Insured’s Claims against Insurer under Cyber Policy Survive Motion to Dismiss

    The federal district court denied the insurer's motion to dismiss the insured's claims under a Commercial Cyber Policy, but granted the motion to dismiss the producer of the policy. Connelly Law Offices, PLLC v. Cowbell Cyber, Inc., 2025 U.S. Dist. LEXIS 152604 (W.D. Wash. Aug 7, 2025). 

    Woods Law and plaintiff Connelly Law Offices worked together on a personal injury lawsuit. The lawsuit resolved for $15,000,000. The funds were deposited into plaintiff's trust account for distribution. Under the fee agreement, Woods Law was to receive $1,501,885.55 in attorney fees and costs. 

    Plaintiff suffered a security breach that allowed hackers to obtain unauthorized access to the security codes and passwords of its employees' email accounts. The hackers were able to obtain details about the settled personal injury lawsuit and settlement. The hackers created a spoofed email account to impersonate Cary Woods at Woods Law. This allowed the hackers to intercept and delete emails sent by Woods Law to Plaintiff's employees. 

    Plaintiff's employee, Micah LeBank emailed Cary Woods at cwoods@carywoodslaw.com. and asked for tax information about the firm. LeBank received an email from cwoods@carywoodlaw.com (the hacker's spoofed email account, which did not have an "s" in the domain name). The spoofed email said Cary Woods was in Europe for vacation and asked about wiring the funds. LeBank asked that Woods send wiring instructions. The hackers then sent wiring instructions for a fraudulent CitiBank account to LeBank. 

    The hackers also intercepted an email arranging a phone call between plaintiff's firm and Woods Law to confirm the wiring instructions. A fake phone number was sent to plaintiff. Plaintlif called the number and verified the wiring instructions with the hackers. Plaintiff then wired $1,501,885,55 to the fraudulent CitiBank account. 

    The fraud was discovered and Woods Law sued plaintiff for loss of the money wired to the fraudulent account. Woods Law demanded the policy limit of $1,000,000 to settle the claim. The insurer, Spinnaker Insurance Company, denied coverage but defended under a reservation of rights. Citibank was able to recover $379,592.52 lost in the fraud and paid the amount to plaintiff, leaving the amount of lost funds at $1,122,293.03. Plaintiff entered a settlement with Woods Law and paid $1,501,855.55.

    Defendants paid $100,000 towards the claim under the policy's Social Engineering Endorsement, but denied the remainder of the claim.

    Plaintiff sued and defendants moved to dismiss. The dispute centred on whether the settlement between Woods Law and plaintiff was covered under the policy's Security Breach Liability insuring provision. The provision covered "Loss as a result of a Claim . . . for a Wrongful Act." "Wrongful Act" was defined as "[A]ny actual or alleged (a) Securityl Breach, (b) Failure to prevent unauthorised access to, or use of, electronic or non-electronic data containing Personal Information."

    The word "for," as in the clause "Claim . . . for a Wrongful Act," was crucial. Plaintiff did not allege that Woods Law issued a written demand for money damages simply because plaintiff failed to prevent hackers from accessing its employees' email accounts; there were intervening acts of the hacker in the causal chain. Woods Law filed suit because hackers obtained access to the employees' email accounts, spoofed messages between Woods Law and plaintiff, impersonated Woods over the telephone, and only then diverted the funds into a fraudulent CitiBank account, In defendants' view, this meant the Wrongful Act did not form the basis of the relief sought and there was too remote a connection between the Claim and Wrongful Act to qualify for coverage under the Security Breach Liability insuring provision. 

    There was another definition of "for," however. Plaintiff alleged that because of its failure to prevent hackers form accessing one of its employee's email accounts, Woods Law issued a written demand for money damages. Plaintiff alleged its failure to prevent unauthorised access to an employee's email account directly resulted in the loss of the money plaintiff intended to pay to Woods Law under the fee agreement and the subsequent written demand for money damage. This interpretation of the Security Breach Liabltily insuring provision was reasonable because it employed a common meaning of "for." The ambiguity had to be construed in favor of plaintiff.

    Therefore, plaintiff plausibly claimed the policy covered its liability under the Security Breach Liability insuring provision. Plaintiff adequately stated a claim for a breach of the duty to indemnify against defendants.

    The claims against Cowbell Cyber Inc. were dismissed, however. That Cowbell was an insurance administrator, sold insurance, performed coverage evaluations, and denied coverage for plaintiff's claim did not show it was an insurer.