Data Breaches - When Are They Covered?

(Editor's Note: The following article has been contributed by David M. Governo and Corey M. Dennis of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass.)

No business today is immune from the threat of a costly data security breach. While cyber liability insurance is becoming a recommended element in mitigating the financial exposure associated with such breaches, which are estimated to cost between $3.7 million and $5.5 million per incident, businesses have found coverage under traditional insurance policies in some limited circumstances. 

The U.S. Court of Appeals for the Sixth Circuit recently held in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012), that DSW Inc., DSW Shoe Warehouse, Inc., and Retail Ventures, Inc. (an affiliated company) were entitled to coverage under a commercial crime policy for a $6.8 million loss resulting from a cyber attack.

In February 2005, computer hackers gained unauthorized access to the wireless network at one of DSW’s stores, downloading credit card and checking account information pertaining to more than 1.4 million customers of 108 stores. The following month, DSW, DSW Shoe Warehouse, and Retail Ventures (collectively “DSW”) were alerted to fraudulent transactions using the stolen customer information. Soon thereafter, DSW notified its insurer, National Union Fire Insurance Company, of its insurance claim based on the data breach. National Union subsequently denied coverage under the computer fraud rider to a “Blanket Crime Policy,” stating that the loss was excluded because it related to theft of confidential customer information and that the policy did not cover “indirect loss.” 

DSW ultimately incurred more than $5.3 million in losses, including costs associated with the compromised credit card information (that is, charge backs, card reissuance, account monitoring, and fines imposed by VISA and MasterCard), as well as expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the Federal Trade Commission. The parties later stipulated that the losses totaled more than $6.8 million (excluding DSW’s self-insured retention), including prejudgment interest.

DSW filed an action in Ohio state court seeking a declaratory judgment and asserting claims for breach of contract and breach of the duty of good faith and fair dealing.  National Union counterclaimed seeking a declaratory judgment and later removed the case to the U.S. District Court for the Southern District of Ohio. On cross-motions for summary judgment, the court held that DSW was entitled to coverage under the computer fraud rider but rejected DSW’s bad faith claim.

On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed. National Union argued that the District Court erred in applying a traditional “proximate cause” standard to determine whether DSW sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud” under the policy. However, the Sixth Circuit rejected that argument, agreeing with the District Court that the Ohio Supreme Court would apply a proximate cause standard (as an issue of first impression) and that there was a sufficient link between the hacking incident and DSW’s financial loss.

National Union also argued that the loss was excluded because the customer information fell within an exclusion for loss of “proprietary” or “confidential” information. The Sixth Circuit disagreed, explaining that the information was not secret information held only by DSW, but rather, was held by many entities, including the customer, financial institutions, and other merchants.  Nevertheless, the court rejected DSW’s bad faith claim, holding that National Union’s denial of coverage was reasonably justified and the claim was “fairly debatable.”

The Retail Ventures, Inc. decision serves as a reminder to policyholders that, depending on the circumstances and particular policies at issue, they may find coverage for data breaches under traditional policies. However, this complex area of the law is developing quickly, as are the relevant insurance policies, and insureds cannot expect to rely on traditional policies to cover non-traditional claims. For instance, last year Zurich American Insurance Company filed a declaratory judgment action seeking a ruling that it has no obligation to provide coverage to Sony Corp. under a commercial general liability policy following a massive data breach that resulted in the filing of more than 50 class action lawsuits and a loss of over $178 million. That action is currently pending in New York state court.

For many businesses today, cyber liability insurance is the recommended solution, as it is specifically designed to cover losses arising from data breaches and related losses, such as business revenue lost due to hacking, costs of restoring lost data, costs of notifying and providing credit monitoring for affected parties, forensic investigation costs, regulatory compliance costs, and costs of defending lawsuits and paying judgments or settlements. In any event, it is advisable for businesses to consult with insurance professionals and legal counsel to ensure protection from the financial risks associated with data breaches.

 
