Boundaries of Computer Fraud Insurance Coverage
By Renee Choy Ohlendorf, Litigation News Associate Editor – November 26, 2012
The U.S. Court of Appeals for the Sixth Circuit recently held that an insurer’s non-cyber but general commercial crime policy covered third-party losses resulting from a large-scale computer hacking attack. The decision suggests that as data breaches increase, insureds will have a basis to obtain coverage under their non-cyber policies.
The Retail Ventures Decision
In Retail Ventures, Inc. v. National Union Fire Insurance Company [PDF], computer hackers accessed the computer system of shoe retailer DSW to obtain the credit card and checking account information of more than 1.4 million DSW customers. The retailer incurred $6.8 million of expenses for public relations, defending customer claims and lawsuits, and responding to government investigations.
DSW sought to recover the losses from its insurer under a computer fraud rider to its commercial crime policy. The language provided that loss “resulting directly from . . . [t]he theft of any Insured property by Computer Fraud” was covered. The insurer initially received conflicting opinions from its two outside coverage counsel as to whether DSW’s losses were insured but ultimately denied the claim. DSW subsequently filed suit for coverage under the policy and contended that the insurer’s denial constituted bad faith.
In an issue of first impression under Ohio law, the dispute between the parties centered on what standard the court should apply when interpreting the policy. The court considered whether the policy language “resulting directly from” imposed a traditional proximate causation standard or a heightened standard of causation under the “direct-means-direct” approach.
“Direct-means-direct” requires that the event be the “sole” and “immediate” cause of the loss to trigger coverage. This standard imposes a higher bar that precludes the insured’s claims for vicarious liability to third parties and has been applied in the fidelity bond context. Likening the commercial crime policy to a fidelity bond, the insurer urged the court to adopt the “direct-means-direct” approach.
The appellate court rejected the insurer’s arguments and affirmed the judgment in favor of DSW. In support, the Sixth Circuit cited state court decisions where a proximate cause standard was applied to other types of first-party coverage and predicted that the Ohio Supreme Court would do the same in the context of a commercial crime policy.
The Sixth Circuit also held the policy exclusion for loss of proprietary information to be inapplicable by applying the doctrine of ejusdem generis, whereby the general terms take their meaning from specific terms in the document. The court reasoned that the specific terms in the policy pertained to DSW’s information on its business operations rather than the customer information. It declined to find that the denial of coverage was in bad faith, however, stating that the insurer’s interpretation of the exclusion provisions was reasonable.
Did the Court Expand Coverage under the Policy?
Leaders of the ABA Section of Litigation disagree over the proper scope of coverage for third-party losses under this policy. “On more traditional policies where the loss isn’t excluded, the boundaries of coverage are being tested,” observes Sherilyn Pastor, Newark, NJ, cochair of the Section of Litigation’s Insurance Coverage Litigation Committee.
Some believe the court applied the correct reasoning and reached the correct result. The decision “is consistent with the broader set of principles that are deployed in interpreting an insurance policy,” opines Rukesh A. Korde, Washington, D.C., cochair of the Computer and Technology Subcommittee of the Insurance Coverage Litigation Committee. “Both the Sixth Circuit and the district court looked to the principle of ejusdem generis to interpret those policy exclusions and stated that exclusions need to be clearly explained and narrow and specific in application. That is fairly well embedded in insurance law,” notes Korde. Additionally, Pastor observes that “many jurisdictions subscribe to the proximate cause standard” in construing insurance policies.
Other Section leaders believe there is no precedent for this decision. “The court tried to find coverage where it didn’t exist,” says Richard J. Bortnick, Philadelphia, cochair of the Computer and Technology Subcommittee of the Section’s Insurance Coverage Litigation Committee. “If there was other coverage, perhaps the policyholder wouldn’t have even tried to push it onto this policy,” he notes.
Implications for Policyholders and Insurance Companies
The ruling in Retail Ventures is likely to lead to an increase in data breach claims, according to Pastor. “Policyholders will be less likely to accept a denial. This ruling gives policyholders a roadmap on how they can pursue a claim under this type of policy,” she explains.
The nature and extent of coverage under other types of policy and for other types of cyber events may differ, however. Korde points out that there is currently no standard approach for insuring or underwriting cyber liability risks. In addition to the coverage that may now be available under commercial crime policies under Retail Ventures, insurance companies also offer a myriad of cyber policies that specifically address the different types of components of loss associated with data breaches.
Because this is an evolving area, those seeking insurance for cyber liability would do well “to read their insurance policies before they buy them—not after a loss occurs—and to be sure that the types of risks and exposures that they have are covered in a way they intend,” advises Pastor.
Keywords: cyber liability, insurance coverage, insurance policy, data breach
- » Retail Ventures, Inc. v. Nat’l. Union Fire Ins. Co., Nos. 10-4576 and 4608 (6th Cir. Aug. 23, 2012).
Be the first to comment.