A U.S. appeals court has rejected an insurer’s “direct loss” defense and ruled that a national retailer is entitled to recover nearly $7 million for a computer hacking claim.

The case involved DSW Shoe Warehouse and National Union Fire Insurance Co.—a subsidiary of American International Group Inc. (AIG).

The ruling by the U.S. Court of Appeals for the Sixth Circuit in Ohio upholds a district court summary judgment in the state that turned away AIG’s attempts to exclude coverage with several exclusions, including that the “direct loss” provision in its crime insurance policy excluded the retailer’s computer hacking claim, according to law firm Anderson Kill & Olick (AKO), who represented DSW.

The appeals court says the exclusion language in the policy was not unmistakably clear. The judges say, “The phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself.”  

The ruling is “good news for any business that accepts credit cards or stores customer data in any form,” AKO says.

AIG could not immediately be reached for comment.

Early in 2005 a computer hacker accessed DSW’s local wireless network and downloaded credit card and checking account information to more than 1.4 million customers of more than 100 stores, according to court documents. Fraudulent transactions followed.

DSW’s expenses from the hacking incident included customer communications, public relations, customer claims and lawsuits, and attorney fees related to investigations by multiple state attorneys general and the Federal Trade Commission (FTC).

Upon receiving the claim, AIG’s counsel concluded DSW’s losses were not the direct result of the theft and the insurer appealed a summary judgment of $5.3 million in losses and about $1.5 million in interest.

AKO attorney and DSW counsel Joshua Gold says the appeals court ruling is significant to buyers of fidelity, crime and financial institution bond coverage “because the direct loss argument is a recurring defense.”

“The case is also very significant given the ever-growing threat of computer data breaches and lack of judicial guidance on insurance coverage for such risks and losses,” Gold adds in a statement.