Fifth Circuit Reiterates the Importance of Knowing Your Cyber Policy and Finds Insurance Coverage for Data Breaches

A company’s efforts to win back its customers’ goodwill after a computer-system failure could be covered under its cyber-risk insurance policy, so held the United States Court of Appeals for the Fifth Circuit in an opinion last month.

The dispute presented to the Fifth Circuit arose in response to a 2016 system outage for Southwest Airlines,[1] and Southwest sought to recoup $77 million in losses from its insurer, Liberty Insurance Underwriters, Inc. Liberty disclaimed coverage, arguing that these damages were not the result of the computer-system failure, but rather were related to travel-related perks (such as travel vouchers, future discounts, and rewards points) which Southwest offered to quell any customer backlash. The district court agreed, holding that these costs were “purely discretionary customer-related rewards programs” and not covered by the cyber risk policy.[2]

The Fifth Circuit reversed. In interpreting whether the policy language “all loss that an insured incurs solely as a result of a system failure”[3] covered Southwest’s losses, the Fifth Circuit started with the familiar premise that an insurance contract (like any contract) should be interpreted according to its plain meaning. Turning to its case law interpreting the words of the contract, and the dictionary, the Fifth Circuit noted that a “sole” cause must be independent of the other causes (i.e., the precipitating cause)[4] and reasoned that Southwest’s business decisions to compensate customers after the computer-system failure could be covered under the policy as a link in the causal chain tracing back to the computer-system failure. 

Some have already criticized this decision as allowing Southwest “to dictate the amount of its own loss.”[5] But the Fifth Circuit quickly dismissed this position, holding that there still must be a causal nexus between the system failure and the loss, and that an insured’s general duty to mitigate damages would prevent any unnecessary windfall.[6]

The costs resulting from a data-security incident can have long-lasting effects on an organization. Expenses associated with the investigation, remediation, regulatory enforcement, and reputational fallout following a data-security incident can be devastating to a company if it does not have adequate insurance coverage. 

If you have questions about the adequacy of your cyber-insurance coverage, whether you are adequately protected from a data breach, or if you have experienced a data breach, please contact a member of the HSE Insurance Coverage and Privacy and Data Security teams.

[1] See, e.g., Southwest Airlines Computer Glitch Causes Cancellations, Delays For Third Day, The Wash. Post, [].

[2] Sw. Airlines Co. v. Liberty Ins. Underwriters Inc., 2022 WL 5240650, at *1 n.2 (N.D. Tex. Sept. 6, 2022).

[3] Sw. Airlines Co. v. Liberty Ins. Underwriters Inc., 90 F.4th 847, 850 (5th Cir. 2024).

[4] Id. at 852–53.

[5] Id. at 853 (internal quotation marks omitted).

[6] Id. at 853–54.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2024 Harter Secrest & Emery LLP