Every day another corporation suffers a major data breach. Class action privacy breach lawsuits often follow, and companies incur substantial nonlegal expenses in responding to data breaches. It is important for every business to understand cyber risks and how to insure against losses arising from data breaches and theft of electronically stored information. In a ruling that may enable companies to obtain insurance coverage for data breaches under traditional first party insurance policies, the United States Court of Appeals for the Sixth Circuit held in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012) that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy.
The Retail Ventures Decision
In February 2005, a computer hacker accessed the computer system of Designer Shoe Warehouse (DSW) and downloaded credit card and checking account information from 1.4 million DSW customers. Following the data breach, DSW incurred losses of more than $5 million, which included not only losses incurred by the company in connection with customer communications and public relations but also legal fees and expenses incurred in addressing customer claims, lawsuits and investigations by state attorneys general and the Federal Trade Commission. Losses associated with “charge backs, card reissuance, account monitoring, and fines imposed by” the credit card companies accounted for more than $4 million of those expenses.
DSW and its parent company, Retail Ventures, sought coverage for the losses under a commercial crime policy issued by AIG subsidiary National Union Fire Insurance Company of Pittsburgh, PA. DSW argued that coverage existed under a policy endorsement providing coverage for “[l]oss which the Insured shall sustain resulting directly from … the theft of any Insured property by Computer Fraud.” After National Union refused to provide coverage, the policyholders filed suit in Ohio federal court seeking coverage for all damages DSW experienced.
The central issue in the case was whether DSW could recover the amounts paid to third parties as a result of the data breach. The insurer argued that the policy at issue was a first-party fidelity bond, and therefore DSW was entitled to recover damages only for its own losses — e.g., customer communication and public relations costs — but not for any liability to third parties such as customers or credit card companies. National Union relied on a series of cases holding that when an insured incurs liability to a third party as a result of employee misconduct, financial loss resulting from that liability does not “directly” result from the employee misconduct and therefore is not covered by fidelity bonds containing “direct loss” language.
Affirming the trial court, the Sixth Circuit rejected the insurer’s argument and applied a proximate cause standard to the phrase in the policy “resulting directly from.” Because the amounts paid to customers through chargebacks and amounts paid to the credit card companies were proximately caused by the data breach, the court concluded that all DSW’s losses were covered.
The Sixth Circuit also rejected National Union’s argument that coverage was barred by a policy exclusion for “loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” National Union argued that the stolen data was proprietary information, thus barring coverage, but the Sixth Circuit found that the customers’ banking information was not confidential information of DSW and did not involve the manner in which it operated its business. Rather, the exclusion applied only to “secret information of [the policyholders] involving the manner in which business is operated” and did not apply to DSW’s claim.
The Impact of Retail Ventures
Today, many commercial insurers offer affirmative coverage for data breach claims. Firms considering the purchase of a cyber liability policy should review the proposed policies carefully to be sure that the policy provides coverage for the risks the insured seeks to manage.
Even absent specific cyber liability coverage, however, the Retail Ventures case demonstrates that commercial policyholders may be entitled to coverage for data breach claims under traditional first-party property policies such as fidelity bonds. Therefore, if a business experiences a data breach, it should explore not only coverage under any affirmative “cyber” policy but also under other traditional first-party coverages.
For more information, please contact either of the authors, L.D. Simmons and Joshua Davey, or any other member of the McGuireWoods insurance recovery team.