The Sixth Circuit Court Appeals, in Retail Ventures, Inc. et al. v. National Union Fire Ins. Co., ruled last week that DSW was entitled to more than $6.8 million in losses and prejudgment interest under a commercial crime policy in connection with a computer hacking scheme. The loss occurred between February 1 and February 14, 2005 when hackers used the local wireless network at a DSW store to obtain access to DSW’s main computer system and download credit card and checking account information to more than $1.4 million customers in 108 stores. Upon learning of the breach, DSW commenced its own investigation and also notified its insurer of the claim. DSW sought coverage for expenses incurred relating to customer communications, public relations, customer claims and lawsuits and investigations by various state and federal regulatory authorities. Over $4 million in losses – the single largest share of the loss arising from the data breach – arose from the costs associated with charge backs, reissuance of credit cards, creditor monitoring and finds imposed by the credit card companies. The breach also resulted in an FTC investigation, resulting in a settlement and consent order for DSW, alleging tthat the breach was a result of the retailer’s failure to protect sensitive consumer data.
The insurer, National Union Fire Insurance Company of Pittsburgh, PA, denied DSW’s claim for coverage under the Blanket Crime Policy. The insurer argued, among other things, that the policy was a fidelity bond and, as such, only provided first party coverage. In other words, the insurer argued that the policy was never intended to provide liability coverage to DSW; rather, coverage was limited to employee dishonesty situations. Upholding the lower court, the Sixth Circuit held that the phase “fidelity bond” did not appear in the policy and, in any event, coverage does not turn on the label given to a policy but rather the language used in that policy. The Sixth Circuit also rejected the insurer’s argument that the insuring clause, which provided that the insurer would pay for loss “resulting directly from” any theft of the insured property by computer fraud, limited coverage to the insured’s own loss from the theft. Applying a proximate cause standard, the Sixth Circuit found that the DSW’s loss was the proximate cause – and “resulted directly from” – the computer breach. The Sixth Circuit also found that the information obtained did not constitute proprietary information and, as such, the policy’s exclusion for Proprietary Information, Trade Secrets and Confidential Processing Methods was not applicable to bar coverage.
This decision is yet another example of the complexity of evaluating coverage for data breach losses under traditional policies of insurance. Another court in another jurisdiction could have found for the insurer under these facts. The insurance market is constantly changing with new products becoming available to provide coverage where none existed before or where coverage can be questionable or uncertain. This decision thus underscores the importance for insureds and insures alike to retain skilled counsel to carefully examine proposed policy language. And, to avoid unpleasant surprises, insureds should also assess the nature of their data security exposures and then evaluate the likelihood of whether such exposures are covered by their traditional insurance program and, if not, whether such coverage might be available in the marketplace.