Claims Journal - March 12, 2024
The Fifth Circuit added to the emerging body of case law addressing the recovery of business income losses in the cyber insurance coverage context to kick-start 2024 in Southwest Airlines Company v. Liberty Insurance.
In a case of first impression for the Fifth Circuit, a three-judge panel held that mitigation costs incurred by an insured following a cyber event were not barred from coverage as a matter of law, even though such costs were incurred voluntarily by the insured as a matter of business discretion.
The Emergence of Business Interruption Claims Under Cyber Policies
As insureds continue to navigate the consequences of cyber threats, courts across the country have begun to grapple with questions concerning what constitutes a covered business interruption loss under cyber policies.
In 2023 alone, IBM estimated the average cost of a data breach was $4.46 million. In fact, the cost of cybercrime, which Forbes estimated to be around $8 trillion in 2023, is predicted to hit $10.5 trillion by 2025. Accordingly, understanding what costs an insured may recover under a cyber policy are critical for both carriers and policyholders alike.
Traditionally, property insurance policies have provided coverage for certain financial losses while an insured is unable to operate its business due to a covered form of property damage. For instance, if storm-caused damage causes the temporary shutdown of an insured’s manufacturing facility, that insured may be entitled to recover the lost business income it would have earned in the absence of the shutdown.
Similarly, if a business is impacted by a data breach or cyber event, that business may be entitled to recover financial losses the business incurred as a result of that event under certain cyber policies. However, questions arise as to how closely must a loss be linked to a cyber event to trigger coverage, and when is a business truly interrupted by a cyber event?
Courts across the country have only recently begun to address these questions. In one notable case, the United States District Court for the District of Minnesota held that Fishbowl Solutions, Inc., a software company, was entitled to $148,000 in coverage for losses that Fishbowl’s insurer argued were only related to income-generating activities.
Fishbowl Solutions Inc. v. Hanover Ins. Co., 2022 WL 16699749 (D. Minn. Nov. 3, 2022). In that case, Fishbowl sued its insurer seeking coverage after an unknown bad actor gained access to the company’s email and sent fraudulent instructions to a client, which resulted in the client sending payment to the hacker by mistake. With respect to business income losses, the cyber policy provided:
We will pay actual loss of “business income” and additional “extra expense” incurred by you during the “period of restoration” directly resulting from a “data breach” which is first discovered during the “policy period” and which results in an actual impairment or denial of service of “business operations” during the “policy period.”
Even though Fishbowl was able to continue its business operations after the cyber event, the court found that the cyber policy’s use of the term “impairment” rather than “interruption” provided a broad grant in coverage. As a result, the court concluded the losses at issue were covered under the policy.
Similarly, in New England Systems Inc. v. Citizens Insurance Co. of America, an insured relied on virtually identical policy language to argue (like the insured in Fishbowl) that it was entitled to recover alleged business interruption losses, even though it was able to continue operations at all times after a cyberattack and related data breach. See 2022 WL 17585966 (D. Conn. Dec. 12, 2022).
The case ultimately settled, but not before the United States District Court for the District of Connecticut denied (in part) the insurers’ motion for summary judgment, holding that a fact issue existed as to whether the insured sustained covered business interruption losses as a result of the data breach. As in Fishbowl, the court concluded that the policy’s use of the term “impairment” as a trigger for business income coverage provided a broader grant of coverage than more common provisions requiring an “interruption” of the insured’s business.
Although the holdings in Fishbowl and New England Systems turned on policy-specific distinctions between the terms “impairment” and “interruption,” insureds and insurers have presented similar arguments in the absence of such policy language.
For example, in a recent Michigan case arising out of a two-week shutdown of the insured’s computer systems, an insurer sought summary judgment on its insured’s resulting business income claim, arguing that the insured sustained no compensable business income loss at all, because the insured—which conducted nearly all of its sales via telephone—was able to continue its business operations during the time its computer systems were inoperable. See Travelers Casualty and Surety of America Motion for Summary Judgment, 2022 WL 18456129 (E.D. Mich.). The case settled before the court ruled on the insurer’s motion for summary judgement; however, the parties’ briefing provides an insightful example of how litigants on both sides of the docket are attempting to achieve clarity regarding the requisite link between a cyber event and covered business income loss.
The Fifth Circuit Addresses the Scope of Business Income Loss in the Cyber Context
In the latest federal court opinion to address claimed business income losses arising from a cyber event, the Fifth Circuit reversed a lower court’s grant of summary judgment in favor of an insurer, holding that costs incurred by Southwest Airlines to compensate customers affected by a massive network failure were not barred from coverage simply because they were incurred at the business discretion of the insured.
On July 20, 2016, Southwest Airlines suffered a massive system failure that impacted its flight operations for approximately three days, ultimately causing 475,839 customers to experience flight cancellations and/or delays. Sw. Airlines Co. v. Liberty Ins. Underwriters, Inc., 90 F.4th 847 (5th Cir. Jan. 16, 2024). As a result of the system failure (and related impact on flight operations), Southwest Airlines compensated passengers with a several perks, aimed at maintaining customer loyalty and mitigating long-term income losses, including:
- Distributing FareSaver Promo Codes to customers whose flights were canceled or delayed two hours or more;
- Giving travel vouchers to customers whose flights were canceled or delayed two hours or more;
- Issuing refunds to customers (upon request) to compensate for alternate travel arrangements;
- Distributing Rapid Rewards Points to frequent flier program members whose flights were canceled or delayed two hours or more; and
- Advertising costs for a sale that was underway during the system failure, which was extended by one week.
Southwest Airlines sought to recoup these mitigation costs under the “System Failure Coverage” coverage afforded by its cyber policy, which stated the insurer would “pay all Loss . . . that an Insured incurs . . . solely as a result of a System Failure.” The Policy defined “Loss” as “costs that would not have been incurred but for a Material Interruption,” and it defined “Material Interruption” as “the actual and measurable interruption or suspension of an Insured’s business directly caused by . . . a System Failure.”
The lower court granted summary judgment for the insurer, holding that the costs claimed by Southwest Airlines were not solely caused by the system failure, but rather were the result of “‘various and purely discretionary customer-related rewards programs, practices and market promotions'” employed by Southwest Airlines.
On appeal, Southwest Airlines acknowledged that all five cost categories at issue were the result of business decisions made by Southwest Airlines but argued that they were covered under the plain terms of the cyber policy. The insurer—like the insurers in Fishbowl and New England Systems—argued that Southwest Airlines’ claimed losses stemmed from intervening factors, not the cyber event itself.
The Fifth Circuit reversed the lower court’s summary judgment in favor of the insurer, holding that the costs claimed by Southwest Airlines were not barred from coverage simply because they were discretionary. Applying the “lenient but-for causation standard” set forth in the cyber policy, the panel concluded that Southwest Airlines’ claimed costs were inextricably linked to the system failure and, therefore, constituted “losses” (as defined in the policy). The Fifth Circuit remanded the case to the lower court to determine whether the system failure was the sole cause of each cost category claimed by Southwest Airlines, thus triggering coverage.
The insurer argued that allowing Southwest Airlines to recover purely discretionary costs would permit Southwest Airlines to “literally dictate the amount of its own ‘loss;'” however, the Fifth Circuit rejected this contention, stating that the policy’s language and “basic insurance principles” would prohibit any “recovery that would put Southwest in a better position than it would have occupied without the interruption.” As the panel explained:
The policy still requires a causal nexus between the system failure and Southwest’s costs. Indeed, it even contains a provision to guide that causation inquiry, limiting coverage to only the costs that are deemed appropriate based on Southwest’s “probable business” if no system failure occurred.”
As the panel further noted, to resolve the coverage question on remand, the lower court would be required to consider the extent to which recovery for each category of loss at issue comports with these ‘basic insurance principles.’ The insurer “w[ill] need to explain how the cover refunds in particular would not qualify as recoverable mitigation costs that arose solely as a result of the system failure; just as Southwest w[ill] need to explain how its claims for a week of advertising (for a single-day interruption of its ad campaign) and for FareSaver Promo codes (which potentially allowed redemption for those who were not impacted by the cancelations) would not grant the company a windfall.”
The Fifth Circuit’s opinion in Southwest Airlines demonstrates the limited guidance currently available to courts when interpreting and applying cyber policies in the business interruption context. Because cyber insurance is a relatively new area of insurance coverage, courts—like the Fifth Circuit—are often left to look outside the cyber context or rely on dictionary definitions for the plain meaning of words that, by their very nature, continue to develop as the law and technology rapidly evolve.
While it is difficult to draw bright-line line rules as to how future courts will define and value business income losses in the cyber context, cases like Southwest Airlines, Fishbowl, and New England Systems demonstrate the impact a single word or phrase in a policy can have in such a coverage dispute—especially when applied to the complex set of facts and resulting chain of events frequently accompanying a cyber event. And, as technology, policy language, and the substantive law on these matters continue to evolve, courts and practitioners must take a fact-intensive and case-specific approach to the novel issues presented by claims for business income losses resulting from a cyber event.
