Judge Permits Claim for Business Lost While Helping Clients Recover From Data Breach

December 28, 2022

A federal judge has dismissed a complaint leveled against an insurer alleging bad faith in the handling of a data breach claim but has advanced the underlying dispute of whether the insured suffered business interruption losses from the breach.

Judge Sarala V. Nagala of the U.S. District Court for Connecticut said there was no evidence that Citizens Insurance Company of America acted in bad faith in handling the claim. Rather, the evidence suggested that the claim was fairly debatable, as it involved business the insured, New England Systems, allegedly lost while it restored the systems of its clients that were affected by the data breach.

However, the judge did not dismiss the loss portion of the complaint because she found that there remain questions of material fact surrounding the loss claimed by New England Systems. The judge found that a reasonable jury could find that the company suffered business interruption losses during the time it took to restore its clients’ systems after the breach. The court denied Citizens Insurance Co.’s bid for summary judgment on that issue because the court said it could not conclude, as a matter of law, that the plaintiff did not suffer business interruption losses covered by the policy.

New England Systems provides partial and full outsourced information technology support and consulting, as well as cybersecurity services. As a result of a June 19, 2019 data breach, bad actors were able to access some of the firm’s clients’ systems and send a virus and malware that encrypted the clients’ data. The data breach impacted only one of the insured’s own systems.

Upon learning of the data breach, New England Systems began responding to its clients’ requests to remedy the issues caused by the breach. The firm made the decision to remediate the issues on its own rather than involve an outside firm to assist because, according to its testimony, retaining another company would cause “more work than less” and would not “speed up the process” of remediation.

The policy’s data breach coverage form has an aggregate limit of $250,000 for losses. The form includes a provision titled “Cyber Business Interruption and Extra Expense,” which provides for payment of actual loss of “business income” and additional “extra expense” incurred during the “period of restoration” directly resulting from a data breach. Business income is defined as net income that “would have been earned or incurred if there had been no impairment or denial of business operations due to a covered ‘data breach’” and “continuing normal operating expenses incurred, including payroll.”

In addition, the form defines “extra expense” in part as “the reasonable and necessary expenses” the plaintiff incurs during the period of restoration in an attempt to continue business operations and that are over and above the expenses the insured would have incurred if no loss had occurred. The “period of restoration” ends on the earlier of the date business operations are restored or 60 days after the date the actual impairment or denial of business operations first occurs. Also, business operations is defined as “usual and regular business activities.”

Six months after the breach, New England Systems asserted a first-party claim for damages and demanded that Citizens pay up to the full $250,000 limit under the policy’s data breach provision. Citizens denied there was a covered business loss. The insured filed its lawsuit in Connecticut Superior Court in October of 2020 and it was later transferred to the federal district court.

The insured claims it suffered business losses because it could not serve its clients’ usual needs while it was preoccupied with restoring their systems. The company contends that, for more than six months after the data breach, it was able to provide only very limited “emergency service” to clients that were not impacted by the data breach, although it concedes it did not refund service agreement charges to any of these clients.

New England Systems claims that, as a result of six contract cancellations and non-renewals, it suffered $627,868 in covered losses. It further claims it lost $152,024 in three cancelled or lost projects and that it lost $134,162 in fees it charges its clients for subscription services. Without being specific, New England Systems contends that it also suffered additional losses.

Citizens Insurance contends that New England Systems did not present any evidence of any covered business loss and that it suffered no disruption to its business activities. In fact, Citizens argues that New England Systems did not lose any income as a result of the data breach. The insurer points to figures indicating that the insured’s total income increased by more than $60,000 between 2018 and 2019 and that net operating income was higher in June, July, and August of 2019, around the time of the breach, than it was in the same three-month period in 2018. Finally, Citizens provides evidence that plaintiff’s total revenue was only $30,479 lower during this three-month period in 2019 than it was for the same three-month period in 2018.

Citizens further argues that the breach did not require New England Systems to divert resources to remediate the effects on its clients all by itself; rather, the firm made a business decision to do so. That decision, and not the breach, led to the impairment of the business, if there was any, the insurer maintains.

Over Citizens’ objection, the court found that New England Systems provided sufficient evidence to withstand summary judgment on the issue of damages, including evidence that it could not perform some of the projects it had anticipated completing for clients.

“Questions of material fact remain for the jury to decide with respect to the nature and extent of such possible impairment, as well as the losses, if any, resulting from the impairment,” the court ruled.

The court concluded that the policy’s term “actual impairment” is broad enough to include the plaintiff’s reallocation of resources from its regular services to efforts to remediate the effects on its clients. At the same time, the court noted that a jury could reasonably find that the plaintiff’s reallocation of resources did not constitute impairment because the reallocation was not necessitated by the data breach but, rather, resulted from another intervening factor—namely, the business decision by the plaintiff.

The court acknowledged that this case presents a “unique situation in which the steps an insured party took to remediate a data breach look similar to the work the insured party typically performs.” This case is “also unique because the plaintiff may have been independently responsible for remedying the effects of the data breach on its clients even if the breach had originated from another source,” the judge noted.

The judge said the court will set a trial date and deadlines for pretrial submissions.