Retail Ventures Decision Is Another Example of Ongoing Efforts to Determine How Insurance Applies to Cyber Attacks
The Sixth Circuit Court of Appeals recently affirmed a judgment in favor of the insured, finding that a computer fraud rider to a commercial crime policy covered loss arising from a data breach in which computer hackers stole confidential personal information. Specifically, in Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa. (6th Cir. Aug. 23, 2012), the Court affirmed the trial court’s rulings in favor of the insured (1) that the loss from the data breach “result[ed] directly from” the hacking scheme and (2) that an exclusion for loss of confidential information did not apply to the loss of customer information. The trial court’s ruling in favor of the insurer on the bad faith count also was affirmed.
Scope of Loss
As part of a larger scheme, hackers were able to use the wireless network at a DSW Shoe Warehouse store to access the company’s electronic systems and download credit card and checking account numbers for more than 1.4 million customers at 108 stores. The hackers then used the stolen information for various fraudulent transactions. The insureds submitted a proof of loss that included amounts incurred for communications with customers, public relations in reaction to the breach, and defense costs for responding to various government investigations. However, the largest share of the costs submitted for coverage was for responding to customer complaints related to compromised credit card information.
Legal Argument
The insuring agreement of the computer fraud rider provided, in relevant part, coverage for “Loss which the Insured shall sustain resulting directly from: [t]he theft of any Insured property by Computer Fraud…” The insurer did not dispute that the copying of customer information qualified as the theft of Insured property by Computer Fraud. The insurer’s main argument was that the losses incurred by the insured did not “result … directly from” the activities of the hackers, and that the district court’s use of a proximate cause standard to measure causation was incorrect. Citing cases interpreting language in fidelity bonds, the insurer argued that “resulting directly from” required that the hacking be the “sole” and “immediate” cause of the loss, an argument the court characterized as “direct-means-direct.” The plaintiff, on the other hand, relied on cases applying a “proximate cause” standard for fidelity bond policies.
Without deciding which interpretation was correct, the Sixth Circuit held that the “resulting directly from” language was ambiguous. The Court also cited to Ohio cases applying a “proximate cause” test in a first-party context to support affirming the district court’s decision to apply a proximate cause standard to determine whether loss resulted “directly from” the wrongful acts.
The insurer also argued that an Exclusion for “loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind” barred coverage, but the Court rejected the argument. Applying the interpretive principle of ejusdem generis – described as requiring that “the general term must take its meaning from the specific terms with which it appears” – the Court ruled that the confidential information referred to in the exclusion must be the insured’s confidential information related to the operation of its business, rather than personal information of customers. The Court raised the concern that, if “confidential information” included customer information, it would make the other words in the exclusion unnecessary and may render the computer fraud coverage illusory.
Finally, the Sixth Circuit affirmed summary judgment in favor of the insurer on the insured’s bad faith count. The insured argued that, under Ohio law, a denial of coverage is permissible only if an insurer had reason to believe that its interpretation of the policy was the “only reasonable one.” The Sixth Circuit ruled that Ohio law did not support this argument, which would effectively equate breach of contract and breach of the duty of good faith. The Court also rejected the insured’s argument that the insurer requesting a second opinion constituted a one-sided coverage investigation conducted in bad faith.
In Development: Cyber Liability
Cyber liability is a developing area of the law, and insurance coverage issues related to these relatively new types of claims are developing as well. Although new policies are being written specifically to address data breach and other cyber risks, insureds may still seek coverage under traditional general liability, professional liability, or commercial crime policies, which may, like the policy here, contain endorsements addressing computer-related risks.
Here, a court was willing to interpret the policy language as being broader than the insurer believed it to be. In other cases, courts have upheld insurers' arguments that their policies were not written to cover risks associated with lost data. Careful analysis of the terms of policies is necessary, particularly when an insured has not purchased a policy specifically written to address cyber claims.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.