Data Breaches - When Are They Covered?

(Editor's Note: The following article has been contributed by David M. Governo and Corey M. Dennis of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass.)

No business today is immune from the threat of a costly data security breach. While cyber liability insurance is becoming a recommended element in mitigating the financial exposure associated with such breaches, which are estimated to cost between $3.7 million and $5.5 million per incident, businesses have found coverage under traditional insurance policies in some limited circumstances. 

The U.S. Court of Appeals for the Sixth Circuit recently held in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012), that DSW Inc., DSW Shoe Warehouse, Inc., and Retail Ventures, Inc. (an affiliated company) were entitled to coverage under a commercial crime policy for a $6.8 million loss resulting from a cyber attack.

In February 2005, computer hackers gained unauthorized access to the wireless network at one of DSW’s stores, downloading credit card and checking account information pertaining to more than 1.4 million customers of 108 stores. The following month, DSW, DSW Shoe Warehouse, and Retail Ventures (collectively “DSW”) were alerted to fraudulent transactions using the stolen customer information. Soon thereafter, DSW notified its insurer, National Union Fire Insurance Company, of its insurance claim based on the data breach. National Union subsequently denied coverage under the computer fraud rider to a “Blanket Crime Policy,” stating that the loss was excluded because it related to theft of confidential customer information and that the policy did not cover “indirect loss.” 

DSW ultimately incurred more than $5.3 million in losses, including costs associated with the compromised credit card information (that is, charge backs, card reissuance, account monitoring, and fines imposed by VISA and MasterCard), as well as expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the Federal Trade Commission. The parties later stipulated that the losses totaled more than $6.8 million (excluding DSW’s self-insured retention), including prejudgment interest.

DSW filed an action in Ohio state court seeking a declaratory judgment and asserting claims for breach of contract and breach of the duty of good faith and fair dealing.  National Union counterclaimed seeking a declaratory judgment and later removed the case to the U.S. District Court for the Southern District of Ohio. On cross-motions for summary judgment, the court held that DSW was entitled to coverage under the computer fraud rider but rejected DSW’s bad faith claim.

On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed. National Union argued that the District Court erred in applying a traditional “proximate cause” standard to determine whether DSW sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud” under the policy. However, the Sixth Circuit rejected that argument, agreeing with the District Court that the Ohio Supreme Court would apply a proximate cause standard (as an issue of first impression) and that there was a sufficient link between the hacking incident and DSW’s financial loss.

National Union also argued that the loss was excluded because the customer information fell within an exclusion for loss of “proprietary” or “confidential” information. The Sixth Circuit disagreed, explaining that the information was not secret information held only by DSW, but rather, was held by many entities, including the customer, financial institutions, and other merchants.  Nevertheless, the court rejected DSW’s bad faith claim, holding that National Union’s denial of coverage was reasonably justified and the claim was “fairly debatable.”

The Retail Ventures, Inc. decision serves as a reminder to policyholders that, depending on the circumstances and particular policies at issue, they may find coverage for data breaches under traditional policies. However, this complex area of the law is developing quickly, as are the relevant insurance policies, and insureds cannot expect to rely on traditional policies to cover non-traditional claims. For instance, last year Zurich American Insurance Company filed a declaratory judgment action seeking a ruling that it has no obligation to provide coverage to Sony Corp. under a commercial general liability policy following a massive data breach that resulted in the filing of more than 50 class action lawsuits and a loss of over $178 million. That action is currently pending in New York state court.

For many businesses today, cyber liability insurance is the recommended solution, as it is specifically designed to cover losses arising from data breaches and related losses, such as business revenue lost due to hacking, costs of restoring lost data, costs of notifying and providing credit monitoring for affected parties, forensic investigation costs, regulatory compliance costs, and costs of defending lawsuits and paying judgments or settlements. In any event, it is advisable for businesses to consult with insurance professionals and legal counsel to ensure protection from the financial risks associated with data breaches.

 
