A New Mexico Court docket of Appeals resolution illustrates that when a coverage time period is undefined and ambiguous, the time period have to be interpreted liberally and in favor of protection. In Kane v. Syndicate 2623-623 Lloyd’s of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025), the courtroom affirmed abstract judgment for a policyholder and held {that a} cyber legal responsibility coverage afforded protection for the policyholder’s loss that resulted from a post-breach fraudulent funds switch as a result of the preposition “for” was broad sufficient to afford protection for a 3rd occasion declare ensuing from a safety breach.
Background
After New Mexico Well being Connections’ (NMHC) e-mail system was hacked, a foul actor emailed fraudulent invoices on the shape that one in every of NMHC’s distributors used for its invoices. The fraudulent invoices altered the receiving checking account data and requested over $4 million earlier than sending them to NMHC’s accounting division. NMHC wired fee to the fraudulent checking account listed on the invoices, believing that it was paying its vendor. Ultimately, the seller contacted NMHC searching for fee for the precise invoices, which triggered NMHC to find the safety breach.
NMHC did not pay the seller who was awaiting fee for the seller’s unique invoices. The seller then demanded fee from NMHC. NMHC then tendered the seller’s demand to its insurer and requested protection and indemnification. The insurer denied third occasion protection for the declare taking the place that the seller’s declare for the unpaid bill quantities didn’t set off third-party legal responsibility protection below the coverage for a safety breach, and even when it did, the coverage’s lack of cash exclusions barred protection for the third-party declare. In response, NMHC filed a lawsuit in district courtroom towards the insurer for breach of the coverage’s third-party legal responsibility provision.
Whereas the events didn’t dispute that the coverage’s fraudulent instruction protection utilized, their dispute rested on whether or not the seller’s third-party declare for the unpaid invoices was a declare “for” a safety breach.
The district courtroom granted abstract judgment in NMHC’s favor and concluded that the coverage’s third-party legal responsibility provision coated the seller’s declare towards “for” a safety breach as a result of the declare “arose from” a safety breach and “flowed from a safety breach.” The district courtroom additionally held that the exclusions cited by the insurer had been inapplicable.
Court docket of Appeals Determination
The insurer appealed to the New Mexico Court docket of Appeals asserting, because it did within the district courtroom, that the coverage’s third-party legal responsibility protection doesn’t apply as a result of the seller’s declare was not a declare “for” a safety breach and that the coverage’s exclusions referring to lack of cash barred protection.
The Court docket of Appeals examined the coverage’s third-party protection knowledge and community legal responsibility protection which supplied protection for, amongst different issues, any declare first made towards an insured through the coverage interval “for . . . a safety breach.” There was no dispute concerning the time period “safety breach” or whether or not the fraudulent and unauthorized invasion of NMHC’s e-mail constituted a safety breach. Nevertheless, the events tussled over what the time period “for” meant. The insurer claimed that the preposition “for” within the coverage phrase solely meant “equal to” and concluded that protection is supplied just for a loss immediately linked to the safety breach, and never for the associated fraudulent funds switch. NMHC, alternatively, construed “for” as which means “due to,” “arising out of,” or “because of.”
The Court docket of Appeals first regarded to the dictionary whereas analyzing the coverage’s which means of the phrase “for.” The courtroom acknowledged that each events’ most popular meanings of “for” had been included within the frequent utilization of the phrase, which demonstrated ambiguity. The Court docket of Appeals additionally mentioned that lack of consensus amongst courts in decoding the which means of a coverage time period, resembling “for,” is indicative of ambiguity. The courtroom finally accepted the reasoning of the policyholder and the district courtroom and decided that “for” might fairly be understood to both imply “immediately linked” to or “causally linked” to a safety breach.
The Court docket of Appeals additionally regarded to the coverage’s knowledge restoration prices protection provision, which coated prices incurred “as a direct results of a safety breach.” The courtroom reasoned that as a result of the legal responsibility protection supplied protection “for a safety breach” with out proscribing protection to occasions the place a breach or loss have to be “direct,” that it might embody each “direct and oblique” losses.
The Court docket of Appeals additionally rejected the insurer arguments that varied coverage exclusions referring to lack of cash utilized to preclude protection for the third-party declare, discovering that the exclusions didn’t clearly and unambiguously apply to the state of affairs at hand.
For policyholders, the Kane resolution reinforces that even a single-word preposition could be ambiguous when it leads to at the least two affordable interpretations. Certainly, policyholders want solely display {that a} coverage phrase or phrase is open to 2 affordable interpretations, whereas insurers should show that their interpretation is the one affordable one.
