Two risks important to retailers carried the day in 2016: cyber security and product contamination. The decisions underscore the need for retailers to maintain adequate insurance for these risks. Indeed, retailers are an increasingly popular target for cyberattacks, and the subject of increasingly stringent enforcement of state and federal regulations. Last year's decisions are critical reminders that having the right insurance is key, and even unintentional missteps can jeopardize coverage.
The Right Cyber Insurance is Critical
As the following cases show, simply having cyber insurance is not enough. The right policies are needed to protect against business- and industry-specific risks.
- Gaps in Insurance Programs Can Jeopardize Coverage for Cyber Breaches: Camp's Grocery, Inc. v. State Farm Fire & Cas. Co., No. 4:16-CV-0204-JEO, 2016 WL 6217161, at *1 (N.D. Ala. Oct. 25, 2016).
In Camp's, three credit unions sued a Piggly Wiggly franchisee after suffering losses on cardholders' accounts when hackers stole card information from the grocer's network. Camp's business insurance included property and liability coverages and an inland marine computer property form that covered, among other things, "accidental direct loss" to "electronic data," including some types of customer data. A court ruled that the grocer could not rely on the "electronic data" coverage extension because it applied only to first-, not third-, party claims. The court also held that the underlying suit alleged only compromised "intangible electronic data" -- which fell squarely within the property policy's "electronic data" exclusion.
Lessons: Ensure that cyber security programs include adequate first- and third-party coverages.
- Cyber Coverage May Not be as Comprehensive as Assumed: P.F. Chang's China Bistro, Inc. v. Federal Insurance Company, No. 2:15-cv-1322 (SMM), 2016 WL 3055111 (D. Ariz. May 31, 2016) (on appeal; pending dismissal following successful mediation on Nov. 22, 2016).
A federal court rejected P.F. Chang's attempt to recover $2 million it paid following a 2013 breach where hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to Chang's customers. Chang's was insured under a "CyberSecurity by Chubb Policy." After the 2014 breach, Federal agreed to reimburse Chang's nearly $1.7 million for valid claims brought by injured customers and issuers. However, Federal refused to reimburse an additional $2 million in fees and assessments that were passed down to Chang's by credit card service providers. The court agreed that Federal had no liability for the fees, holding, in part, that a common contract exclusion applied and that Chang's had no reasonable expectation of coverage.
Lessons: Know what you are buying, and compare your expectations and risks to the actual policy language. Carve back contract exclusions. Engage knowledgeable brokers and coverage counsel to help with that task.
- Even When Coverage is Questionable, Submit Your Claims for Cyber Losses: Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170 (D. Utah Jan. 12, 2016).
A Utah federal court refused to dismiss a bad faith claim brought by Federal Recovery Services (FRS) against Travelers, despite finding no duty to defend FRS under Travelers' "CyberFirst Policy." FRS sought defense and indemnity for a fitness center's lawsuit against it. The gym alleged that FRS intentionally misused the private financial information of gym customers, which interfered with FRS's business dealings. The court found no coverage because the misconduct was alleged to be willful and malicious -- not negligent, as necessary for coverage. However, the court refused to dismiss the question of whether Travelers had acted in bad faith by imposing inappropriate conditions precedent to claim initiation and failing to diligently investigate, fairly evaluate and promptly communicate with FRS.
Lessons: Even when coverage is questionable, businesses should submit cyber insurance claims, especially since significant harm can occur in short order following the data breach.
Product Recall Cases Differ on Courts' Coverage Determinations
Mistakes happen, with potentially disastrous consequences to health. That's where accidental contamination and product recall insurance come into play. But buyer beware -- 2016 warned that even unintentional omissions at the application stage can risk coverage.
- Coverage for Potential Product Contamination: Foster Poultry Farms, Inc. v. Certain Underwriters at Lloyd's, London, No. 1:14-953, 2015 WL 5920289 (E.D. Cal. Oct. 9, 2015), amended, 2016 WL 235211 (E.D. Cal. Jan. 20, 2016).
A California federal court held that losses associated with alleged noncompliance with federal sanitation regulations were covered by food contamination insurance as an "error in ... production." The case arose from a USDA order to suspend operations due to prevalence of salmonella in Foster's largest chicken-processing plant. Foster's insurer denied coverage under its "accidental contamination" and "government recall" forms. In subsequent litigation, the court granted Foster's motion for summary judgment, finding that Foster's sanitation failures were "errors" covered by the policy. The court held that there need not be absolute certainty of bodily injury; rather, the government standard -- where possible contamination was sufficient to warn against public consumption -- triggered coverage.
Lessons: Insurers may argue that the scope of contamination or recall coverage is narrower than what businesses expect. To minimize that risk, due diligence at the policy-selection stage is required along with emphasizing the common-sense policy interpretation at the litigation stage.
- Even Inadvertent Omissions at Application Stage Risks Rescission: H.J. Heinz Company v. Starr Surplus Lines Insurance Company, No. 15-cv-0631 (W.D. Pa. Feb. 1, 2016) (appeal argued before 3d Cir. on Dec. 6, 2016).
Despite a jury verdict in the insured's favor, a Pennsylvania federal court rescinded an accidental contamination and government recall insurance policy issued to the H.J. Heinz Company. The case arose after Heinz sought $25 million in coverage for business interruption losses it experienced after Chinese authorities discovered lead in its baby cereal. The court granted rescission on the grounds that Heinz made material misrepresentations and omissions regarding its claim history, which Heinz claimed were inadvertent errors by its new Global Insurance Director. Although a jury agreed that Heinz's errors were unintentional, the court found that even unintentional material misrepresentations were sufficient to void the contract.
Lessons: Engage critical personnel to identify potential necessary disclosures and report what you know and do not know.