An article by attorneys at Barnes & Thornburg LLP discusses a court case that serves as a useful reminder of how provisions of cyber policies may be interpreted when it comes to coverage of cyber-related incidents — even when those incidents are not data breaches.
In 2016, Southwest Airlines suffered a computer system failure that resulted in $77 million in losses.
As Avedis Bekhloyan and Scott N. Godes describe it, Southwest received $50 million in reimbursement from its primary insurer and the first three layers of its excess insurance, but Liberty Insurance Underwriters denied excess coverage for five loss categories: “1) discount codes, 2) travel vouchers, 3) cover refunds (to compensate customers for alternate travel arrangements), 4) Rapid Rewards Points (redeemable for airline tickets for members of its frequent flyer program), and 5) advertising costs (incurred to extend a sale that Southwest was conducting at the time of the system failure).” Liberty argued that the losses were not incurred solely as a result of the system failure, but rather as a result of Southwest’s business decisions in the aftermath of that system failure.
Southwest filed suit against Liberty, and the U.S. District Court for the Northern District of Texas granted summary judgment for Liberty. On Jan. 16, 2024, however, the U.S. Court of Appeals for the Fifth Circuit reversed the district court’s decision. Bekhloyan and Godes write:
In coming to its conclusion, the court focused on the meaning of three key terms. First, the court concluded that the five categories of costs are “losses” under the policy’s “lenient but-for causation standard” (i.e., “costs that would not have been incurred but for a Material Interruption”). Second, the court also cited the dictionary definition of “incur” as “to bring down upon oneself” and concluded that the five categories of costs were “losses” that Southwest “incurred” because they were ones that Southwest brought upon itself. Third, the court disagreed with Liberty’s argument that “the system failure cannot be the sole cause of Southwest’s claimed costs because the ‘independent’ and ‘more direct’ cause of those losses was Southwest’s decision to incur them.” (emphasis added) (i.e., that the costs were purely discretionary and therefore not covered).
Read more about the case at The National Law Review. The authors provide a useful takeaway:
As we take off into 2024 and onward, the Fifth Circuit’s decision is a reminder that when seeking coverage under cyber insurance policies for system failures and other business interruption claims, a best practice when insurers deploy narrow policy interpretations is to review the status of the law. Sometimes, insurers force policyholders to go to court to get the coverage that policyholders thought that they bought in the first place.
The full decision can be found on FindLaw.