Fairly Debatable Claim Defeats Bad Faith Amendment

Published July 19, 2022

What is a Man in the Middle Attack?

An unknown individual (“fraudster”) gained unauthorized access to the e-mail account of Fishbowl’s accountant, Ms. Wendy Williams. Once inside Ms. Williams’ e-mail account, the fraudster created certain “rules” to redirect certain e-mail communications within the e-mail system. One rule redirected e-mail communications containing certain keywords to an e-mail account that is not associated with Fishbowl. Another rule marked e-mail communications sent from “fedins.com” as having already been “read,” and automatically stored them in the “RSS Subscriptions” folder. These rules prevented Ms. Williams from noticing certain e-mail communications, including e-mails from Federated Insurance regarding invoice payments.
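The two rule patterns described above can be checked for in an export of mailbox rules. The following is an added example, not part of the original article or the court record; the rule field names, the `fishbowl.example` domain, the keywords and the external address are constructed for illustration.

```python
# Added example: field names are hypothetical, not any mail server's real schema.
# "RSS Subscriptions" is the folder named in the case; the others are assumptions.
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "rss feeds", "archive"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_rules(rules, org_domains):
    """Return (rule name, reason) pairs for rules matching either pattern."""
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        # Pattern 1: mail is redirected to a mailbox outside the organization.
        external = [a for a in rule.get("redirect_to", []) if domain_of(a) not in org]
        if external:
            findings.append((rule["name"],
                             "redirects to external address: " + ", ".join(external)))
        # Pattern 2: mail is marked read and filed where the owner rarely looks.
        folder = (rule.get("move_to_folder") or "").lower()
        if rule.get("mark_as_read") and folder in LOW_VISIBILITY_FOLDERS:
            senders = ", ".join(rule.get("from_domains", [])) or "any sender"
            findings.append((rule["name"],
                             f"hides mail from {senders} in '{rule['move_to_folder']}'"))
    return findings

# Constructed sample export: two rules shaped like those in the case, two benign.
SAMPLE_RULES = [
    {"name": ".", "subject_keywords": ["invoice", "payment"],
     "redirect_to": ["collector@mail.example"]},
    {"name": "..", "from_domains": ["fedins.com"],
     "mark_as_read": True, "move_to_folder": "RSS Subscriptions"},
    {"name": "Newsletters", "from_domains": ["news.example"],
     "move_to_folder": "Newsletters"},
    {"name": "Copy to assistant", "redirect_to": ["assistant@fishbowl.example"]},
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, {"fishbowl.example"}):
        print(f"rule {name!r}: {reason}")
```
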

In Fishbowl Solutions, Inc. v. The Hanover Insurance Company, No. 21-cv-00794 (SRN/BRT), United States District Court, D. Minnesota (May 9, 2022) it became clear that the purpose of the scheme was to trick Fishbowl’s customers into paying invoices to the fraudster without Fishbowl noticing. Pursuant to this scheme, the fraudster directed six of Fishbowl’s customers to change how and where to make their payments. By employing a variety of techniques to conceal the scheme, the fraudster posed as Ms. Williams when communicating by e-mail with Federated Insurance. The fraudster also posed as Federated Insurance when communicating by e-mail with Ms. Williams. As a result of the scheme, Federated Insurance made two payments to the fraudster, totaling $176,962. The fraudster was a classic man in the middle who attacked Fishbowl to the tune of more than $176,962.

Fishbowl discovered the scheme and informed the six customers; five of them were able to recall or redirect their payments. However, Federated Insurance was unable to do so. Although the United States Secret Service recovered $29,035.79 of the monies paid by Federated Insurance to the fraudster, Fishbowl suffered a loss of the difference, which totaled $147,926.21.

Fishbowl is a software company. It creates and customizes packaged software for its customers using the latest technologies. This software helps customers innovate and access information.

The Policy

Hanover issued a Technology Professional Liability Policy to Fishbowl. The Policy provides “Cyber Business Interruption and Extra Expense” coverage (the “Coverage”), as follows:

“We will pay actual loss of ‘business income’ and additional ‘extra expense’ incurred by you during the ‘period of restoration’ directly resulting from a ‘data breach’ which is first discovered during the ‘policy period’ and which results in an actual impairment or denial of service of ‘business operations’ during the ‘policy period.’”

The term “[b]usiness income” includes net income “that would have been earned or incurred if there had been no impairment or denial of ‘business operations’ due to a covered ‘data breach.’” “Business operations” means Fishbowl’s “usual and regular business activities.” “Data breach” is defined in seven different ways in the Policy.

The Insurance Claim

Hanover received Fishbowl’s insurance claim seeking reimbursement for business interruption and losses due to the fraudster’s conduct. Within a few weeks, Hanover denied the claim.

The Civil Suit

Fishbowl sued, alleging breach of contract and seeking declaratory and monetary relief. During discovery, Fishbowl deposed the claims manager. Fishbowl alleged that the claims manager testified that, as defined by the Policy, Fishbowl “sustained a data breach” and “had suffered an actual loss of business income.”

Plaintiff’s Motion to Amend

Fishbowl timely moved to amend the Complaint, seeking to add a claim for bad faith. Fishbowl contended that Hanover acted with bad faith by repeatedly ignoring, and by failing to properly investigate, its claim and by failing to cover its loss.

The Order

The magistrate judge denied the motion to amend as futile. In reaching that decision, the court analyzed whether Plaintiff had plausibly pleaded a claim for bad faith in the Proposed Amended Complaint.

The magistrate judge found that Fishbowl failed to plausibly plead the second prong of the test. The court concluded that it is an unresolved legal question whether the Coverage applied to losses caused by a “man in the middle” cyberattack. Because the law is unresolved, the court found the issue “fairly debatable,” and therefore it cannot serve as a basis for a claim of bad faith.

The Federal Rules of Civil Procedure provide that “[t]he court should freely give leave [to amend a pleading] when justice so requires.” Fed.R.Civ.P. 15(a)(2). But “[a] district court may appropriately deny leave to amend where there are compelling reasons such as . . . futility of the amendment.”

An amendment is futile where the proposed amended claim would not withstand a motion to dismiss for failure to state a claim. Although a complaint need not contain detailed factual allegations, it must allege facts with enough specificity to raise a right to relief above the speculative level. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, are insufficient.

The Minnesota Legislature has created a private cause of action to penalize bad faith denial of benefits by insurance providers. Under the statute, a party, after commencing a civil suit, may make a motion to amend the pleadings to claim recovery of taxable costs. The applicable legal basis for establishing a claim under the statute is a two-prong test, which is as follows:

The court may award as taxable costs to an insured . . . if the insured can show:

(1) the absence of a reasonable basis for denying the benefits of the insurance policy; and

(2) that the insurer knew of the lack of a reasonable basis for denying the benefits of the insurance policy or acted in reckless disregard of the lack of a reasonable basis for denying the benefits of the insurance policy.

At this stage of the proceedings, plaintiff needs to plausibly plead facts that demonstrate each prong of the test.

First: the pertinent question is “whether a reasonable insurer under the circumstances would not have denied the insured the benefits of the insurance policy.”

A reasonable insurer would not have denied the benefits when there was a covered data breach. Accordingly, the Court found that Plaintiff has plausibly pleaded the first prong.

Second: the plaintiff must pass a subjective test, requiring a certain mens rea on the part of the insurer. Specifically, it requires an insured to prove that the insurer knew, or recklessly disregarded or remained indifferent to information that would have allowed it to know, that it lacked an objectively reasonable basis for denying the insured’s claim for benefits.

Even if Plaintiff is correct as to the failures of Hanover’s investigation, a district court will not grant a motion to amend the pleadings to add a bad faith claim where it is “fairly debatable” whether coverage applies.

Even if Plaintiff’s legal interpretation of the Policy might prevail, the fact that the issue is legally debatable precludes a bad faith claim. In the absence of any case law that controls whether a “man in the middle” attack constitutes a data breach under the Policy, the Court finds Hanover’s interpretation reasonable.

The Magistrate Judge’s April 6, 2022 Order was affirmed.

Bad faith requires a mens rea or an evil intent. When the law is unclear and the insurer fairly argues an issue that is debatable and where there is no dispositive case law, the issue is fairly debatable and there is no basis for seeking damages for the tort of bad faith.

(c) 2022 Barry Zalma & ClaimSchool, Inc.

Barry Zalma, Esq., CFE, now limits his practice to service as an insurance consultant specializing in insurance coverage, insurance claims handling, insurance bad faith and insurance fraud almost equally for insurers and policyholders. He practiced law in California for more than 44 years as an insurance coverage and claims handling lawyer and more than 54 years in the insurance business. He is available at http://www.zalma.com and zalma@zalma.com.