ARTICLE
18 September 2012

Sixth Circuit Confirms That Cybercrime Is Crime … And Finds Coverage


On August 28, 2012, the 6th Circuit Court of Appeals handed down a groundbreaking decision that sent shockwaves through the world of cyber-risk insurance. As many have quipped, the court held that crime (coverage) does pay, finding that a computer fraud rider on a standard blanket crime policy covered losses stemming from a hacker's theft of the insured's customers' credit card and bank account data. This ruling is undoubtedly good news for policyholders and their counsel, and especially those policyholders who have resisted purchasing widely available cyber-risk insurance coverage.

The case arose out of a well-publicized 2005 cyber-attack on DSW, the national shoe warehouse chain. In February of that year, a hacker gained access to DSW's main computer system through one of its local wireless networks and compromised more than 1.4 million customers' credit card and checking accounts. The hacker then used the information to engage in fraudulent credit card transactions, exposing DSW to significant liability. As a result of the breach, DSW incurred expenses of more than $5 million in connection with customer communications, public relations, customer claims, lawsuits, governmental investigations, attorneys' fees and fines imposed by the credit card companies, which alone amounted to more than $4 million of the total expenses.

DSW sought coverage from National Union pursuant to a "Computer & Funds Transfer Fraud Coverage" endorsement to the crime policy, which provided that National Union would pay for loss that the insured sustained "resulting directly from ... the theft of any Insured Property by Computer Fraud ...." National Union denied the claim on the grounds that the loss was excluded under the computer fraud rider because it was related to the theft of proprietary confidential customer credit card information. Moreover, National Union asserted that DSW's loss did not qualify as a loss "resulting directly from" the theft of insured property. The trial court granted summary judgment to DSW for the full amount of the loss, plus interest, but denied its bad faith claims against National Union.

The 6th Circuit, affirming the lower court's decision, held that a proximate cause standard should be applied to determine whether an insured sustained loss "resulting directly from" the theft of insured property. In so doing, the court rejected National Union's argument that the policy is essentially a traditional fidelity bond, which does not provide third-party liability coverage. The court noted that the terms of the policy, rather than its title, govern the coverage provided and found that aspects of the policy specifically contemplated third-party coverage. It also disagreed with National Union's argument that "resulting directly from" unambiguously means that the data breach must be the sole or immediate cause of the insured's loss. Rather, the court found that the operative language only required that the breach be the proximate cause of the loss. Thus, it held that the losses that DSW suffered resulted directly from the data breach as required by the terms of the policy.

Finally, the court held that the exclusion for proprietary and other confidential information did not apply. Specifically, the exclusion provided: "Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind." The court held that even if the copying of customer information qualified as a "loss," it was not a loss of "proprietary information ... or other confidential information of any kind." Rather, it reasoned that the customers' credit card and checking account information was not proprietary because it was owned or held by many entities, including the customers themselves, the financial institutions that issued the cards, and all of the merchants involved in the stream of commerce. Thus, the term "other confidential information of any kind" could not be construed so broadly as to encompass all information that individuals expect to be protected from unauthorized disclosure, because such a broad interpretation "would swallow not only the other terms in [the] exclusion but also the coverage for computer fraud." Further, the court held that the exclusion only applied to the insured's confidential or proprietary information relating to the manner in which the insured conducts its business. It did not apply to customer information because such information does not "involve the manner in which the business is operated."

Though based on Ohio law, the implications of the DSW decision are likely to be far-reaching. We can expect that if they haven't done so already, policyholders will pursue similar claims in other jurisdictions. With this ruling, they will now have a detailed roadmap to help them do so.

The case caption is Retail Ventures, Inc., v. National Union Fire Insurance Company of Pittsburgh, Pa., No. 2:06-cv-443 (6th Cir. August 23, 2012), and can be found here.

www.cozen.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
