November 26, 2012 Top Story

Boundaries of Computer Fraud Insurance Coverage

Commercial coverage policy extends to cyber claim

Renee Choy Ohlendorf

The U.S. Court of Appeals for the Sixth Circuit recently held that an insurer’s non-cyber but general commercial crime policy covered third-party losses resulting from a large-scale computer hacking attack. The decision suggests that as data breaches increase, insureds will have a basis to obtain coverage under their non-cyber policies.

The Retail Ventures Decision

In Retail Ventures, Inc. v. National Union Fire Insurance Company [PDF], computer hackers accessed the computer system of shoe retailer DSW to obtain the credit card and checking account information of more than 1.4 million DSW customers. The retailer incurred $6.8 million of expenses for public relations, defending customer claims and lawsuits, and responding to government investigations.

DSW sought to recover the losses from its insurer under a computer fraud rider to its commercial crime policy. The language provided that loss “resulting directly from . . . [t]he theft of any Insured property by Computer Fraud” was covered. The insurer initially received conflicting opinions from its two outside coverage counsel as to whether DSW’s losses were insured but ultimately denied the claim. DSW subsequently filed suit for coverage under the policy and contended that the insurer’s denial constituted bad faith.

In an issue of first impression under Ohio law, the dispute between the parties centered on what standard the court should apply when interpreting the policy. The court considered whether the policy language “resulting directly from” imposed a traditional proximate causation standard or a heightened standard of causation under the “direct-means-direct” approach.

“Direct-means-direct” requires that the event be the “sole” and “immediate” cause of the loss to trigger coverage. This standard imposes a higher bar that precludes the insured’s claims for vicarious liability to third parties and has been applied in the fidelity bond context. Likening the commercial crime policy to a fidelity bond, the insurer urged the court to adopt the “direct-means-direct” approach.

The appellate court rejected the insurer’s arguments and affirmed the judgment in favor of DSW. In support, the Sixth Circuit cited state court decisions where a proximate cause standard was applied to other types of first-party coverage and predicted that the Ohio Supreme Court would do the same in the context of a commercial crime policy.

The Sixth Circuit also held the policy exclusion for loss of proprietary information to be inapplicable by applying the doctrine of ejusdem generis, whereby the general terms take their meaning from specific terms in the document. The court reasoned that the specific terms in the policy pertained to DSW’s information on its business operations rather than the customer information. It declined to find that the denial of coverage was in bad faith, however, stating that the insurer’s interpretation of the exclusion provisions was reasonable.

Did the Court Expand Coverage under the Policy?

Leaders of the ABA Section of Litigation disagree over the proper scope of coverage for third-party losses under this policy. “On more traditional policies where the loss isn’t excluded, the boundaries of coverage are being tested,” observes Sherilyn Pastor, Newark, NJ, cochair of the Section of Litigation’s Insurance Coverage Litigation Committee.

Some believe the court applied the correct reasoning and reached the correct result. The decision “is consistent with the broader set of principles that are deployed in interpreting an insurance policy,” opines Rukesh A. Korde, Washington, D.C., cochair of the Computer and Technology Subcommittee of the Insurance Coverage Litigation Committee. “Both the Sixth Circuit and the district court looked to the principle of ejusdem generis to interpret those policy exclusions and stated that exclusions need to be clearly explained and narrow and specific in application. That is fairly well embedded in insurance law,” notes Korde. Additionally, Pastor observes that “many jurisdictions subscribe to the proximate cause standard” in construing insurance policies.

Other Section leaders believe there is no precedent for this decision. “The court tried to find coverage where it didn’t exist,” says Richard J. Bortnick, Philadelphia, cochair of the Computer and Technology Subcommittee of the Section’s Insurance Coverage Litigation Committee. “If there was other coverage, perhaps the policyholder wouldn’t have even tried to push it onto this policy,” he notes.

Implications for Policyholders and Insurance Companies

The ruling in Retail Ventures is likely to lead to an increase in data breach claims, according to Pastor. “Policyholders will be less likely to accept a denial. This ruling gives policyholders a roadmap on how they can pursue a claim under this type of policy,” she explains.

The nature and extent of coverage under other types of policy and for other types of cyber events may differ, however. Korde points out that there is currently no standard approach for insuring or underwriting cyber liability risks. In addition to the coverage that may now be available under commercial crime policies under Retail Ventures, insurance companies also offer a myriad of cyber policies that specifically address the different types of components of loss associated with data breaches.

Because this is an evolving area, those seeking insurance for cyber liability would do well “to read their insurance policies before they buy them—not after a loss occurs—and to be sure that the types of risks and exposures that they have are covered in a way they intend,” advises Pastor.

Renee Choy Ohlendorf is an associate editor for Litigation News.

Keywords: cyber liability, insurance coverage, insurance policy, data breach

Related Resources

  • Retail Ventures, Inc. v. Nat’l. Union Fire Ins. Co., Nos. 10-4576 and 4608 (6th Cir. Aug. 23, 2012).

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).