Insurer Ordered to Pay for Hacking Losses

A federal appeals court ruled that a crime policy exclusion of "confidential information" did not apply to the theft of customer data by a hacker.

In one of the few cyber-liability cases to reach the federal appeals court level, a three-judge panel ruled an insurer must pay for losses following the theft of customer data by hackers.

National Union Fire Insurance Co., a subsidiary of AIG Inc., was ordered to pay $6.8 million plus interest to Retail Ventures Inc., DSW Inc. and DSW Shoe Warehouse Inc., according to an opinion filed by the 6th U.S. Circuit Court of Appeals on Aug. 23. (Retail Ventures and DSW merged in May 2011.)

Avoid a Legal Black Hole (04/12/13)
Technological Obsolescence (05/01/13)
Part 3: Big Data Masters (04/12/13)
Defending Your Networks (04/12/13)
Excess and Surplus At the Ready (04/12/13)

"I think the decision is quite significant because, as far as I know, it is the first reported case out there that ever dealt with insurance coverage for a computer hacking loss," said Joshua Gold, a shareholder at Anderson Kill & Olick P.C. in New York, in the Insurance Recovery Group.

Gold, who represented Retail Ventures, said the key issue that needed to be resolved was whether the theft of credit card and checking account information from about 1.4 million customers was a covered loss because it was stolen by a third-party computer hacker.

Insurers, he said, generally argue that such losses are not covered by commercial crime policies because they constitute an "indirect loss."

He argued, instead, that the loss should be covered under a "proximate cause" standard, or as the opinion stated, "there is a sufficient link between the computer hacker's infiltration of Plaintiffs' computer system and Plaintiffs' financial loss to require coverage ... ."

The district court in Ohio agreed with that interpretation but two independent legal observers did not.

Stacey McGraw, a partner at Troutman Sanders LLP in Washington, D.C., said she saw the decision as "an outlier or a one-off," and noted that Retail Ventures' policy had an exclusion for the loss of confidential information.

"To me, there was an exclusion that pretty clearly did apply, but the court did not find that it applied," she said.

The district court opinion stated the policy excluded coverage for the loss of "proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind."

Its ruling, which was upheld by the federal court, rejected the broad interpretation of "confidential information" because "the general term must take its meaning from the specific terms with which it appears." Since the data was not a trade secret, proprietary -- since it was "owned or held by many" financial institutions and others -- or a confidential processing method, the court ruled the exclusion did not apply.

McGraw said the Retail Ventures case resulted in a "fact-specific decision" that would probably have "limited application" to other cyber-liability insurance disputes.

John Mullen, a partner at Nelson Levine de Luca & Hamilton in Blue Bell, Pa., also thought the decision was an outlier.

"How can the 6th Circuit say it's not confidential [data] as to that entity just because other entities have that information?" he asked. "It's tortured reasoning to get to that and it doesn't recognize the real world."

Mullen said insurers would probably respond to the ruling by making policy wording "even more crystal clear than it already is."

--By Anne Freedman

December 17, 2012

Newsletter Sign-up