coverage here conforms to the type of business interruption contemplated by the explicit terms of the TPL Policy and gives effect to all its provisions. The TPL Policy therefore covers the loss. Accordingly, the Court grants summary judgment to Fishbowl on its claim that Hanover breached the TPL Policy by denying coverage under the Clause.
Hanover also insists that the existence of insurance specifically covering invoice manipulation supports finding that the TPL Policy does not provide such coverage. (Def.'s Mem. at 21-23.) Hanover cites blog posts suggesting that invoice manipulation schemes are a growing problem inadequately addressed by most insurance policies. (Id.) Be that as it may, the TPL Policy lacks any reference to an exclusion for invoice manipulation coverage, making it improper to use the general availability of another type of coverage for interpretive purposes. Even if there were a question of ambiguity on this point, the Court construes insurance policy language in favor of coverage and reads exclusions narrowly. King's Cove Marina, LLC, 958 N.W.2d at 316. The insurer has the burden of establishing the applicability of an exclusion. Id. Hanover admitted that it does not now offer Invoice Manipulation Coverage and did not offer it as of July 17, 2019, when Hanover issued the TPL Policy to Fishbowl. (Second Nilan Aff. [Doc. No. 68], Ex. 6 (Hanover Admissions 20-21).) Hanover also admitted that the TPL Policy does not expressly exclude Invoice Manipulation Coverage. (Id.) The Court therefore finds that Hanover has not carried its burden to establish that the TPL Policy excludes invoice manipulation coverage as a matter of law.
IV. CONCLUSION
Based on the submissions and the entire file and proceedings herein, IT IS HEREBY ORDERED that:
1. Plaintiff's Motion for Summary Judgment [Doc. No. 57] is GRANTED as to all claims;
2. Defendant's Motion for Summary Judgment [Doc. No. 51] is DENIED as to all claims;
3. The Court awards Fishbowl $147,926.21 in damages;
4. To the extent Fishbowl contends that it is entitled to prejudgment interest and/or attorneys' fees, it must submit briefing no later than November 17, 2022 (no longer than five pages) identifying the legal basis of that contention as well as a calculation as to any amounts owed.
LET JUDGMENT BE ENTERED ACCORDINGLY.