Data Breaches - When Are They Covered?

(Editor's Note: The following article has been contributed by David M. Governo and Corey M. Dennis of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass.)

No business today is immune from the threat of a costly data security breach. While cyber liability insurance is becoming a recommended element in mitigating the financial exposure associated with such breaches, which are estimated to cost between $3.7 million and $5.5 million per incident, businesses have found coverage under traditional insurance policies in some limited circumstances. 

The U.S. Court of Appeals for the Sixth Circuit recently held in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012), that DSW Inc., DSW Shoe Warehouse, Inc., and Retail Ventures, Inc. (an affiliated company) were entitled to coverage under a commercial crime policy for a $6.8 million loss resulting from a cyber attack.

In February 2005, computer hackers gained unauthorized access to the wireless network at one of DSW’s stores, downloading credit card and checking account information pertaining to more than 1.4 million customers of 108 stores. The following month, DSW, DSW Shoe Warehouse, and Retail Ventures (collectively “DSW”) were alerted to fraudulent transactions using the stolen customer information. Soon thereafter, DSW notified its insurer, National Union Fire Insurance Company, of its insurance claim based on the data breach. National Union subsequently denied coverage under the computer fraud rider to a “Blanket Crime Policy,” stating that the loss was excluded because it related to theft of confidential customer information and that the policy did not cover “indirect loss.” 

DSW ultimately incurred more than $5.3 million in losses, including costs associated with the compromised credit card information (that is, charge backs, card reissuance, account monitoring, and fines imposed by VISA and MasterCard), as well as expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the Federal Trade Commission. The parties later stipulated that the losses totaled more than $6.8 million (excluding DSW’s self-insured retention), including prejudgment interest.

DSW filed an action in Ohio state court seeking a declaratory judgment and asserting claims for breach of contract and breach of the duty of good faith and fair dealing.  National Union counterclaimed seeking a declaratory judgment and later removed the case to the U.S. District Court for the Southern District of Ohio. On cross-motions for summary judgment, the court held that DSW was entitled to coverage under the computer fraud rider but rejected DSW’s bad faith claim.

On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed. National Union argued that the District Court erred in applying a traditional “proximate cause” standard to determine whether DSW sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud” under the policy. However, the Sixth Circuit rejected that argument, agreeing with the District Court that the Ohio Supreme Court would apply a proximate cause standard (as an issue of first impression) and that there was a sufficient link between the hacking incident and DSW’s financial loss.

National Union also argued that the loss was excluded because the customer information fell within an exclusion for loss of “proprietary” or “confidential” information. The Sixth Circuit disagreed, explaining that the information was not secret information held only by DSW, but rather, was held by many entities, including the customer, financial institutions, and other merchants.  Nevertheless, the court rejected DSW’s bad faith claim, holding that National Union’s denial of coverage was reasonably justified and the claim was “fairly debatable.”

The Retail Ventures, Inc. decision serves as a reminder to policyholders that, depending on the circumstances and particular policies at issue, they may find coverage for data breaches under traditional policies. However, this complex area of the law is developing quickly, as are the relevant insurance policies, and insureds cannot expect to rely on traditional policies to cover non-traditional claims. For instance, last year Zurich American Insurance Company filed a declaratory judgment action seeking a ruling that it has no obligation to provide coverage to Sony Corp. under a commercial general liability policy following a massive data breach that resulted in the filing of more than 50 class action lawsuits and a loss of over $178 million. That action is currently pending in New York state court.

For many businesses today, cyber liability insurance is the recommended solution, as it is specifically designed to cover losses arising from data breaches and related losses, such as business revenue lost due to hacking, costs of restoring lost data, costs of notifying and providing credit monitoring for affected parties, forensic investigation costs, regulatory compliance costs, and costs of defending lawsuits and paying judgments or settlements. In any event, it is advisable for businesses to consult with insurance professionals and legal counsel to ensure protection from the financial risks associated with data breaches.

