(Editor's Note: The following article has been contributed by David M. Governo and Corey M. Dennis of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass.)
No business today is immune from the threat of a costly data security breach. While cyber liability insurance is becoming a recommended element in mitigating the financial exposure associated with such breaches, which are estimated to cost between $3.7 million and $5.5 million per incident, businesses have found coverage under traditional insurance policies in some limited circumstances.
The U.S. Court of Appeals for the Sixth Circuit recently held in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012), that DSW Inc., DSW Shoe Warehouse, Inc., and Retail Ventures, Inc. (an affiliated company) were entitled to coverage under a commercial crime policy for a $6.8 million loss resulting from a cyber attack.
In February 2005, computer hackers gained unauthorized access to the wireless network at one of DSW’s stores, downloading credit card and checking account information pertaining to more than 1.4 million customers of 108 stores. The following month, DSW, DSW Shoe Warehouse, and Retail Ventures (collectively “DSW”) were alerted to fraudulent transactions using the stolen customer information. Soon thereafter, DSW notified its insurer, National Union Fire Insurance Company, of its insurance claim based on the data breach. National Union subsequently denied coverage under the computer fraud rider to a “Blanket Crime Policy,” stating that the loss was excluded because it related to theft of confidential customer information and that the policy did not cover “indirect loss.”
DSW ultimately incurred more than $5.3 million in losses, including costs associated with the compromised credit card information (that is, charge backs, card reissuance, account monitoring, and fines imposed by VISA and MasterCard), as well as expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the Federal Trade Commission. The parties later stipulated that the losses totaled more than $6.8 million (excluding DSW’s self-insured retention), including prejudgment interest.
DSW filed an action in Ohio state court seeking a declaratory judgment and asserting claims for breach of contract and breach of the duty of good faith and fair dealing. National Union counterclaimed seeking a declaratory judgment and later removed the case to the U.S. District Court for the Southern District of Ohio. On cross-motions for summary judgment, the court held that DSW was entitled to coverage under the computer fraud rider but rejected DSW’s bad faith claim.
On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed. National Union argued that the District Court erred in applying a traditional “proximate cause” standard to determine whether DSW sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud” under the policy. However, the Sixth Circuit rejected that argument, agreeing with the District Court that the Ohio Supreme Court would apply a proximate cause standard (as an issue of first impression) and that that there was a sufficient link between the hacking incident and DSW’s financial loss.
National Union also argued that the loss was excluded because the customer information fell within an exclusion for loss of “proprietary” or “confidential” information. The Sixth Circuit disagreed, explaining that the information was not secret information held only by DSW, but rather, was held by many entities, including the customer, financial institutions, and other merchants. Nevertheless, the court rejected DSW’s bad faith claim, holding that National Union’s denial of coverage was reasonably justified and the claim was “fairly debatable.”
The Retail Ventures, Inc. decision serves as a reminder to policyholders that, depending on the circumstances and particular policies at issue, they may find coverage for data breaches under traditional policies. However, this complex area of the law is developing quickly, as are the relevant insurance policies, and insureds cannot expect to rely on traditional policies to cover non-traditional claims. For instance, last year Zurich American Insurance Company filed a declaratory judgment action seeking a ruling that it has no obligation to provide coverage to Sony Corp. under a commercial general liability policy following a massive data breach that resulted in the filing of more than 50 class action lawsuits and a loss of over $178 million. That action is currently pending in New York state court.
For many businesses today, cyber liability insurance is the recommended solution, as it is specifically designed to cover losses arising from data breaches and related losses, such as business revenue lost due to hacking, costs of restoring lost data, costs of notifying and providing credit monitoring for affected parties, forensic investigation costs, regulatory compliance costs, and costs of defending lawsuits and paying judgments or settlements. In any event, it is advisable for businesses to consult with insurance professionals and legal counsel to ensure protection from the financial risks associated with data breaches.