Insurer, Tech Services Firm Settle Claim for Business Lost While Helping Clients Recover From Breach

A technology and cybersecurity services firm and its insurer have settled a business interruption claim linked to a data breach one month after a federal judge denied the insurer’s bid to have the claim dismissed.

The claim involved business losses New England Systems (NES) said it incurred while it was busy restoring the systems of its clients that were affected by its data breach.

Citizens Insurance had maintained that NES did not suffer any disruption to its business activities and did not lose any income as a result of the data breach.

Judge Sarala V. Nagala of the U.S. District for Connecticut reported that the two reached a settlement on January 26 after an almost six hour hearing before another judge. Terms of the settlement were not disclosed.

In December, Judge Nagala found that a reasonable jury could find that NES suffered business interruption losses during the time it took to restore its clients’ systems after the breach. She therefore denied Citizens’ bid for summary judgment and cleared the claim to proceed to trial, which has now been avoided due to the settlement.

As a result of a June 2019 data breach, bad actors were able to access some of NES’ clients’ systems. The data breach impacted only one of the NES’ own systems.

NES decided to remediate the clients’ issues on its own rather than involve an outside firm because, according to its testimony, retaining another company would cause “more work than less” and would not “speed up the process” of remediation.

Judge Permits Claim for Business Lost While Helping Clients Recover From Data Breach

Six months after the breach, NES asserted a first-party claim for damages and demanded that Citizens pay up to the full $250,000 limit under the policy’s data breach provision. NES claimed it suffered business losses as a result of contract cancellations and non-renewals, cancelled or lost projects, and lost subscription fees.

NES sued after Citizens denied its claim.

Citizens contended that NES did not lose any income as a result of the data breach. The insurer pointed to figures indicating that the insured’s total income was higher than in the past between 2018 and 2019 and for the three months following the breach. Citizens further argued that the breach did not require NES to remediate the effects on its clients all by itself but it made a business decision to do so.

Over Citizens’ objection, the court found that NES provided sufficient evidence to withstand summary judgment on the issue of damages, including evidence that it could not perform some of the projects it had anticipated completing for clients.

The court also concluded that the policy’s term “actual impairment” was broad enough to include the plaintiff’s reallocation of resources from its regular services to efforts to remediate the effects on its clients, although a jury could also reasonably find that the reallocation did not constitute impairment.

The court acknowledged that this case presents a “unique situation in which the steps an insured party took to remediate a data breach look similar to the work the insured party typically performs.”

In the same December ruling, the judge dismissed a bad faith complaint brought by NES against Citizens. The judge said there was no evidence that Citizens acted in bad faith; rather the evidence suggested that the claim was fairly debatable.