1 2 3
4 5 UNITED STATES DISTRICT COURT 6 WESTERN DISTRICT OF WASHINGTON AT SEATTLE 7 CONNELLY LAW OFFICES, PLLC, CASE NO. 25-cv-00302-JHC 8
Plaintiff, ORDER 9 v. 10 COWBELL CYBER, INC., SPINNAKER 11 INSURANCE COMPANY,
12 Defendants. 13
14 I 15 INTRODUCTION 16 This matter comes before the Court on Defendants’ motion to dismiss. Dkt. # 18. 17 Plaintiff, Connelly Law Offices, PLLC, claims that Defendants, Cowbell Cyber Inc. (Cowbell) 18 and Spinnaker Insurance Company (Spinnaker), breached their duty to indemnify under a 19 Commercial Cyber Insurance Policy. Dkt. # 1. Plaintiff further claims common law bad faith, 20 violation of the Washington Consumer Protection Act (CPA), and noncompliance with the 21 Washington Insurance Fair Conduct Act (IFCA). Id. Defendants now seek partial dismissal 22 under Federal Rule of Civil Procedure 12(b)(6). Dkt. # 18. For the reasons below, the Court 23 GRANTS in part and DENIES in part the motion to dismiss. 24 1 II 2 BACKGROUND 3 A. Factual Background
4 This factual background is based on the allegations in the Complaint, which the Court 5 accepts as true on a Rule 12(b)(6) motion to dismiss. Dkt. # 1. 6 1. The Cyber Attack 7 Cary Woods II (Woods) is a personal injury attorney in Miami, Florida, and the owner of 8 Cary Woods II, P.A d/b/a Law Offices of Cary Woods II (Woods Law) (collectively, the Woods 9 Claimants). Dkt. # 1 at 3. Woods Law and Plaintiff worked together to litigate a case in Pierce 10 County Superior Court on behalf of Darell and Tamicia McCutcheon, McCutcheon v. Town of 11 Steilacoom, Case No. 23-2-04528-4 (McCutcheon). Id. In April 2024, this lawsuit resolved for 12 $15,000,000. Id. These funds were then deposited into Plaintiff’s trust account for distribution.
13 Id. Under the fee agreement, the Woods Claimants were to receive $1,500,000 for attorney fees 14 and $1,885.55 for costs—a total payment of $1,501,885.55. Id. 15 Unbeknownst to Plaintiff, in June 2024, it suffered a security breach that allowed hackers 16 to obtain unauthorized access to the security codes and passwords of its employees’ email 17 accounts. Id. at 3. These hackers accessed financial information unavailable to the public, 18 including undisclosed details about the McCutcheon settlement. Id. at 4. The hackers also used 19 their access to create “rules” that diverted emails from Woods to Plaintiff’s employees about 20 McCutcheon, and then they created a spoofed email account to impersonate Woods. Id. at 3–4. 21 The hackers were thus able to intercept and delete emails sent by Woods to Plaintiff’s 22 employees, and they were able to email Plaintiff’s employees impersonating Woods. Id.
23 Plaintiff acknowledges this occurred because of its own failure to prevent unauthorized access to 24 the security codes and passwords of its employees’ email accounts. Id. 1 Around the same time, one of Plaintiff’s employees—Micah LeBank—emailed Woods at 2 cwoods@carywoodslaw.com and asked for tax information about his firm. Id. at 4. Later in 3 June 2024, LeBank again emailed Woods and asked where he should mail his attorney fees from
4 the McCutcheon settlement. Id. The same day, LeBank received an email from 5 cwoods@carywoodlaw.com (the hackers’ spoofed email account, which does not have an “s” in 6 the domain name) that said, “I am in Europe for vacation, please will you be able wire the 7 funds?” Id. LeBank did not notice this message came from a different email account and he 8 responded, “Send us wiring instructions and we can set it up.” Id. The hackers then sent wiring 9 instructions for a fraudulent CitiBank account to LeBank. Id. 10 Over the following weeks, the hackers continued to intercept emails sent from Woods, 11 delete them, and then resend them from the spoofed email account. Id. at 5. The hackers also 12 used their access to send Woods messages from LeBank’s email account impersonating LeBank.
13 Id. 14 In July 2024, Plaintiff’s office manager, Sarah Streck, emailed LeBank and asked for 15 Woods’s phone number so that she could call him and telephonically confirm the wiring 16 instructions. Id. The hackers intercepted this email too. Id. They then sent Streck a fake phone 17 number, so that they could impersonate Woods. Id. Streck called this number and unwittingly 18 “verified” the wiring instructions with the hackers. Id. Plaintiff then wired $1,501,885.55 to the 19 fraudulent CitiBank account. Id. at 6. Around the same time, the hackers used their access to 20 LeBank’s account to send Woods an email telling him that he would receive a check for his 21 money once Streck returned from vacation. Id. Because of this misdirection, Plaintiff did not 22 realize that it had been defrauded until nine days later. Id.
23 When the fraud was finally discovered, the Woods Claimants brought a claim against 24 Plaintiff for the loss of the money wired to the fraudulent account. Id. The claim alleged that 1 Plaintiff allowed the security breach to occur and that Plaintiff failed to prevent unauthorized 2 access to the security codes and passwords of its employees’ email accounts. Id. The claim 3 further alleged that Plaintiff’s failure to prevent this unauthorized access directly resulted in the
4 loss of the $1,501,855.55. Id. 5 2. The Policy 6 At the time of the cyber-attack, Plaintiff was insured under a Commercial Cyber 7 Insurance Policy, Prime Cyber Risk Insurance Policy No. FLY-CB-DU1RCVKXK-003 (the 8 Policy). Dkt. # 1 at 2; see Dkt. # 1-1. Plaintiff purchased this insurance from Defendants to 9 protect itself in the event of a cyber-attack or computer security breach. Dkt. # 1 at 3. The 10 Policy provides coverage on a claims-made and reported basis and applies only to claims made 11 and reported during the policy period. Id. 12 During the policy period, Plaintiff tendered the claim from the Woods Claimants to
13 Defendants. Id. at 6. The Woods Claimants demanded that Defendants pay the Policy limit of 14 $1,000,000 to settle this claim. Id. Defendants agreed to defend the claim under a reservation of 15 rights. Id. 16 Citibank was contemporaneously able to recover $379,592.52 lost in the fraud and 17 returned this money to Plaintiff. Id. at 6. This reduced the total amount lost to $1,122,293.03. 18 Id. 19 Charles River Associates (CRA) also conducted a forensic computer analysis around this 20 time and determined the credentials for LeBank’s email account were compromised. Id. at 6–7. 21 CRA determined these credentials were used to set up unauthorized rules and send unauthorized 22 emails from his account. Id. Plaintiff provided Defendants with the results of CRA’s analysis.
23 Id. at 7. Plaintiff likewise alleges that Defendants had the opportunity to fully explore the details 24 of CRA’s investigation. Id. 1 Although Defendants maintained that no coverage was available for the claim, Plaintiff 2 nonetheless sought to settle with the Woods Claimants. Id. In November 2024, Plaintiff 3 informed Defendants of its intention to settle. Id. Defendants responded and reiterated that they
4 denied any indemnity obligation. Id. But Defendants agreed that they would not raise lack of 5 consent or that the payment constituted a voluntary payment so long as the settlement was for no 6 more than $1,122,263.03 plus accrued interest. Id. Plaintiff then entered an “Agreement, 7 Release, and Assignment of Claims with Cary Woods II and the Law Offices of Cary Woods, II” 8 (Settlement Agreement) for $1,501,885.55. Id. at 7–8. 9 The next month, Plaintiff informed Defendants that it intended to sue them for denying 10 the claim and thereby violating IFCA. Id. at 8; see RCW 48.30.015(8). Defendants responded 11 by once again denying the claim because there was no evidence that hackers gained access to 12 LeBank’s email password. Dkt. # 1 at 8. In any event, Defendants did eventually pay $100,000
13 towards the claim under the Policy’s Social Engineering Endorsement. Id. at 9. 14 B. Procedural History 15 Plaintiff brings four causes of action against Defendants. Id. at 10–14. First, Plaintiff 16 claims a breach of the duty to indemnify as required by the terms and conditions of the Policy. 17 Id. at 10. Second, Plaintiff claims Defendants have engaged in common law bad faith for their 18 failure to appropriately investigate and handle the claim. Id. at 10–12. Third, Plaintiff says 19 Defendants’ unfair and deceptive acts have violated the CPA. Id. at 13. Fourth, Plaintiff asserts 20 that Defendants have violated IFCA because they have refused to provide the benefits owed to 21 Plaintiff under the Policy. Id. at 14. Plaintiff seeks damages, attorney fees and costs, and all 22 other just and proper relief. Id. at 15.
23 Pursuant to Rule 12(b)(6), Defendants move to dismiss Plaintiff’s first cause of action; 24 Defendants also seek dismissal of the first, third, and fourth causes of action against Defendant 1 Cowbell. Dkt. # 18. Defendants argue that they have paid the full Social Engineering Sublimit 2 of $100,000, defended Plaintiff against the claim brought by the Woods Claimants, and helped 3 Plaintiff to recover $379,592.52 from Citibank. Id. Because there is about a $1,000,000
4 shortfall between the amount paid in the Settlement Agreement and the amount it wired to the 5 fraudulent bank account, according to Defendants, Plaintiff now seeks to manufacture coverage 6 that is not owed under the Policy. Id. 7 III 8 DISCUSSION 9 A. Motion to Dismiss Standards 10 “To survive a motion to dismiss, a complaint must contain sufficient factual matter, 11 accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 12 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Upon
13 such a motion, a court accepts all factual allegations in the complaint as true and construes them 14 in the light most favorable to the nonmoving party. Chubb Custom Ins. Co. v. Space Sys./Loral, 15 Inc., 710 F.3d 946, 956 (9th Cir. 2013). But a “court need not . . . accept as true allegations that 16 contradict matters properly subject to judicial notice or by exhibit. Nor is the court required to 17 accept as true allegations that are merely conclusory, unwarranted deductions of fact, or 18 unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). 19 (quoting Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001)). 20 // 21 // 22 //
23 // 24 // 1 B. Duty to Indemnify 2 In Washington, insurance policies are construed as contracts and the language of a policy 3 is interpreted as a matter of law.1 Findlay v. United Pac. Ins. Co., 129 Wash.2d 368, 378, 917 4 P.2d 116 (1996); Expedia, Inc. v. Steadfast Ins. Co., 180 Wash. 2d 793, 802, 329 P.3d 59 (2014). 5 The policy must be construed as a whole and given a “fair, reasonable, and sensible construction 6 as would be given to the contract by the average person purchasing insurance.” Am. Nat. Fire 7 Ins. Co. v. B & L Trucking & Const. Co., 134 Wash. 2d 413, 427, 951 P.2d 250 (1998) (internal 8 citation omitted). If the language of the policy is unambiguous, “the court must enforce it as 9 written and may not modify it or create ambiguity where none exists.” Id. (internal citation 10 omitted). But “[u]nresolved ambiguities are resolved against the drafter-insurer and in favor of 11 the insured. Queen City Farms, Inc. v. Cent. Nat. Ins. Co. of Omaha, 126 Wash. 2d 50, 68, 882 12 P.2d 703 (1994) (internal citation omitted). “A clause is ambiguous when, on its face, it is fairly
13 susceptible to two different interpretations, both of which are reasonable.” Am. Nat. Fire Ins. 14 Co., 134 Wash. 2d at 428 (internal citation omitted). 15 1. Language of the Policy 16 The language of an insurance policy should be construed according to its ordinary 17 meaning. Queen City Farms, 126 Wash. 2d at 81. If the policy defines a term, “then the term 18 will be interpreted in accordance with that policy definition.” Black v. Nat’l Merit Ins. Co., 154 19 Wash. App. 674, 679, 226 P.3d 175 (2010). If the policy does not define a term, then it must be 20 given its “plain, ordinary, and popular meaning.” Id. at 680 (internal citation omitted). Courts 21 22
23 1 The parties do not dispute that Washington substantive law applies to this matter. Dkt. ## 18, 21, and 24; see Cuprite Mine Partners LLC v. Anderson, 809 F.3d 548, 554 (9th Cir. 2015) (“[F]ederal 24 courts sitting in diversity apply state substantive law.”). 1 look to the dictionary to determine the common meaning of an undefined term. Id. (internal 2 citation omitted). 3 The parties’ primary dispute centers on whether the settlement between the Woods
4 Claimants and Plaintiff is covered under the Policy’s Security Breach Liability insuring 5 provision. Defendants offer two grounds for denying coverage under this provision. First, they 6 assert that the funds at issue were owed under the fee agreement in McCutcheon, and a 7 preexisting contractual obligation cannot be considered a Loss as a result of a Claim for a 8 Wrongful Act. Dkt. # 18 at 15–17. Second, they say that the “Claim must be for a Wrongful 9 Act,” and that this denotes a strict causal connection between the Claim and the Wrongful Act. 10 Id. at 17–20. Defendants say Plaintiff cannot show the requisite causal nexus. Id. Plaintiff 11 responds that the settlement falls within the plain language of the Policy and argues that 12 coverage for liability caused by a third-party’s criminal conduct is not extinguished by the mere
13 existence of a contract. Dkt. # 21 at 14–20. Plaintiff also disputes that it has not adequately 14 alleged the requisite causal nexus between the Claim and the Wrongful Act. Id. at 20–21. It 15 says there “is a clear nexus between the security breach and the loss of funds” because “[w]ithout 16 the security breach[,] the cyber criminals would never have learned about the settlement and 17 funds transfer and the funds would not have been stolen.” Id. at 21. 18 In the Court’s view, the language of the Security Breach Liability insuring provision is, at 19 best for Defendants, ambiguous and thus must be construed in Plaintiff’s favor. This provision 20 covers, in pertinent part, “Loss . . . as a result of a Claim . . . for a Wrongful Act[.]” Dkt. # 1-1 21 at 9. And the Policy provides the following definitions for these terms: 22 • Loss: “Compensatory damages, settlement amounts and costs awarded pursuant to
23 judgments or settlements[.]” 24 1 • Claim: “A written demand for monetary or nonmonetary damages, including but not 2 limited to injunctive relief[.]” 3 • Wrongful Act: “[A]ny actual or alleged: a. Security Breach; b. Failure to prevent
4 unauthorized access to, or use of, electronic or non-electronic data containing 5 Personal Information.” 6 Dkt. # 1-1 at 9–14. According to these definitions, the $1,501,885.55 Plaintiff tendered to the 7 Woods Claimants as part of their Settlement Agreement qualifies as a Loss because Plaintiff 8 alleges this money is a “settlement amount[] . . . awarded pursuant to . . . settlement[.]” Dkt. # 1 9 at 6–7; Dkt. # 1-1 at 9. Plaintiff further alleges it entered the Settlement Agreement with the 10 Woods Claimants as a result of the claim they brought against it. Dkt. # 1 at 6–8. This claim 11 was for the security breach that “directly resulted in the loss of $1,501,885.55.” Id. at 6. This 12 claim also meets the definition of a Claim under the Policy because it was a “written demand for
13 monetary . . . damages[.]” Id.; Dkt. # 1-1 at 10. Finally, for the purposes of the instant motion 14 only, Defendants do not deny that Plaintiff’s failure to prevent the unauthorized acquisition of its 15 employee’s email password and surreptitious access to his email account is a Wrongful Act. 16 Dkt. # 24 at 7 n.1. 17 The ambiguity in this provision, if any, arises from the word “for,” as it is used in the 18 clause “Claim . . . for a Wrongful Act.” Dkt. # 1-1 at 9 (italics emphasis added). This word is 19 not defined in the Policy, so the Court looks to a dictionary to determine its “plain, ordinary, and 20 popular” meaning. Black, 154 Wash. App. at 680. One definition of “for” is “a function word to 21 indicate the object or recipient of a[n] . . . activity.” Merriam-Webster’s Dictionary (11th ed. 22 2025), https://www.merriam-webster.com/dictionary/for. Under this definition, although it
23 seems to be a stretch, it could be understood that Plaintiff’s Claim is not for a Wrongful Act. 24 That is, Plaintiff does not allege the Woods Claimants issued a written demand for money 1 damages simply because Plaintiff failed to prevent hackers from accessing its employees’ email 2 accounts—there were the intervening acts of the hackers in the causal chain. See generally Dkt. 3 # 1. The Woods Claimants filed suit because hackers obtained access to the employees’ email
4 accounts, spoofed messages between Woods and Plaintiff, impersonated Woods over the 5 telephone, and only then diverted the funds intended to satisfy the fee agreement into a 6 fraudulent CitiBank account. Id. at 4–6. In Defendants’ view, this means the Wrongful Act does 7 not form the basis of the relief sought and there is too remote a connection between the Claim 8 and Wrongful Act to qualify for coverage under the Security Breach Liability insuring provision. 9 Dkt. # 18 at 17–18. 10 Regardless of whether the foregoing rises to the level of a reasonable interpretation, there 11 is another definition of “for,” which the Court deems reasonable here: “because of.” Merriam- 12 Webster’s Dictionary (11th ed. 2025), https://www.merriam-webster.com/dictionary/for.2 And 13 Plaintiff does allege that because of its failure to prevent hackers from accessing one of its 14 employee’s email accounts, the Woods Claimants issued a written demand for money damages. 15 Dkt. # 1 at 6. Said differently, Plaintiff alleges its failure to prevent unauthorized access to an 16 employee’s email account directly resulted in the loss of the money Plaintiff intended to pay the 17 Woods Claimants under the fee agreement and the subsequent written demand for money 18 damage. Id. This interpretation of the Security Breach Liability insuring provision is reasonable 19 because it employs a common meaning of “for,” as found in the dictionary. Assuming the 20 Security Breach Liability insuring provision is ambiguous, it must be construed in favor of 21 Plaintiff. Queen City Farms, 126 Wash. 2d at 68. 22
2 Defendants look to the American Heritage Dictionary to define “for” as, “used to indicate the 23 object or purpose of an action or activity,” Dkt. # 18 at 17; this source also defines “for” as, “[a]s a result of; because of.” American Heritage Dictionary (5th ed. 2022), 24 https://ahdictionary.com/word/search.html?q=for. 1 Defendants raise two arguments that urge the Court to reach a different interpretation of 2 this provision. First, they say that an agreement compelling an insured to pay money it was 3 already required to pay under a contract cannot be considered a Loss as a result of a Claim for a
4 Wrongful Act. Dkt. # 18 at 15. Second, they say that the term “for” denotes a strict causal 5 connection in the context of insurance grants. Id. at 18. This Order next considers these 6 arguments. 7 a. Loss as a result of a Claim for a Wrongful Act 8 Defendants say Sauter v. Houston Cas. Co. controls the outcome here because it 9 establishes that an agreement compelling an insured to pay money it was already obligated to 10 pay under a contract cannot be a Loss as a result of a Claim for a Wrongful Act.3 168 Wn. App. 11 348, 349, 276 P.3d 358 (2012); Dkt. # 18 at 15. In Sauter, S-J Management, LLC (SJM) entered 12 a business loan agreement with The Commerce Bank of Washington, N.A. (Commerce Bank) 13 and Commerce Bank extended SJM a $3.5 million line of credit. Id. at 350. Michael Sauter, 14 SJM’s CEO and manager, signed the loan agreement and promissory note in his official capacity 15 on behalf of SJM. Id. To comply with the loan agreement, Sauter then guaranteed payment of 16 SJM’s indebtedness to Commerce Bank (the guaranty), and he secured the guaranty with deeds 17 of trust on real property owned by him and his wife. Id. SJM thereafter failed to pay its 18 indebtedness to Commerce Bank, and the bank sought payment in full on the guaranty, a sum 19 greater than $2.8 million. Id. When Sauter demanded indemnification from SJM for the amount 20 he owed Commerce Bank, SJM could not indemnify Sauter for the same reason it could not 21 repay its loan—it was insolvent. Id. at 351. Commerce Bank sent multiple notices of default to 22
3 Defendants cite several other cases to support a similar argument, but these cases are of little 23 persuasive value because none apply Washington law, and, as noted above, it is undisputed that Washington law controls the interpretation of the Security Breach Liability insuring provision. See Dkt. # 24 18 at 16-18. 1 Sauter and informed him that failure to cure the default on the guaranty could result in the sale of 2 his real properties. Id. Counsel for SJM provided the demand on the guaranty from Commerce 3 Bank, Sauter’s indemnification letter to SJM, and the notices of default on Sauter’s properties to
4 Houston Casualty Company (Houston Casualty). Id. But Houston Casualty informed SJM that 5 coverage was unavailable under the directors’ and officers’ (D & O) liability policy that insured 6 SJM’s members and officers because no act by Sauter was a Wrongful Act and because Sauter 7 did not suffer a Loss. Id. at 353. 8 Among other arguments, Sauter contended that the obligation to Commerce Bank 9 pursuant to the guaranty was a Loss that the Houston Casualty policy provided coverage for. Id. 10 at 359. Conversely, Houston Casualty urged the court to conclude that the repayment of a loan is 11 not a Loss and, more generally, that liability insurance does not insure against this sort of 12 obligation. Id. As the court acknowledged, “Washington courts have not previously addressed
13 whether a voluntary contractual obligation, such as an obligation to repay a loan, constitutes a 14 ‘Loss’ that may be insured against,” but elected not to reach this issue. Id. at 360. Instead, the 15 court said that it “need not look beyond the explicit language of the Houston Casualty policy in 16 order to determine that Sauter’s purported ‘Loss’ [was] not covered by that policy, regardless of 17 whether his obligations pursuant to the guaranty constitute[d] a ‘Loss’ as defined therein.” Id. 18 This was because the policy provided it would only cover “Loss resulting from any Claim . . . for 19 a Wrongful Act,” so coverage was only available for Sauter’s guaranty obligation if that 20 obligation resulted from Commerce Bank’s demand for payment on the guaranty. Id. But 21 Sauter’s obligation to Commerce Bank did not result from the bank’s demand on the guaranty, 22 his obligation resulted from the guaranty itself. Id. at 361. The court thus concluded the
23 guaranty was not a Loss resulting from any Claim for a Wrongful Act and this obligation was not 24 covered under the policy. Id. 1 The allegations here are markedly different. Plaintiff does not allege it was unable or 2 unwilling to pay the money it owed the Woods Claimants under the fee agreement in 3 McCutcheon, and Plaintiff does not seek coverage under the Security Breach Liability agreement
4 for this monetary obligation. But Plaintiff does allege that it negligently allowed hackers to 5 access an employee’s email account, the hackers intercepted and spoofed emails between Woods 6 and Plaintiff, and then the hackers convinced Plaintiff’s office manager to wire the money 7 intended to satisfy the fee agreement to the wrong bank account. Dkt. # 1 at 3–6. Plaintiff 8 further claims that it settled with the Woods Claimants for $1,501,855.55 after Woods and 9 Woods Law sued Plaintiff and alleged Plaintiff’s failure to prevent unauthorized access to its 10 employee’s email account directly resulted in the loss of this money. Id. at 6–7. So, unlike 11 Sauter, Plaintiff does not allege that it seeks coverage for money owed under a contractual 12 obligation (the fee agreement in McCutcheon). Rather, Plaintiff claims it seeks coverage for the
13 settlement entered with the Woods Claimants after the money intended to satisfy their fee 14 agreement was wired to the wrong bank account. Id. at 9. Plaintiff also says it entered this 15 settlement because it failed to prevent the unauthorized access of an employee’s email account 16 that directly resulted in the loss of this money. Id. Of course, the dollar value Plaintiff owed 17 under the fee agreement and the money it seeks coverage for are the same because it intended to 18 satisfy the fee agreement at the time the money was stolen. Id. at 6. But unlike Sauter, Plaintiff 19 does not allege its duty to pay the Woods Claimants arises from a preexisting contractual 20 obligation. To the contrary, Plaintiff seeks coverage for the security breach that caused funds to 21 be transferred to the wrong bank account and the subsequent settlement between Plaintiff and the 22 Woods Claimants for failing to prevent this security breach. Id. at 8–9.
23 The Court can also conclude Sauter does not control the outcome here because the Sauter 24 court confined its analysis to the Houston Casualty insurance policy at issue there. Sauter, 168 1 Wash. App. at 360 (“we need not look beyond the explicit language of the Houston Casualty 2 policy in order to determine that Sauter’s purported ‘Loss’ is not covered by that policy”). Also, 3 the Sauter court decided not to set forth a broader rule that, generally, liability insurance does not
4 insure against money owed under a preexisting contractual obligation. Id. at 359. (“Houston 5 Casualty urges us to determine that the repayment of a loan does not constitute a ‘Loss’ and that 6 more generally, liability insurance is not intended to insure against such an obligation. Here, 7 however, the policy language itself resolves the issue of coverage[.]”). 8 b. Strict Causal Connection 9 Defendants also say, “Courts have uniformly determined that ‘for’ denotes a narrow 10 causal connection” in the context of insurance grants. Dkt. # 18 at 18. But they cite no 11 Washington authority for this proposition.4 Id. What is more, the Washington Supreme Court 12 has instructed that “[i]f the portion of the policy being considered is an inclusionary clause in the 13 insurance policy, the ambiguity should be liberally construed to provide coverage whenever 14 possible.” Ross v. State Farm Mut. Auto. Ins. Co., 132 Wash. 2d 507, 515–16, 940 P.2d 252 15 (1997) (emphasis removed); see Diaz v. Kubler Corp., 785 F.3d 1326, 1329 (9th Cir. 2015) 16 (federal courts are bound to follow the decision of the state’s highest court when interpreting 17 state law) (internal citation omitted). An inclusionary clause defines those to whom coverage is 18 extended. See State Farm Mut. Auto. Ins. Co. v. Ruiz, 134 Wash. 2d 713, 718, 952 P.2d 157 19 (1998). 20 The Security Breach Liability insuring provision is an inclusionary clause because it 21 defines those to whom coverage is provided. Dkt. # 1-1 at 6. To be sure, as acknowledged 22
23 4 Defendant does cite Washington authority for the proposition that “arising out of” would not tether the Claim to the Wrongful Act. Dkt. # 24 at 8. But this argument misses the mark because the 24 Policy does not use the words “arising out of”—it uses the word “for.” Dkt. # 1-1 at 9. 1 above, this provision might be interpreted to denote a narrow causal connection between the 2 Claim and the Wrongful Act. Dkt. # 18 at 18–20; see Section III.B.1, supra. But this provision 3 can also be reasonably interpreted to denote a broader, “because of,” connection between the
4 Claim and the Wrongful Act. See Section III.B.1., supra. Because the Security Breach Liability 5 insuring provision is an inclusionary clause, it must be construed liberally to provide coverage— 6 i.e., with the “because of” connection between the Claim and the Wrongful Act. Ross, 132 7 Wash. 2d at 515–16. 8 In addition, another defined Policy term belies Defendants’ proposed construction. The 9 Security Breach liability insuring grant applies to “a Claim . . . for a Wrongful Act or a series of 10 Interrelated Wrongful Acts.” Dkt. # 1-1 at 9. “Interrelated Wrongful Acts” are defined as 11 “all Wrongful Acts that have as a common nexus any: i) fact, circumstance, situation, event, 12 transaction or cause; or ii) a series of casually [sic] connected facts, circumstances, situations,
13 events, transactions or causes.” Id. at 12. So, along with covering “a Claim . . . for a Wrongful 14 Act,” the Security Breach liability insuring grant covers a Claim for any number of Wrongful 15 Acts that are appropriately connected to one another. Id. at 9. This expansive language suggests 16 the parties contemplated and accepted that the Security Breach liability insuring grant should 17 apply to a broad set of circumstances that ultimately lead to a Claim. Yet Defendants’ proposed 18 definition of “for” is “used to indicate the object or purpose of an action or activity.” Dkt. # 18 19 at 17. This proposed definition would only provide coverage if a Claim were for a singular 20 “action” or “activity,” and would render the defined term “Interrelated Wrongful Acts” 21 superfluous to the Security Breach Liability insuring provision. Dkt. # 1-1 at 12. Thus, this 22 interpretation would conflict with the maxim that the preferred interpretation of a contract, such
23 as an insurance policy, gives effective meaning to all provisions of the agreement and does not 24 1 render any part meaningless. See Pub. Util. Dist. No. 1 of Lewis Cnty. v. Washington Pub. 2 Power Supply Sys., 104 Wash. 2d 353, 374, 705 P.2d 1195 (1985) (internal citation omitted). 3 2. Policy as a Whole
4 Next, the Court considers whether its interpretation of the Security Breach Liability 5 insuring provision gives the whole Policy a “fair, reasonable, and sensible construction as would 6 be given to the contract by the average person purchasing insurance.” Key Tronic Corp. v. Aetna 7 (CIGNA) Fire Underwriters Ins. Co., 124 Wash. 2d 618, 627, 881 P.2d 201 (1994) (internal 8 citation omitted). 9 Defendants argue that the foregoing interpretation of the Security Breach Liability 10 insuring provision does not give the whole Policy a fair, reasonable, and sensible construction for 11 two reasons. Dkt. # 18 at 20–24. First, they say that the parties contracted for a Social 12 Engineering Endorsement in the Policy, and Plaintiff’s claim falls squarely within the Social
13 Engineering Endorsement. Id. at 20–22. They say that allowing Plaintiff to recover under the 14 Security Breach Liability insuring provision when it should only be allowed to recover under the 15 Social Engineering Endorsement would render the Social Engineering Endorsement superfluous. 16 Id. Defendants add that the Policy makes clear they need not pay under any other insuring grant 17 if a claim falls within and exhausts the Social Engineering sublimit. Dkt. # 24 at 11. Second, 18 they say, reading the Policy as a whole, the Security Breach Liability insuring provision is 19 intended to cover third-party claims by data-breach victims. Id. at 23–24. Plaintiff responds by 20 saying Defendants are attempting to rewrite the Policy. Dkt. # 21 at 21. According to Plaintiff, 21 when a loss is covered by more than one part of an insurance policy, the insured is entitled to the 22 full coverage available under each part—unless the policy has language to the contrary. Dkt. #
23 21 at 21–23. Plaintiff also says the Washington Supreme Court has held that an insured can 24 1 proceed under multiple grants of coverage and the insured is not required to choose a single 2 coverage provision to bring a claim under. Id. at 23–24. 3 a. Social Engineering Endorsement
4 As Defendants recognize, the first issue to be resolved is not whether one incident can 5 implicate two insuring grants in the Policy or whether Washington requires an insured to choose 6 a single coverage to bring a claim under. Dkt. # 24 at 9–10. The Policy recognizes that a single 7 incident can fall within two insuring grants. Dkt. # 1-1 at 6. And the Washington Supreme 8 Court has found “no authority for the proposition that an insured must elect which coverage it 9 chooses if it has been furnished with overlapping coverage in a policy.” Kitsap Cnty. v. Allstate 10 Ins. Co., 136 Wash. 2d 567, 581, 964 P.2d 1173 (1998). To resolve Defendants’ first argument, 11 the Court must instead determine whether its interpretation of the Security Breach Liability 12 insuring provision renders the Policy’s Social Engineering Endorsement superfluous. The Court
13 must also evaluate whether Plaintiff’s claim falls within the Social Engineering Endorsement 14 and, if necessary, whether it exhausts the Social Engineering sublimit. 15 The Social Engineering Endorsement covers “Social Engineering Loss resulting directly 16 from a Social Engineering Incident[.]” Dkt. 1-1 at 33. The Policy defines Social Engineering 17 Loss as “the loss of Money as a result of a Social Engineering Incident.” Id. at 34. Money in 18 this context means “currency, coins or bank notes in current use and having a face value, 19 travelers’ checks, register checks and money orders held for sale to the public. The term Money 20 does not include digital currency or other negotiable and nonnegotiable instruments or contracts 21 representing either Money or property.” Id. at 33. A Social Engineering Incident is defined as: 22 the intentional misleading of an Insured to transfer Money to a person, place or account beyond the Named Insured’s control resulting directly from the Named 23 Insured’s employee’s good faith reliance upon an instruction transmitted via email, purporting to be from: 24 1 i. a natural person or entity who exchanges, or is under contract to exchange, goods or services with the Named Insured for a fee (other than a 2 financial institution, asset manager, broker-dealer, armored motor vehicle “named insured” or any similar entity); or 3 ii. an employee of the Named Insured; but which contained a fraudulent and material misrepresentation and was sent by 4 an imposter. Id. at 33. To be eligible for the Social Engineering Endorsement, the Policy also requires the 5 insured to “have an established and documented funds transfer request verification procedure and 6 that procedure must have been followed before acting upon any instruction.” Id. at 34. 7 This language from the Social Engineering Endorsement can be easily harmonized with 8 the Court’s interpretation of the Security Breach Liability insuring provision. This is because the 9 Court’s interpretation of the Security Breach Liability insuring provision still requires a Claim to 10 be brought against the insured because of a Wrongful Act. See Section III.B.1, supra. But the 11 Social Engineering Endorsement does not require a Wrongful Act to take place—it requires a 12 Social Engineering Incident to occur—before coverage can be provided. Dkt. # 1-1 at 33–34. 13 The Court similarly notes that a Wrongful Act occurs if there is “a privacy breach that includes 14 the acquisition of Personal Information held within a Computer System” or “unauthorized access 15 to, or use of, electronic or non-electronic data containing Personal Information,” while a Social 16 Engineering incident can occur without bad actors acquiring or obtaining access to Personal 17 Information. Dkt. # 1-1 at 13–14, 33. 18 Thus, if a Social Engineering Incident takes place but a Wrongful Act does not, coverage 19 may be provided under the Social Engineering Endorsement but not under the Security Breach 20 Liability insuring provision. On the other hand, if there is a Wrongful Act but no Social 21 Engineering Incident, coverage may be provided under the Security Breach Liability insuring 22 provision but not under the Social Engineering Endorsement. That being so, an incident can 23 implicate the Social Engineering Endorsement without falling under the Security Breach 24 1 Liability insuring provision. Consider a scenario in which a cyber criminal impersonated one of 2 Plaintiff’s employees and urgently demanded via email that another employee send U.S. 3 currency to a fraudulent bank account. If the duped employee followed Plaintiff’s established
4 and documented funds transfer request verification procedure before sending the money, then 5 coverage would likely be available under the Social Engineering Endorsement because a Social 6 Engineering Incident occurred. But coverage would not likely be available under the relevant 7 provisions of the Security Breach Liability insuring provision because the fraudster did not 8 acquire or access Personal Information, so no Wrongful Act took place. It follows that the 9 Court’s interpretation of the Security Breach Liability insuring provision does not render the 10 Social Engineering Endorsement superfluous. 11 What is more, the language of the Social Engineering Endorsement contradicts 12 Defendants’ assertion that the “social engineering attack on [Plaintiff] fits squarely within
13 section i.” Dkt. # 18 at 22. This is because Plaintiff alleges in part that it seeks coverage for the 14 Settlement Agreement it entered with the Woods Claimants. Dkt. # 1 at 10. And settlement 15 agreements are contracts. See, e.g., Hamblin v. Castillo Garcia, 9 Wash. App. 2d 78, 91, 441 16 P.3d 1283 (2019) (“Settlement agreements are contracts.”). So the Settlement Agreement is not 17 considered Money under the Social Engineering Endorsement. Dkt. # 1-1 at 33 (“The term 18 Money does not include . . . contracts representing either Money or property.”). Because 19 Plaintiff does not seek coverage for the loss of Money, Plaintiff’s claim cannot be considered a 20 Social Engineering Loss. Thus, it is apparent from the Complaint that the Social Engineering 21 Endorsement does not cover Plaintiff’s claim because Plaintiff does not seek to recover for what 22 can be considered a Social Engineering Loss.
23 In sum, the Court’s interpretation of the Security Breach Liability insuring provision does 24 not render the Social Engineering Endorsement superfluous because this interpretation gives 1 meaning and effect to both parts of the Policy. And since Plaintiff’s claim does not fall within 2 the Social Engineering Endorsement, it is not relevant whether “the Social Engineering 3 Endorsement excludes coverage under other insuring grants for a Loss subject to the Social
4 Engineering sublimit.” Dkt. # 24 at 10–11. 5 b. Data-Breach Victims 6 Defendants next argue that “reading the Policy as a whole demonstrates that the Security 7 Breach Liability insuring agreement covers third-party claims by data-breach victims.” Dkt. # 8 18 at 23. Defendants contend that the Security Breach Liability and Expense insuring 9 agreements are complementary. Id. And they contend that when these complementary grants 10 are read together, the applicable definitions of Wrongful Act in the Security Breach Liability 11 provision apply “to third-party claims filed by individuals who have suffered injury because 12 [Plaintiff] failed to prevent their Personal Information from being acquired.” Id. Defendants
13 also say that Woods Law could not sue Plaintiff for a violation of any privacy law because it 14 does not have Personal Information that could be accessed, and Woods Law would not have 15 standing to sue Plaintiff because its employee’s email account was accessed. Id. at 24. Thus, 16 they contend, it would be unreasonable to construe the Security Breach Liability insuring 17 provision to afford coverage for a claim that is not legally cognizable under privacy laws. Id. 18 Plaintiff responds that Defendants are attempting to re-write the Policy, and that there is no 19 language limiting the Security Breach Liability insuring provision to third-party claims brought 20 by data-breach victims. Dkt. # 21 at 24. 21 The Court agrees with Plaintiff. Attorney argument cannot replace the plain language of 22 the Policy when that language is unambiguous. See Am. Nat. Fire Ins. Co., 134 Wash. 2d at 427.
23 The Security Breach Liability and Expense insuring agreements, as Defendants acknowledge, 24 define Loss to cover significantly different expenses. Dkt. # 1-1 at 6–7, 9–10; Dkt. # 18 at 23. 1 These provisions also do not reference one another. Dkt. # 1-1 at 6–10. And an Insured can 2 recover under neither, one, or both agreements. Dkt. # 1-1 at 6; see Dkt. # 24 at 9–11. So the 3 Court cannot agree they “are complementary.” Dkt. # 18 at 23.
4 Moreover, the applicable definitions of Wrongful Act in the Security Breach Liability 5 insuring provision indicate broader coverage than just third-party claims by data-breach victims 6 because Plaintiff failed to prevent the theft of their Personal Information. The Policy defines a 7 Wrongful Act as “any actual or alleged: a. Security Breach; b. Failure to prevent unauthorized 8 access to, or use of, electronic or non-electronic data containing Personal Information; . . . by, 9 or asserted against, an Insured.” Dkt. # 1-1 at 14 (italics emphasis added). Security Breach 10 means “a privacy breach that includes the acquisition of Personal Information[.]” Id. at 13 11 (italics emphasis added). The choice of the words “containing” and “that includes” in these 12 definitions illustrates that a Wrongful Act is not limited to the theft of a third-party’s Personal
13 Information. Id. at 13, 14. Rather, these definitions show an event qualifies as a Wrongful Act 14 under broader circumstances, so long as Personal Information is among the data acquired or 15 accessed. 16 Defendants similarly misconstrue the Complaint and Settlement Agreement to argue 17 “Woods Law could not sue [Plaintiff] for a violation of any privacy law given that it, as a 18 company, does not have Personal Information that could be accessed.” Dkt. # 18 at 24. In the 19 Complaint, Plaintiff says, “Cary Woods II is a personal injury attorney in Miami Florida and is 20 the owner of Cary Woods II, P.A d/b/a Law Offices of Cary Woods II.” Dkt. # 1 at 3. Plaintiff 21 also says it “entered into an Agreement, Release, and Assignment of Claims with Cary Woods II 22 and the Law Offices of Cary Woods, II.” Id. at 7. And the Settlement Agreement provides
23 “Cary Woods II and Cary Woods II, P.A. d/b/a the Law Offices of Cary Woods II has asserted a 24 Claim against Connelly Law Offices for the Loss of $1,501,885.55 as a result of the Cyber 1 Incident, Security Breach, and Wire Fraud” and “Cary Woods II and Cary Woods II, P.A. d/b/a 2 the Law Office of Cary Woods II alleges that Connelly Law Offices engaged in a Wrongful Act 3 whereby it allowed a Security Breach to occur and failed to prevent unauthorized access to, and
4 use of Personal Information including security codes and passwords.” Dkt. # 1-2 at 4. 5 Consequently, Plaintiff does not merely allege it was sued by Woods Law; it alleges that Cary 6 Woods—a person with Personal Information—also brought a claim. Plaintiff likewise alleges it 7 entered the Settlement Agreement with Woods. So the Court’s construction of the Security 8 Breach Liability insuring provision does not afford coverage for third-party claims that are not 9 legally cognizable under privacy law. Contra Dkt. # 18 at 24. 10 In short, the Court’s interpretation of the Security Breach Liability insuring provision 11 gives the whole Policy a fair, reasonable, and sensible construction because it does not render 12 any portion of the Policy superfluous and is consistent with the plain language of the Policy.
13 *** 14 To sum up, the “duty to indemnify exists only if the policy actually covers the insured’s 15 liability.” Am. Best Food, Inc. v. Alea London, Ltd., 168 Wash. 2d 398, 404, 229 P.3d 693 16 (2010). Plaintiff plausibly claims the Policy covers its liability under the Security Breach 17 Liability insuring provision. Dkt. # 1 at 2–9; see Section III.B, supra. But Defendants have 18 refused to indemnify Plaintiff for its claim under this provision of the Policy. Id. at 6, 9. Thus, 19 Plaintiff adequately states a claim for a breach of the duty to indemnify against Defendants. 20 C. Causes of Action Against Defendant Cowbell Cyber, Inc. 21 Finally, Defendants ask the Court to dismiss Plaintiff’s first, third, and fourth causes of 22 action against Defendant Cowbell because it is an insurance administrator, not an insurer. Dkt. #
23 18 at 24–25. 24 1 Plaintiff’s first cause of action for breach of the duty to indemnify must be dismissed 2 with respect to Defendant Cowbell because this Defendant is not listed on the Policy. See Woo 3 v. Fireman’s Fund Ins. Co., 161 Wash. 2d 43, 53, 164 P.3d 454 (2007) (duty to indemnify
4 “hinges on the insured’s actual liability to the claimant and actual coverage under the policy”) 5 (internal citation omitted). In fact, the words “Cowbell Cyber Inc.” do not appear in the Policy. 6 See generally Dkt. # 1-1. Plaintiff’s argument that the Policy’s declarations page lists Cowbell 7 as the “Producer” is incorrect. Id. The declarations page lists Cowbell Insurance Agency 8 LLC—not Cowbell Cyber Inc.—as the producer. Dkt. # 1-1 at 3. 9 Plaintiff’s third and fourth causes of action for violation of the Washington Consumer 10 Protection Act (CPA) and Insurance Fair Conduct Act (IFCA) against Cowbell must likewise be 11 dismissed. Plaintiff alleges that Defendants “violated multiple provisions of WAC 284-30-330” 12 and these “are per se violations” of the CPA. Dkt. # 1 at 13. But WAC 284-30-330 applies only
13 to insurers because “that regulation defines only unfair acts or practices of the insurer.” 14 Keodalah v. Allstate Ins. Co., 194 Wash. 2d 339, 350, 449 P.3d 1040 (2019). Similarly, “IFCA 15 claims require that the insurer’s unreasonable act or acts result in the unreasonable denial of the 16 insured's claim, and any IFCA damages must be caused by that denial.” Beasley v. GEICO Gen. 17 Ins. Co., 23 Wash. App. 2d 641, 667, 517 P.3d 500 (2022) (emphasis added). Thus, as alleged, 18 Cowbell can be liable under Plaintiff’s third and fourth causes of action only if it is an insurer. 19 But Plaintiff does not plausibly allege that Cowbell is an insurer. Under Washington law, 20 an insurer is “every person engaged in the business of making contracts of insurance, other than 21 a fraternal benefit society.” See RCW 48.01.050. That Cowbell sells insurance, it performed the 22 coverage evaluations, and denied coverage for Plaintiff’s claim does not show Cowbell is an
23 insurer. Contra Dkt. # 21 at 25. These functions say nothing about whether Cowbell is in the 24 business of making contracts of insurance. In fact, these arguments suggest that rather than l being an insurer, Cowbell is an “Adjuster” or “Insurance producer.” See RCW 48.17.010 (an 2 “Adjuster” is “any person who either investigates and negotiates settlement relative to insurance 3 claims, or applies the factual circumstances of an insurance claim to the insurance policy 4 || provisions, or both”); id. (an “Insurance producer” is “a person required to be licensed under the 5 laws of this state to sell, solicit, or negotiate insurance”). 6 Consequently, Plaintiff's first, third, and fourth causes of action must be dismissed 7 against Defendant Cowbell. 8 IV 9 CONCLUSION
10 For all these reasons, the Court GRANTS in part and DENIES in part the motion to
dismiss. Dkt. # 18. Plaintiff's first, third, and fourth causes of action against Defendant Cowbell
D are dismissed without prejudice. Plaintiff does not alternatively request that the Court grant
3 leave to amend the complaint; nor do the parties address whether such an amendment would be
4 futile. Plaintiff may timely move for leave to file an amended complaint
5 Dated this 7th day of August, 2025.
16 C fake Chur John H. Chun 17 United States District Judge 18 19 20 21 22 23 24