Cyber hacking, data breaches, and privacy concerns are an increasingly common risk facing companies today. These breaches, often grabbing national headlines, can lead to substantial financial exposure. While a growing market for stand-alone cyber insurance policies is available to minimize this risk, companies facing exposure resulting from a data breach may also have existing coverage under other policies.
In 2013, a number of high-profile data breaches made national headlines, serving as a reminder of the risk companies face in storing customer data. As the data breaches suffered by prominent retailers Neiman Marcus and Target and software giant Adobe demonstrated, even a sophisticated company may find itself the victim of such an attack. In the most recent annual study by the Ponemon Institute, data breaches were estimated to cost companies approximately $188 for each person whose information is compromised, with the average data breach costing the victim company $5.4 million. Of course, the cost can be considerably higher. The retailer T.J. Maxx reportedly paid hundreds of millions of dollars as a result of a breach, disclosed in 2007, which compromised credit and debit card information for approximately 46 million customers.
Cyber Insurance Options
A new form of insurance coverage, known as cyber insurance, has evolved to specifically address certain cyber risks, such as data breaches. Cyber policies are the insurance industry’s preferred solution to risks created by such attacks. However, even companies without cyber-specific policies may be able to find coverage for losses related to a data breach under existing policies. While most insurance companies have attempted to exclude cyber risks from general liability and first-party property policies, coverage for data breach costs may be available under policies such as general liability, errors and omissions, media E&O, and directors and officers policies.
Additionally, coverage may be available under a company’s crime policy. In a key data breach decision issued by the Sixth Circuit Court of Appeals in 2012, the court held that a computer fraud rider to a “Blanket Crime Policy” covered losses from a hacker’s theft of customer credit card and checking account data. The case, Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, 691 F.3d 821 (6th Cir. 2012), arose out of a 2005 hack of shoe retailer DSW’s computer system and the download of over 1.4 million customers’ credit card and checking information. The hacker subsequently used the credit card information to engage in fraudulent credit card transactions. Unsurprisingly, DSW incurred significant expenses as a result of the breach, paying over $5.3 million in related costs. These costs included: customer communications; public relations efforts; customer claims and lawsuits; attorneys’ fees in connection with state and federal investigations; and, most significantly, over $4 million in fines imposed by Visa and MasterCard.
In the face of these losses, DSW sought coverage from its insurer, National Union Fire Insurance Company of Pittsburgh, PA (National Union). National Union denied coverage, asserting that the losses were excluded under the computer fraud rider because they related to the theft of confidential customer information. The exclusion at issue provided that “Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” The Ohio District Court and the Sixth Circuit rejected National Union’s argument, granting and affirming DSW’s motion for summary judgment. The Sixth Circuit held that the exclusion applied only to claims arising out of the loss of confidential information belonging to the policyholder, not to confidential information belonging to DSW’s customers. The Sixth Circuit further noted that the term “other confidential information of any kind” did not exclude all information belonging to anyone that is expected to be protected from unauthorized disclosure. Such a broad interpretation “would swallow not only the other terms in [the] exclusion but also the coverage for computer fraud.”
In attempting to avoid coverage, National Union also asserted that the plaintiff’s losses did not qualify as losses “resulting directly from . . . the theft of any Insured property by Computer Fraud,” as required by the policy. It asserted that the data breach was not the sole cause of DSW’s losses and that the losses were an indirect result of vicarious liability to third parties. The trial court and the Sixth Circuit rejected this argument as well, holding that, under Ohio law, the appropriate standard to apply was a proximate cause standard, and that DSW’s losses were proximately caused by the data breach.
The Sixth Circuit’s opinion in Retail Ventures provides a useful tool for companies without cyber policies that find themselves facing exposure resulting from a data breach. At least in the Sixth Circuit, commonly used, broadly worded exclusions for proprietary and other confidential information will not exclude coverage for customer credit card and checking information. In addition, a less exacting proximate cause standard will be applied in determining whether an insured’s loss will be covered by crime policies.
For more information, read the Court’s full opinion in Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh.