If your organization suffers a loss as a result of someone hacking into your network, will your insurance policy's computer fraud rider cover the loss? The answer, of course, depends on the language of your policy and the specific facts involved. However, a recent decision of the federal Sixth Circuit Court of Appeals may provide some insight.
Retail Ventures v National Union Fire Life Insurance Co. of Pittsburgh, PA involves the early 2005 hacking of personal information, including credit card numbers, of over 1.4 million Designer Shoe Warehouse (DSW) consumers. As a result, DSW incurred expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees relating to government investigations. DSW submitted a claim of loss which was denied by the insurance company. DSW brought a declaratory action and the trial court found in favor of DSW in the amount of $6.8 million as covered as the “theft of any Insured Property by Computer Fraud” clause in the policy.
On appeal to the Sixth Circuit, the insurance company argued, among other things, that the losses from breached customer information was excluded under the following clause: “Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” The court rejected this argument, finding that any ambiguity in the language must be construed in favor of the insured. The Sixth Circuit agreed with the trial court that the “plain and ordinary meaning” of the exclusion was the loss of information “to which Plaintiffs own or hold a single or sole right” which would not apply to the hacked customer information. The court affirmed the $6.8 million award.
In the event of a loss involving a breach of your organization's network, review your insurance policy carefully.