UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT NEW ENGLAND SYSTEMS, INC., ) 3:20-CV-01743 (SVN) Plaintiff, ) ) v. ) ) CITIZENS INSURANCE COMPANY OF ) AMERICA, ) December 12, 2022 Defendant. ) RULING AND ORDER ON DEFENDANT’S MOTION FOR SUMMARY JUDGMENT Sarala V. Nagala, United States District Judge. Plaintiff New England Systems, Inc. has brought this action against its insurer, Defendant Citizens Insurance Company of America, alleging that Defendant failed to honor its obligation under an insurance policy to reimburse Plaintiff for business interruption losses Plaintiff sustained due to a data breach, misrepresented the coverage Defendant was required to provide Plaintiff, and failed to reasonably investigate Plaintiff’s insurance claim. Following the Court’s ruling on Defendant’s motion to dismiss, one claim for breach of contract and one claim for breach of the implied covenant of good faith and fair dealing remain in Plaintiff’s operative complaint. Defendant seeks summary judgment on both remaining counts of the complaint, asserting that Plaintiff did not suffer any business interruption losses due to the data breach at issue, that Plaintiff has not provided a basis for a jury to calculate the damages relating to any such losses, and that Plaintiff has not provided any evidence that Defendant acted in bad faith. Plaintiff argues that genuine issues of material fact preclude summary judgment on both of its remaining claims. For the reasons described below, the Court agrees with Plaintiff that genuine issues of material fact remain as to whether it sustained business interruption losses covered under its insurance policy and that it has offered sufficient evidence, for summary judgment purposes, regarding the calculation of the purported damages resulting from such losses. The Court agrees with Defendant, however, that Plaintiff has failed to provide sufficient evidence for a reasonable jury to find that Defendant acted in bad faith. Defendant’s motion for summary judgment is therefore GRANTED IN PART and DENIED IN PART.
I. FACTUAL BACKGROUND The parties’ dispute centers on a data breach that occurred on or around June 13, 2019, and impacted Plaintiff and several of its clients. Pl.’s L. R. 56(a)2 St., ECF No. 52-1, ¶ 23. In particular, the parties disagree about whether Defendant was required to pay Plaintiff for business interruption losses it purportedly sustained due to the data breach. See id. ¶¶ 54–62. Unless otherwise noted herein, the parties do not dispute the following facts. A. Plaintiff’s Operations Plaintiff is a managed services provider that provides its clients with partially or fully outsourced information technology (“IT”) support, IT strategy and consulting, and cybersecurity services. Id. ¶ 1. The tasks Plaintiff performs for its clients include fixing printers, changing
passwords, restoring backups, fixing servers, performing virus scans on machines, installing software patches, assisting with emails, addressing malware, helping clients recover from ransomware attacks, and helping clients recover from viruses. Id. ¶ 3. As of June of 2019, Plaintiff had approximately twenty employees spread across Plaintiff’s service, accounting, and sales departments. Id. ¶¶ 4–6, 11, 14. The majority of Plaintiff’s employees were service technicians. Id. ¶ 7. As of June of 2019, Plaintiff’s three departments functioned in the following manner. Plaintiff’s service department, which provided technical support and service for Plaintiff’s clients, relied primarily on two systems: a service management system called “ConnectWise,” and a system called “Continuum,” which related to Plaintiff’s remote monitoring and management tools. Id. ¶¶ 6, 8. When one of Plaintiff’s clients needed help, they would almost always be routed to Plaintiff’s helpdesk, which would in turn assign one of Plaintiff’s service technicians to address the client’s IT issue. Id. ¶ 10. The service department did not rely on any of Plaintiff’s servers to
perform work for clients. Id. ¶ 9. Plaintiff’s accounting department, which handled Plaintiff’s accounts receivable, accounts payable, and accounting services, utilized Connectwise, as well as Microsoft Dynamics, Microsoft Excel, email, and Plaintiff’s hardware and equipment, to perform its functions. Id. ¶¶ 12–13. Finally, Plaintiff’s sales department performed account management and business development services. Id. ¶ 15. It does not appear that the sales department relied on any particular systems relevant to this litigation to perform its duties, though the record on this point is not entirely clear. Id. ¶ 16. Plaintiff’s relationships with its clients were typically centered around service agreements, under which Plaintiff offered a variety of IT products and services for a term of months or years.
Id. ¶ 17. Such services might include, for example, email and network management, proactive maintenance, and server support. Id. ¶ 18. Certain service agreements also reflected that Plaintiff had committed to remediate viruses, ransomware, and malware attacks from its clients’ systems. Id. ¶ 19. Plaintiff’s chief executive officer, Tom McDonald, testified at his corporate representative deposition that Plaintiff’s service agreements were not limited to a certain number of work hours and that, even if a client had a large problem that occupied all of Plaintiff’s technicians, the client would not be charged extra under a service agreement. Id. ¶ 20. In addition to services performed under these service agreements, Plaintiff performed certain “one-off” projects that would not be covered by a client’s service agreement, such as purchasing and installing a printer for a client or converting a client to a new operating system. Id. ¶ 22. B. Plaintiff’s Data Breach Insurance Coverage At all times relevant to this action, Defendant insured Plaintiff under an insurance policy
with a term of May 15, 2019, to May 15, 2020. Id. ¶ 54; see generally Ex. J to Def.’s Mot. (the “Policy”), ECF No. 48-12. The Policy includes a Data Breach Coverage Form (the “Form”) with an aggregate limit of $250,000 for losses covered by the Form. Pl.’s L. R. 56(a)2 St. ¶ 55. Relevant here, the Form includes a provision titled “Cyber Business Interruption and Extra Expense,” which provides as follows: [Defendant] will pay actual loss of “business income” and additional “extra expense” incurred by [Plaintiff] during the “period of restoration” directly resulting from a “data breach” which is first discovered during the “policy period” and which results in an actual impairment or denial of service of “business operations” during the “policy period”.
Policy at 161. The Form defines several terms relevant to the parties’ dispute. First, the Form defines “business income,” in pertinent part, as Plaintiff’s “Net Income (Net Profit or Loss before income taxes) that would have been earned or incurred if there had been no impairment or denial of ‘business operations’ due to a covered ‘data breach’” and “[c]ontinuing normal operating expenses incurred, including payroll.” Id. at 168. Second, the Form defines “extra expense,” in pertinent part, as “the reasonable and necessary expenses [Plaintiff] incur[s] during the ‘period of restoration’ in an attempt to continue ‘business operations’ that have been interrupted due to a ‘data breach’ and that are over and above the expenses such [Plaintiff] would have incurred if no loss had occurred.” Id. at 169. Third, under the terms of the Form, the “period of restoration” begins for purposes of “extra expense” coverage “immediately after the actual or potential impairment or denial of ‘business operations’ occurs” and, for purposes of loss of “business income,” “after 24 hours . . . immediately following the time the actual impairment or denial of ‘business operations’ first occurs.” Id. The “period of restoration” ends on the earlier of “the date ‘business operations’ are restored, with due diligence and dispatch, to the condition that would
have existed had there been no impairment or denial,” or sixty days “after the date the actual impairment or denial of ‘business operations’ first occurs.” Id. Finally, “business operations” is defined as Plaintiff’s “usual and regular business activities.” Id. at 168. C. The Data Breach On June 13, 2019, multiple clients contacted Plaintiff after noticing encrypted items on their servers, which made Plaintiff aware that it had been impacted by a data breach. Id. ¶ 23. Though there is some dispute between the parties regarding the steps Plaintiff took to investigate the data breach, McDonald testified that Plaintiff determined “with a high degree of probability” that the breach originated with Plaintiff. Id. ¶ 24. As a result of the data breach, the bad actor or actors were able to access some of Plaintiff’s clients’ systems and send a virus and malware that
encrypted the clients’ data. Id. ¶ 25. The data breach impacted only one of Plaintiff’s own systems; specifically, the breach encrypted the data on the Microsoft Dynamics server utilized by Plaintiff’s accounting department. Id. ¶ 26. The parties do not agree on precisely when the issues with the server were remedied, but McDonald testified that he believed the Microsoft Dynamics server was restored the week after the data breach occurred. Id. ¶ 27. Upon learning of the data breach, Plaintiff began responding to its clients’ requests to remedy the issues caused by the breach. Id. ¶ 30. Plaintiff chose to remediate these issues on its own rather than involving an outside firm to assist in the process because, according to McDonald, retaining another company “would cause [Plaintiff] more work than less” and would not “speed up the process of getting [Plaintiff’s] clients remediated.” Id. ¶ 31. Plaintiff concedes that it did not need its own Microsoft Dynamics server to remediate the impacts of the data breach on its clients’ systems. Id. ¶ 28.
The parties dispute whether Plaintiff ever communicated to Defendant that, by electing to assist its impacted clients on its own, Plaintiff was electing not to do work for other clients. Id. ¶ 32. The parties further dispute the level of services Plaintiff was able to provide to clients that were not impacted by the data breach in the weeks and months following the breach. Id. ¶ 33. Although Plaintiff contends that, for more than six months after the data breach, it was able to provide only very limited “emergency service” to clients who were not impacted by the data breach, it concedes it did not refund service agreement charges to any of these clients. Id. D. The Parties’ Communications Following the Data Breach After the data breach, Plaintiff reported the incident to its insurance broker. Id. ¶ 34. The content of the parties’ communications regarding the claim that was subsequently submitted to
Defendant is a matter of disagreement in this litigation. The parties seem to agree, however, that at some point in the days after the data breach, McDonald spoke with Christopher Guittar, who was Defendant’s adjuster for any first-party damages Plaintiff may have sustained. Id. ¶ 35. Defendant has submitted evidence that it claims supports the proposition that Plaintiff did not report any first-party damages in the days following the data breach. Specifically, Defendant directs the Court to entries Guittar purportedly made between June 17 and June 27, 2019, in a file regarding Plaintiff’s claim, which state, among other things, that there was “no first party claim being made” and that there were “no first party expenses yet to address.” See id. ¶¶ 35–42; Ex. 1 to Cormier Decl., ECF No. 48-5, at 17–20; see also id. at 16 (noting that “[t]here are no first party expenses to complete this work”). Plaintiff disputes the truth of the assertions in these entries. In doing so, Plaintiff cites Guittar’s notes indicating that he was going to follow up with Plaintiff regarding any first-party claim, as well as McDonald’s testimony that he did not recall whether he discussed first-party damages with Defendant’s adjuster in the week following the data breach.
Pl.’s L. R. 56(a)2 St. ¶¶ 36, 43. On June 19, 2019, McDonald received an email from Guittar requesting information regarding Plaintiff’s claim. Id. ¶ 37. McDonald testified that he could not recall if he ever responded to Guittar’s email. Id. ¶ 41. Plaintiff concedes that it never provided Defendant with information regarding “data loss requiring recovery or reproduction” and that it did not initially forward Defendant a breakdown of damages and costs because it prioritized remediating its clients’ issues instead. Id. ¶¶ 39–40. Plaintiff further concedes that it never sent Defendant a repair estimate, but Plaintiff contends that it did not do so because it was its “own IT vendor” and “didn’t have an IT vendor” other than itself. Id. ¶ 38. On June 27, 2019, Guittar sent a follow-up email to McDonald requesting information from Plaintiff. Id. ¶ 44. The parties dispute precisely which
information, if any, Plaintiff provided in response to this request. Id. ¶¶ 45–46. On December 19, 2019, Plaintiff sent a letter to Defendant asserting a first-party claim for damages and demanding that Defendant pay Plaintiff up to the full $250,000 limit under the Form. Id. ¶¶ 47–48. The parties disagree on whether this was Plaintiff’s first attempt to make such a claim, and Plaintiff points to emails dated October 9 and 10, 2019, that purportedly include a discussion of first-party damages. Id. ¶ 47; Ex. F to Pl.’s Opp., ECF No. 57. On January 28, 2020, Defendant’s coverage counsel responded to Plaintiff’s December 19, 2019, letter, stating that the Policy did not provide coverage for Plaintiff’s claim. Pl.’s L. R. 56(a)2 St. ¶ 49; Ex. I to Pl.’s Opp., ECF No. 52-10. On April 20, 2020, Plaintiff’s counsel sent a reply, which stated that, during the sixty-day period of indemnity under the Form, Plaintiff needed to devote its full attention to restoring its system. Pl.’s L. R. 56(a)2 St. ¶ 52. In support of its damages claim, Plaintiff attached to its reply proposals and estimates for work that it was purportedly unable to perform due to the data breach. Id. ¶ 50. Defendant points out that these proposals and estimates were not signed by
Plaintiff or its clients. Id. ¶ 51. On June 8, 2020, Defendant responded to Plaintiff again, restating its position that the Form did not provide coverage for Plaintiff’s claim. Id. ¶ 53. E. Plaintiff’s Claimed Losses1 Plaintiff asserts that it lost business income because it was unable to perform work for six of its clients following the data breach. Id. ¶ 68. These six clients, all of which had term service agreements with Plaintiff, are: Albert Brothers, Inc./Cornerstone Realty (“Albert Brothers”); Avon Public Library; Community Housing Advocates, Inc. (“CHA”); Star Struck LLC (“Star Struck”); United Steel; and Wolcott Public Schools. Id. ¶¶ 21, 68. In support of its damages claim, Plaintiff has provided deposition testimony from agents of these clients indicating that the clients stopped working with Plaintiff at least in part due to the data breach. See id. ¶¶ 86–104. As set
forth in further detail below, Plaintiff’s claimed damages include losses for lost monthly service agreements, cancelled or lost projects, and lost subscriptions. Id. ¶ 69. With respect to lost monthly service agreements, Plaintiff claims that it suffered losses because each of the six clients ultimately cancelled or did not renew their service agreements, at least in part due to the data breach. First, Albert Brothers terminated its agreement with Plaintiff in August of 2019, with two months remaining on the agreement. Id. ¶ 70. Second, Avon Public Library terminated its agreement with Plaintiff in November of 2019, with twenty-six months remaining on the agreement. Id. Third, CHA and Wolcott Public Schools did not renew their
1 Plaintiff contends that the described losses do not constitute a full accounting of its damages but is not specific as to what other losses it claims. respective agreements with Plaintiff when the agreements expired in August of 2019. Id. Fourth, Star Struck terminated its agreement with Plaintiff in August of 2019, with thirty-two months remaining on the agreement, which was subject to automatic renewal. Id. Fifth and finally, United Steel terminated its agreement with Plaintiff in April of 2020, with twelve months remaining on
the agreement. Id. Plaintiff claims that, as a result of the termination of these relationships with its clients, it suffered $627,868.76 in covered losses. Id. With respect to cancelled or lost projects, Plaintiff claims that it was unable to perform four projects for United Steel, three projects for Wolcott Public Schools, two projects for Albert Brothers, and one project for CHA, because it spent its time attempting to remediate the effects of the data breach. Id. ¶ 71. These projects are separate from the services Plaintiff was obligated to perform for these clients under monthly service agreements. Id. Plaintiff claims that, as a result of these cancelled or lost projects, it suffered $152,024.00 in covered losses. Id. Finally, with respect to lost subscriptions, Plaintiff claims that it lost income attributable to fees it charges its clients in connection with the provision of subscription services. Id. ¶ 72. These
subscription services included Office 360 Advanced Threat Protection, Microsoft Azure, Barracuda cloud services, and Plaintiff’s “Backup TotalCare.” Id. Plaintiff asserts that, as a result of these lost subscriptions, it sustained $134,162.80 in covered losses. Id. Defendant contends that Plaintiff suffered no disruption to its business activities and did not, in fact, lose any income as a result of the data breach. Id. ¶¶ 73–78. In making this argument, Defendant points to financial figures indicating that Plaintiff’s total income increased by more than $60,000 between 2018 and 2019. Id. ¶ 75. Defendant also points to figures indicating that Plaintiff’s net operating income was higher in June, July, and August of 2019, around the time of the breach, than it was in the same three-month period in 2018. Id. ¶¶ 76–77. Finally, Defendant provides evidence that Plaintiff’s total revenue was only $30,479 lower during this three-month period in 2019 than it was for the same three-month period in 2018. Id. ¶ 78. II. PROCEDURAL BACKGROUND Plaintiff initiated this action by filing a complaint in Connecticut Superior Court in October
of 2020. Compl., ECF No. 1-1. After removal of the action to federal court and dismissal of one claim in May of 2021, two claims remain: breach of contract (Count One) and breach of the implied covenant of good faith and fair dealing (Count Three). ECF No. 1; New England Sys., Inc. v. Citizens Ins. Co. of Am., No. 3:20-CV-01743 (JAM), 2021 WL 1978691 (D. Conn. May 17, 2021). After an unsuccessful settlement conference, see ECF No. 33, this action was transferred to the undersigned, ECF No. 46. Defendant thereafter filed its pending motion for summary judgment, ECF No. 48, and the Court held oral argument on the motion. III. LEGAL STANDARD GOVERNING SUMMARY JUDGMENT Federal Rule of Civil Procedure 56(a) provides, in relevant part, that a court “shall grant summary judgment if the movant shows that there is no genuine issue as to any material fact and
the movant is entitled to judgment as a matter of law.” With respect to materiality, a fact is “material” only if a dispute over it “might affect the outcome of the suit under the governing law[.]” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). With respect to genuineness, “summary judgment will not lie if the dispute about a material fact is ‘genuine,’ that is, if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Id. In considering a motion for summary judgment, a court “must construe the facts in the light most favorable to the non-moving party and must resolve all ambiguities and draw all reasonable inferences against the movant.” Kee v. New York, 12 F.4th 150, 158 (2d Cir. 2021) (citation and internal quotation marks omitted). In moving for summary judgment against a party who will bear the ultimate burden of proof at trial, the movant’s burden of establishing there is no genuine issue of material fact in dispute will be satisfied if the movant can point to an absence of evidence to support an essential element of the non-moving party’s claim. Celotex Corp. v. Catrett, 477 U.S. 317, 322–23 (1986).
The movant bears an initial burden of “informing the district court of the basis for its motion, and identifying those portions of ‘the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any,’ which it believes demonstrate the absence of a genuine issue of material fact.” Id. at 323. A movant, however, “need not prove a negative when it moves for summary judgment on an issue that the [non-movant] must prove at trial. It need only point to an absence of proof on [the non-movant’s] part, and, at that point, [the non- movant] must ‘designate specific facts showing that there is a genuine issue for trial.’” Parker v. Sony Pictures Ent., Inc., 260 F.3d 100, 111 (2d Cir. 2001) (quoting Celotex Corp., 477 U.S. at 324). The non-moving party, in order to defeat summary judgment, must come forward with evidence that would be sufficient to support a jury verdict in its favor. Anderson, 477 U.S. at 249.
If the non-movant fails “to make a sufficient showing on an essential element of [its] case with respect to which [it] has the burden of proof,” then the movant will be entitled to judgment as a matter of law. Celotex Corp., 477 U.S. at 323. IV. COUNT ONE: BREACH OF CONTRACT The Court first finds that Defendant is not entitled to summary judgment with respect to Count One. Specifically, the Court concludes that a reasonable jury could find that Plaintiff suffered business interruption losses as a result of the data breach that affected its systems, and that Plaintiff has provided sufficient evidence to withstand summary judgment on the issue of damages. Defendant asserts that summary judgment is appropriate with respect to Count One for two reasons. First, Defendant asserts that Plaintiff did not suffer any covered business interruption losses due to the data breach it sustained, both because its business was not interrupted and because it did not suffer any financial loss. This first argument pertains to all three categories of damages
Plaintiff claims—namely, damages from lost monthly service agreements, damages from cancelled or lost projects, and damages from lost subscriptions. In short, Defendant contends that it was not obligated to pay Plaintiff for any of its purported losses and, thus, no breach of contract occurred. Second, Defendant contends that Plaintiff has failed to provide a basis for a jury to calculate its damages with respect to lost monthly service agreements. By confining this second argument to damages Plaintiff purportedly sustained due to lost monthly service agreements, Defendant essentially concedes that, if its first argument is unsuccessful, then triable issues of material fact remain with respect to any damages Plaintiff may have sustained due to cancelled or lost projects and lost subscriptions.
The Court disagrees with both of Defendant’s arguments and, therefore, denies Defendant’s motion to the extent it seeks summary judgment on Count One. The Court will address each of Defendant’s arguments in turn. A. Legal Standard A federal court exercising diversity jurisdiction “must apply the substantive law of the state in which it sits.” Pappas v. Philip Morris, Inc., 915 F.3d 889, 893 (2d Cir. 2019). The parties do not appear to dispute that the Court should look to Connecticut law when examining Plaintiff’s claims. Under Connecticut law, it is well-established that it is the function of the Court “to construe the provisions of [a] contract of insurance,” Springdale Donuts, Inc. v. Aetna Cas. & Sur. Co. of Ill., 724 A.2d 1117, 1119 (Conn. 1999), including at the summary judgment stage, see Boys v. Cont’l Cas. Co., 808 F. Supp. 2d 410, 414 (D. Conn. 2011). The interpretation of an insurance policy, like the interpretation of other written contracts, “involves a determination of the intent of the parties as expressed by the language of the policy.” Springdale Donuts, Inc., 724 A.2d at
1119–20. Thus, the determinative question when interpreting insurance policies is the intent of the parties—that is, “what coverage the insured expected to receive and what the insurer was to provide, as disclosed by the provisions of the policy.” Id. at 1120 (cleaned up). The policy “must be viewed in its entirety, and the intent of the parties for entering it derived from the four corners of the policy.” Id. Moreover, “policy words must be accorded their natural and ordinary meaning.” Id. If the terms of the policy are ambiguous, any ambiguity “must be construed in favor of the insured because the insurance company drafted the policy.” Id. B. Discussion 1. Whether Plaintiff Suffered Business Interruption Losses To begin, the Court cannot conclude, as a matter of law, that Plaintiff did not suffer
business interruption losses under the Form. As noted, the Form’s “Cyber Business Interruption and Extra Expense” provision states that Defendant “will pay actual loss of business income and additional extra expense” incurred by Plaintiff “during the period of restoration directly resulting from a data breach” that “results in an actual impairment or denial of service of business operations.” Ex. B. to Pl.’s Opp., ECF No. 52-2, at 2. The parties agree that a data breach, as defined under the Form, occurred and that the “denial of service” provision is inapplicable here. As a result, the operative question is whether the data breach “result[ed] in an actual impairment . . . of business operations.” After reviewing the record, the Court cannot conclude that the term “actual impairment” categorically excludes from coverage the losses Plaintiff claims it sustained from remediating the impacts the data breach had on its clients. In attempting to decipher what the parties meant by “actual impairment,” the Court must view the Policy in its entirety and accord its terms their natural and ordinary meaning. Springdale
Donuts, Inc., 724 A.2d at 1120. The specific issue presented here is whether the need for Plaintiff to expend significant efforts to remediate the impacts of a covered data breach on its clients—and, in doing so, take time away from other client services—presents an “actual impairment” of Plaintiff’s regular and usual business activities under the terms of the Policy. The Policy does not define “actual impairment,” and the parties do not provide any sources in their briefing from which the Court could glean a definition. As Plaintiff noted in earlier correspondence to Defendant, see Ex. J to Pl.’s Opp., ECF No. 52-11, at 4, the Merriam-Webster dictionary defines “impairment,” in part, as “diminishment or loss of function or ability.”2 Similarly, Black’s Law Dictionary defines “impairment,” in part, as “[t]he quality, state, or condition of being damaged, weakened, or diminished.”3 Neither the Policy nor these dictionary definitions provide a clear answer
regarding whether the Form should be read to exclude Plaintiff’s losses in this case, however. While the Court is aware of no Second Circuit or Connecticut Supreme Court authority addressing the precise question at issue here, there are two instructive cases in which district courts have considered whether an insured’s business operations were impaired as the result of a data breach. See Fishbowl Sols., Inc. v. Hanover Ins. Co., No. 21-cv-00794 (SRN/DJF), 2022 WL 16699749, at *8–9 (D. Minn. Nov. 3, 2022); P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111, at *7 (D. Ariz. May 31, 2016). Both cases counsel
2 Impairment, Merriam-Webster, https://www.merriam-webster.com/dictionary/impairment#:~:text=Definition% 20of%20impairment,loss%20of%20function%20or%20ability%20%E2%80%A6. 3 Impairment, Black’s Law Dictionary (11th ed. 2019). that the definition of “impairment” in the context of data breach insurance coverage is not as narrow as Defendant suggests. First, in P.F. Chang’s, the insured suffered a data breach when computer hackers obtained the credit card numbers of several thousand of the insured’s customers and posted them on the
internet. 2016 WL 3055111, at *2. In response to the breach, the processor of the insured’s credit card transactions required the insured to reimburse the processor for a “Case Management Fee.” Id. When the insured sought coverage from its insurer for this fee, the insurer argued that there was no evidence that the data breach caused an “actual or potential impairment or denial” of the insured’s business activities, which was a prerequisite for coverage under the insurance policy provision at issue. Id. at *7. The insured responded by arguing that its ability to operate was impaired because the processor would have terminated its agreement with the insured and eliminated the insured’s ability to process credit card transactions if it did not pay the fee. Id. The district court agreed with the insured, finding that “its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee
imposed by [the processor].” Id. In doing so, the court necessarily interpreted “impairment” broadly enough to include the potential results of an insured’s failure to pay a third party so that the insured’s business could continue to function. This suggests that impairment can mean more than simply, for example, that an insured is unable to access its own systems because they have been encrypted due to a data breach. More recently, in Fishbowl Solutions, the insured’s claim originated from a data breach in which a bad actor gained unauthorized access to the email account of the insured’s senior staff accountant, imposed “rules” within the account that interfered with the proper receipt of incoming emails and proper sending of outbound emails, and caused one of the insured’s clients to send payments to the bad actor, instead of the insured. 2022 WL 16699749, at *1–2. The insured was covered under a cyber business interruption provision identical to the one in the instant case. In arguing that it was covered under the applicable policy, the insured—which, like Plaintiff, was an IT services provider—argued that the “rules” imposed within the email account impaired its
business operations “by preventing [the senior staff accountant] from communicating with . . . clients and by preventing [the insured] from receiving payment for the work it had performed.” Id. at *2, *8. In response, the insurer argued that there was no impairment because the insured “continued to conduct its income-generating activities . . . while the bad actor accessed [its] email system.” Id. The district court rejected this argument and sided with the insured, noting that “impairment” is defined relatively consistently across dictionaries and ordinarily means “an inability to function at full capacity.”4 Id. at *9. The court concluded that the “ordinary meaning” of impairment was “sufficiently broad to encompass the impact . . . of the bad actor’s interference” with the insured’s email system. Id. In doing so, the court discussed how, although the insured’s senior staff accountant retained the ability to communicate with clients, the “bad actor’s
interference meant that [she] could not reliably, at all times, communicate and send invoices.” Id. Because the insured’s ability to communicate with clients, while not “debilitatingly disrupted,” was “certainly diminished,” the court found that the data breach resulted in an impairment of the insured’s business operations. Id. The Court finds the reasoning in both P.F. Chang’s and Fishbowl Solutions to be persuasive. First, the ordinary meaning of the term “impairment,” as explained in Fishbowl
4 In drawing this conclusion, the district court compared the Black’s Law Dictionary definition for “impairment,” discussed above, with the American Heritage Dictionary of the English Language and Oxford English Dictionary Online definitions for “impair.” See Fishbowl Sols., Inc., 2022 WL 16699749, at *9 (stating that the American Heritage Dictionary of the English Language defines “impair” as “[t]o cause to diminish as in strength, value, or quality,” while the Oxford English Dictionary Online defines the term as “to make worse, less valuable, or weaker” (alteration in original)). Solutions, is broad enough to include the partial disruption or diminishment of an insured’s business activities. This persuades the Court that Plaintiff does not need to demonstrate that it was completely unable to perform its typical business activities to claim the coverage it seeks under the Form. Rather, it is enough that Plaintiff was unable to function at full capacity. Second, P.F.
Chang’s supports the proposition that impairment can mean more than simply that a party is unable to access its own systems due to encryption resulting from a data breach. Taking into account this persuasive authority, and construing the ambiguity in the Policy’s language against the insurer, as required, see Springdale Donuts, Inc., 724 A.2d at 1120, the Court concludes that the term “actual impairment” in the Policy is broad enough to include the forced reallocation of resources, resulting from a covered data breach, from services Plaintiff planned to provide to clients, on one hand, to efforts Plaintiff took to remediate the effects the data breach had on its clients, on the other. In other words, Plaintiff’s business operations may have been impaired under the Policy if Plaintiff was unable to function at full capacity because it needed to dedicate its employees to client remediation work as a result of the data breach.
Simply put, the Court cannot conclude that the parties intended to exclude from coverage the type of “impairment”—i.e., the forced diversion of resources away from planned client services—Plaintiff claims it sustained in this case. Importantly, nothing in the Policy expressly limits the definition of “impairment” to the remediation of impacts on Plaintiff’s own systems. Nor does the Policy language suggest that the parties intended the term “impairment” to be narrowly construed. Accepting Defendant’s arguments to the contrary would substantially limit the reach of the coverage available to Plaintiff in a manner it is not clear the parties intended. Having determined that the meaning of impairment is broad enough to encompass the type of impairment Plaintiff claims it suffered in this case, the Court must next address Defendant’s assertion that summary judgment is nonetheless warranted because Plaintiff did not, in fact, suffer such an impairment or any resulting losses. Specifically, the Court must examine whether any genuine issues of material fact remain with respect to: whether a reallocation of resources from planned client services occurred; whether the reallocation was a result of the data breach; and
whether Plaintiff suffered any losses as a result. As detailed below, Plaintiff has directed the Court to evidence that, drawing all reasonable inferences in Plaintiff’s favor, is sufficient to create genuine disputes of material fact with respect to these issues. First, Plaintiff has provided evidence that it in fact could not perform some of the projects it had anticipated completing for the six clients at issue because it diverted resources to addressing the data breach. See Ex. R to Pl.’s Opp. (“Makkonen Depo.”), ECF No. 52-19, at 40:3–41:9 (noting that “as a result of the breach [Albert Brothers] did not continue with any of the services or projects with [Plaintiff]”); id. at 38:24–39:11 (stating that Albert Brothers did not move forward with a Microsoft Office 365 project because of the data breach); Ex. O to Pl.’s Opp., Godin Depo., ECF No. 52-16, at 55:22–56:1 (suggesting that Godin told Plaintiff to stop working on other
projects and to “focus completely on getting [United Steel] up and running again” after the breach); Ex. H to Def.’s Mot., ECF No. 48-10, at 6–22 (presenting proposals for projects Plaintiff claims it was unable to perform due to the data breach5); see also Ex. Q to Pl.’s Opp. (“Grube Depo.”), ECF No. 52-18, at 30:4–30:12 (Grube believed that Plaintiff pitched projects to Avon Public Library that did not move forward after the breach). Plaintiff’s inability to perform such projects could constitute an impairment of its business operations under the Policy. Questions of material fact
5 Defendant notes that these proposals are unsigned. While this fact might affect the weight that a jury would put in these proposals, Defendant has not argued that the proposals will be wholly inadmissible at trial. As a result, at this stage, the Court will not disregard the proposals as inadmissible evidence in the summary judgment record. The Court notes, however, that even if these proposals were not in the record, genuine issues of material fact would still remain with respect to whether Plaintiff suffered business interruption losses under the Policy. remain for the jury to decide with respect to the nature and extent of such possible impairment, as well as the losses, if any, resulting from the impairment. Indeed, drawing all inferences in favor of Plaintiff as the non-moving party, it would not be unreasonable for a jury to conclude that Plaintiff was unable to fully perform planned projects—that is, to function at its intended full
capacity—as a direct result of needing to focus on remediation work caused by the data breach. Accordingly, at this stage, the Court cannot conclude that Plaintiff did not suffer any losses due to projects it was unable to perform for clients after the data breach, as Defendant urges. Next, Plaintiff has provided testimony from several former clients suggesting that the clients terminated their relationships with Plaintiff due to the data breach. See Makkonen Depo. at 36:9–37:14 (stating that Makkonen “probably” did not have any reason to believe that Albert Brothers would have cancelled its contract with Plaintiff if the data breach had not occurred); Grube Depo. at 27:11–27:13, 33:1–33:15 (stating that Avon Public Library was “extremely disappointed” in the way Plaintiff handled the data breach and ultimately terminated its contract with Plaintiff); Ex. S to Pl.’s Opp., Shaw Depo., ECF No. 52-20, at 64:13–64:22 (stating that Shaw
believed CHA canceled its contract with Plaintiff because of the data breach); Ex. T to Pl.’s Opp., Sessler Depo., ECF No. 52-21, at 38:18–39:6 (stating that the data breach was the “main reason” that Star Struck terminated its relationship with Plaintiff); Ex. U to Pl.’s Opp., Gasper Depo., ECF No. 52-22, at 87:10–87:21 (stating that Wolcott Public Schools terminated a portion of its relationship with Plaintiff due to the data breach). Questions of material fact remain with respect to whether these terminations caused losses that are covered under the Form. For example, questions remain regarding whether any such losses directly resulted from the data breach, whether the losses occurred during the Form’s restoration period, and whether losses incurred due to unrenewed contracts are covered under the Form. Defendant itself has noted that several of these are issues for trial. Moreover, with respect to at least some of these clients, questions of material fact remain as to whether these terminations were due to Plaintiff’s inability to perform work for these clients, on one hand, or general discontent that the data breach occurred, on the other. These are questions for the factfinder, rather than the Court at summary judgment, to decide.
Finally, Plaintiff has produced profit and loss statements providing that its profits indeed declined—at least by certain metrics—from 2018 to 2019. Ex. P to Def.’s Mot., ECF No. 48-18; Ex. Q to Def.’s Mot., ECF No. 48-19.6 This evidence, when viewed alongside the other evidence discussed in this ruling, is sufficient to raise genuine questions of fact as to whether Plaintiff suffered covered losses resulting from the data breach and in what amount. Even if the jury were to find that Plaintiff’s net profits did not decline year-over-year from 2018 to 2019, a reasonable jury could still find that Plaintiff suffered a covered loss because its profits would have been even higher in 2019, but for the breach. See Ex. N to Pl.’s Opp. (“McDonald Depo.”), ECF No. 52-15, at 152:1–152:9 (suggesting that Plaintiff may have been growing and then suffered a loss due to the data breach). In light of this evidence, as well as the other evidence discussed above, a
reasonable jury could find that Plaintiff suffered a loss in business income due to the data breach. In sum, after reviewing the record, the Court cannot conclude that the parties intended for Plaintiff’s data breach coverage to be so limited as to categorically exclude the losses Plaintiff claims in this case. Similarly, construing the evidence in the light most favorable to Plaintiff, the Court cannot conclude that Plaintiff did not suffer a loss in business income due to the data breach. This does not mean that, because Plaintiff expended resources to remediate the effects of the data breach on its clients, the jury must find that Plaintiff’s business operations were impaired under
6 The Court is unconvinced by Defendant’s argument that this purported decline in profits constitutes a new theory of damages that Plaintiff did not previously assert in this action. To the contrary, Defendant argued that Plaintiff suffered no net losses, and Plaintiff rebutted that point. the Policy. A reasonable jury could conclude that Plaintiff was able to function at full capacity after the data breach, but it simply chose to prioritize data breach remediation and to neglect other planned client services. Moreover, the Policy provides that, in order for the losses at issue here to be covered, the impairment Plaintiff suffered must have resulted from the data breach. Thus, if
the jury finds that Plaintiff chose to divert resources to remediate the effects of the data breach when it did not need to do so, the jury could reasonably find that Plaintiff’s reallocation of resources did not constitute impairment under the terms of the Policy because the reallocation was not necessitated by the data breach but, rather, resulted from another intervening factor—namely, Plaintiff’s business decision. The Court acknowledges that this case presents a unique situation in which the steps an insured party took to remediate a data breach look similar to the work the insured party typically performs. This case is also unique because Plaintiff may have been independently responsible for remedying the effects of the data breach on its clients even if the breach had originated from another source. Plaintiff’s theory of coverage, however, is that it was forced to divert resources
from its normal business operations, and thereby suffered losses, due to the occurrence of a covered data breach. Defendant has not supplied the Court with evidence to establish, as a matter of law, that the parties intended that Plaintiff’s purported forced diversion of resources would not constitute an impairment of Plaintiff’s business operations under the terms of the Policy. Plaintiff, on the other hand, has put forth evidence creating genuine issues of material fact as to whether it suffered impairment of its business operations, as defined under the Form. Accordingly, the Court denies Defendant’s motion to the extent it seeks summary judgment on the ground that Plaintiff has not suffered business interruption losses. 2. Whether Plaintiff Has Provided Sufficient Evidence for a Jury to Calculate Damages
The Court is similarly unpersuaded by Defendant’s argument that Plaintiff has not provided sufficient evidence for a jury to calculate damages from lost monthly service agreements. Under Connecticut law, the elements of a breach of contract claim are “formation of an agreement, performance by one party, breach of the agreement by the other party, and damages.” CCT Commc’ns, Inc. v. Zone Telecom, Inc., 172 A.3d 1228, 1240 (Conn. 2017). With respect to the damages element of a breach of contract claim, “a plaintiff must prove damages with reasonable certainty, which means that a trier of fact must have a sufficient basis for estimating their amount in money.” Van Natta v. Great Lakes Reinsurance (UK) SE, 462 F. Supp. 3d 113, 136 (D. Conn. 2020), reconsideration denied, No. 3:18-CV-438 (SRU), 2020 WL 5215461 (D. Conn. Sept. 1, 2020). “Mathematical exactitude,” however, is not “a precondition to an award of damages.” Id. (cleaned up) (quoting Am. Diamond Exch., Inc. v. Alpert, 28 A.3d 976, 986–87 (Conn. 2011)). Accordingly, to survive summary judgment on the issue of damages, “the evidence must simply afford a ‘basis for a reasonable estimate’ by the trier of fact,” id. (quoting, in part, Paiva v. Vanech Heights Constr. Co., 271 A.2d 69, 72 (Conn. 1970)), and “a defendant is entitled to summary judgment based on a plaintiff’s failure make out a prima facie case for damages only when no reasonable jury could set the amount of damages,” id. (italicization added). Here, the record contains financial documents showing declines in Plaintiff’s profits, under
certain metrics, around the time of the data breach, see Ex. L to Pl.’s Opp., ECF No. 52-13; Ex. M to Pl.’s Opp., ECF No. 52-14, Exs. P & Q to Def.’s Mot., and testimony regarding contracts Plaintiff claims were terminated due to the data breach, see Pl.’s L. R. 56(a)2 St. ¶¶ 86–104. Defendant claims that summary judgment is warranted because Plaintiff has failed to present evidence of how much profit it would have made on each monthly service agreement it lost due to the data breach. But, in light of the financial documents and terminated agreements evidenced in the record, the Court cannot conclude that a jury would lack a sufficient basis to estimate Plaintiff’s purported damages. See Van Natta, 462 F. Supp. 3d at 136 (noting that “[m]athematical exactitude” is not “a precondition to an award of damages”). Accordingly, the Court finds that
Plaintiff has provided sufficient evidence of damages from purportedly lost monthly service agreements to avoid summary judgment on this issue. For the foregoing reasons, Defendant’s motion is denied to the extent it seeks summary judgment on Count One. V. COUNT THREE: BREACH OF THE IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING (BAD FAITH)
The Court next finds that, because Plaintiff has failed to provide sufficient evidence that Defendant acted in bad faith, Defendant is entitled to summary judgment on Count Three. A. Legal Standard Connecticut law recognizes a cause of action for breach of the covenant of good faith and fair dealing, which is also known as “bad faith.” Van Dorsten v. Provident Life & Acc. Ins. Co., 554 F. Supp. 2d 285, 287 (D. Conn. 2008). The covenant of good faith and fair dealing is implied in all contracts, including insurance contracts. Id. In other words, “every contract carries an implied duty requiring that neither party do anything that will injure the right of the other to receive the benefits of the agreement.” Geysen v. Securitas Sec. Servs. USA, Inc., 142 A.3d 227, 237 (Conn. 2016). The implied covenant of good faith and fair dealing “presupposes that the terms and purpose of the contract are agreed upon by the parties and that what is in dispute is a party’s discretionary application or interpretation of a contract term.” Id. In order to establish a claim for breach of the implied covenant, a plaintiff must show: (1) that “the plaintiff and the defendant were parties to a contract under which the plaintiff reasonably expected to receive certain benefits”; (2) that “the defendant engaged in conduct that injured the plaintiff’s right to receive some or all of those benefits”; and (3) that, “when committing the acts by which it injured the plaintiff’s right to receive benefits [the plaintiff] reasonably expected to receive under the contract, the defendant was acting in bad faith.” Franco v. Yale Univ., 238 F.
Supp. 2d 449, 455 (D. Conn. 2002), aff’d, 80 F. App’x 707 (2d Cir. 2003) (citing Fairfield Fin. Mortg. Grp., Inc. v. Salazar, No. CV000339752S, 2002 WL 1009809, at *3 (Conn. Super. Ct. Apr. 23, 2002)); see Capstone Bldg. Corp. v. Am. Motorists Ins. Co., 67 A.3d 961, 986 (Conn. 2013) (“To constitute a breach of the implied covenant of good faith and fair dealing, the acts by which a defendant allegedly impedes the plaintiff’s right to receive benefits that he or she reasonably expected to receive under the contract must have been taken in bad faith.” (cleaned up)). Bad faith, in general, “implies . . . actual or constructive fraud, or a design to mislead or deceive another, or a neglect or refusal to fulfill some duty or some contractual obligation, not prompted by an honest mistake as to one’s rights or duties, but by some interested or sinister motive.” Dorfman v. Smith, 271 A.3d 53, 71 (Conn. 2022) (alteration in original). The Connecticut Supreme Court has
repeatedly reaffirmed that bad faith “means more than mere negligence; it involves a dishonest purpose.” See, e.g., id.; De La Concha of Hartford, Inc. v. Aetna Life Ins. Co., 849 A.2d 382, 388 (Conn. 2004). Thus, “a mere coverage dispute, or even simple negligence on the part of the insurer, does not constitute bad faith on the insurer’s part.” Van Dorsten, 554 F. Supp. 2d at 287. B. Discussion Defendant asserts that summary judgment is warranted on Count Three because Plaintiff has failed to present evidence showing that Defendant acted in bad faith. In response, Plaintiff references communications and deposition testimony that purportedly show that Defendant misrepresented the terms of the Policy and failed to reasonably investigate Plaintiff’s claim. Notably absent from these exhibits, however, is any evidence that Defendant acted with a dishonest purpose. Because Plaintiff has failed to direct the Court to any evidence demonstrating that Defendant acted in bad faith, Defendant is entitled to summary judgment with respect to Count Three.
At their core, Plaintiff’s allegations of bad faith are: first, that Defendant did not appropriately discuss business interruption loss coverage with Plaintiff in the aftermath of the data breach; and second, that Defendant did not ask Plaintiff for information that would have been necessary to conduct a good faith and reasonable investigation into Plaintiff’s purported business interruption losses. Plaintiff relies predominantly on the following evidence. First, Plaintiff claims that Guittar sent an email to McDonald on June 19, 2019, that deceptively omitted mention of business interruption coverage. Second, Plaintiff cites correspondence between its insurance broker, Ted Barber, and Defendant, in which Barber purportedly sought clarification regarding Plaintiff’s first-party coverage and Defendant responded by issuing a $35,000 check without sufficient clarification. Third, Plaintiff relies on deposition testimony of Jason Cormier,
Defendant’s property claim director and corporate representative, for the proposition that Defendant did not request any documentation regarding Plaintiff’s first-party claim, despite Defendant’s usual practice of doing so. Plaintiff asserts that, instead of requesting documentation, Defendant relied only on conversations with Plaintiff to arrive at its coverage position. None of the evidence Plaintiff references indicates that Defendant acted with a dishonest purpose. Applying Connecticut law, the Second Circuit has stated that “[a]llegations of a mere coverage dispute or negligence by an insurer in conducting an investigation will not state a claim for bad faith against an insurer.” Mazzarella v. Amica Mut. Ins. Co., 774 F. App’x 14, 17 (2d Cir. 2019). Moreover, a plaintiff “cannot recover for bad faith if the insurer denies a claim that is ‘fairly debatable,’ i.e., if the insurer had some arguably justifiable reason for refusing to pay or terminating the claim.” McCulloch v. Hartford Life & Acc. Ins. Co., 363 F. Supp. 2d 169, 177 (D. Conn. 2005), adhered to on reconsideration No. 3:01-CV-1115 (AHN), 2005 WL 8165602 (D. Conn. Sept. 29, 2005). Even assuming for the sake of argument that Defendant failed to take the
appropriate steps when considering Plaintiff’s claim, Plaintiff has not explained how this case presents anything more than a coverage dispute over a fairly debatable claim or negligence on the part of Defendant. Notably, Plaintiff’s first argument that Defendant misrepresented Plaintiff’s coverage is belied by the evidence: Guittar’s June 19, 2019, email to Plaintiff explicitly stated that Plaintiff’s “Data Breach Expense Coverage includes . . . Cyber Business Interruption and Extra Expense.” Ex. V to Pl.’s Opp. at 3. This undercuts Plaintiff’s assertion that Guittar’s email deceptively excluded mention of this coverage. In any event, given the ambiguity in the Cyber Business Interruption and Extra Expense provision of the Policy, as discussed above, whether Plaintiff was entitled to coverage under the provision was fairly debatable. Therefore, Defendant’s
representations that it did not need to provide coverage for such losses do not, on their own, constitute bad faith. With respect to Plaintiff’s assertion that Defendant improperly failed to investigate Plaintiff’s claim and that Plaintiff was injured as a result, Plaintiff has not offered any evidence that Defendant’s purported failure to properly investigate was due to anything other than negligence. Thus, at most, Plaintiff’s evidence suggests that Defendant incorrectly took the position that it would not provide coverage for a fairly debatable claim and negligently failed to investigate that claim. Plaintiff has offered no evidence that Defendant’s agents committed any acts or omissions with a dishonest purpose. Accordingly, no reasonable jury could find for Plaintiff with respect to Count Three. For the foregoing reasons, the Court grants Defendant’s motion to the extent it requests summary judgment on Count Three, Plaintiff’s claim for breach of the implied covenant of good
faith and fair dealing. VI. CONCLUSION For the reasons described herein, Defendant’s motion for summary judgment is GRANTED IN PART and DENIED IN PART. The Court will convene a conference with the parties to set a trial date and deadlines for pretrial submissions with respect to Count One, Plaintiff’s breach of contract claim.
SO ORDERED at Hartford, Connecticut, this 12th day of December, 2022.
/s/ Sarala V. Nagala SARALA V. NAGALA UNITED STATES DISTRICT JUDGE