(Editor's Note: The following article has been contributed by David M. Governo and Corey M. Dennis of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass.)
No business today is immune from the threat of a costly data security breach. While cyber liability insurance is becoming a recommended element in mitigating the financial exposure associated with such breaches, which are estimated to cost between $3.7 million and $5.5 million per incident, businesses have found coverage under traditional insurance policies in some limited circumstances.
DSW filed an action in Ohio state court seeking a declaratory judgment and asserting claims for breach of contract and breach of the duty of good faith and fair dealing. National Union counterclaimed seeking a declaratory judgment and later removed the case to the U.S. District Court for the Southern District of Ohio. On cross-motions for summary judgment, the court held that DSW was entitled to coverage under the computer fraud rider but rejected DSW’s bad faith claim.
On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed. National Union argued that the District Court erred in applying a traditional “proximate cause” standard to determine whether DSW sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud” under the policy. However, the Sixth Circuit rejected that argument, agreeing with the District Court that the Ohio Supreme Court would apply a proximate cause standard (as an issue of first impression) and that that there was a sufficient link between the hacking incident and DSW’s financial loss.