The United States Court of Appeals for the Sixth Circuit recently held that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement. See Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012).
In February 2005, a computer hacker gained access to the main computer system of shoe retailer DSW Shoe Warehouse, compromising the credit card and checking account information of more than 1.4 million DSW customers. Following the data breach, DSW incurred expenses of more than $5 million in connection with customer communications, public relations, customer claims, lawsuits, governmental investigations, and associated attorneys’ fees. Losses associated with “charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard” accounted for more than $4 million of those expenses.
Retail Ventures, Inc., DSW Inc., and DSW Shoe Warehouse Inc. (collectively, the “plaintiffs”) sought coverage for the losses under a commercial crime policy issued by National Union Fire Insurance Company. After National Union refused to provide coverage, the plaintiffs filed claims in Ohio federal court, seeking a declaratory judgment and alleging breach of contract and breach of the duty of good faith and fair dealing.
The parties cross moved for summary judgment concerning coverage and bad faith. Applying Ohio law, the district court awarded summary judgment in favor of the plaintiffs on the coverage claim, but granted summary judgment to National Union on the bad faith claim. The parties then stipulated to a summary of the plaintiffs’ covered losses and cross-appealed to the Sixth Circuit.
The Sixth Circuit’s Decision
The Coverage Provision
The Sixth Circuit first reviewed the district court’s finding that the policy provided coverage for the losses. The coverage provisions at issue were contained in an endorsement titled “Computer & Funds Transfer Fraud Coverage.” That endorsement provided coverage for “Loss which the Insured shall sustain resulting directly from the theft of any Insured property by Computer Fraud.”
On appeal, National Union argued that the loss the plaintiffs suffered did not result directly from the theft of insured property by computer fraud. Specifically, National Union argued that the “resulting directly” language required the theft by computer fraud to be the sole or immediate cause of the loss and that the district court erred in applying a broader proximate cause standard.
The Sixth Circuit rejected National Union’s argument. The court found that the language was ambiguous and, further, that Ohio courts had not yet decided what standard to apply to the “resulting directly from” requirement in the context of a commercial crime policy. The court found, however, that other Ohio state court decisions supported the district court’s determination that an Ohio court would apply a proximate cause standard to determine whether the plaintiffs’ loss “resulted directly from” the theft by computer fraud. Thus, in the absence of any contrary Ohio court authority and consistent with Ohio’s general principles of insurance contract interpretation requiring ambiguous provisions to be construed in favor of coverage, the Sixth Circuit upheld the district court’s application of a proximate cause standard.
The Exclusionary Provision
The Sixth Circuit then affirmed the district court’s conclusion that coverage was not barred by a policy exclusion precluding coverage for “any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” National Union argued that the loss was of either “proprietary information” or “other confidential information of any kind.”
The Sixth Circuit first rejected National Union’s argument that the loss was of “proprietary information,” finding that “loss of proprietary information would mean the loss of information ‘to which [the] Plaintiffs own or hold single or sole right.’” Because the stolen customer information was “owned or held by many, including the customer, the financial institution, and the merchants to whom the information is provided in the ordinary stream of commerce,” the court upheld the finding below that customers’ banking information did not fit the plain and ordinary meaning of “proprietary information.”
Next, the Sixth Circuit rejected National Union’s contention that the loss was of “other confidential information of any kind.” The court utilized the canon of contract construction ejusdem generis, which requires that a general term take its meaning from the specific terms it is grouped with. Thus, because the phrase “other confidential information of any kind” was grouped with the phrases “proprietary information,” “Trade Secrets,” and “Confidential Processing Methods,” the court explained it was constrained to construe the meaning of the general, catchall provision with the specific phrases.
The district court reasonably concluded that the phrases “proprietary information,” “Trade Secrets,” and “Confidential Processing Methods” were “specific terms that all pertain to secret information of plaintiffs involving the manner in which the business is operated.” The Sixth Circuit concluded, therefore, that the phrase “other confidential information of any kind” was limited to “other secret information of [the] Plaintiffs which involves the manner in which the business is operated.” Consequently, because the customer information was not the plaintiffs’ confidential information and did not involve the manner in which the plaintiffs’ business was operated, the loss was not of “other confidential information of any kind.”
The Bad Faith Claim
Finally, the Sixth Circuit affirmed the district court’s finding that National Union did not act in bad faith. Finding no support under Ohio law for the argument, the court rejected the plaintiffs’ assertion that an insurer could deny coverage in good faith only if it determined its interpretation was the only reasonable interpretation. The court also found that National Union’s request for a second coverage opinion did not make its “investigation so one-sided as to constitute bad faith.”
The Sixth Circuit’s decision underscores the need for policyholders to consider all available coverages when dealing with data loss, since there is now considerable evidence that standard lines of coverage may very well cover these types of losses. The decision also highlights the continued evolution of the nature and scope of data loss issues and how the outcome of causation-related issues bears on the availability of insurance coverage.