An insurance company’s efforts to deny payment of a claim by DSW Shoe Warehouse under its computer fraud rider to a “Blanket Crime Policy” were thwarted by a recent decision by the U.S. Sixth Circuit Court of Appeals. In Retail Ventures, Inc., DSW, Inc., and DSW Shoe Warehouse, Inc. v. National Union Fire Insurance Company of Pittsburgh, the Court affirmed the district court’s decision that the plaintiffs suffered a loss resulting directly from the theft of any insured property by computer fraud, and it rejected the defendant’s assertion that the loss was excluded under an exclusion for confidential information. The opinion provides a cautionary lesson for companies to review their blanket crime policies and fidelity bonds to determine whether they provide the coverage for losses they anticipate in the event of a data security breach.
The case arises out of the well-known data security breach incident that occurred at a Boston-area DSW store in February, 2005. The hackers used the local wireless network to access the main computer system of the DSW store to steal the credit card and bank account information of its customers that DSW stored on its system long after the transaction had been processed. The data breach incident affected in excess of 1.4 million customers at 108 DSW stores.
DSW carried a Blanket Crime Insurance Policy with the defendant that included a Computer Fraud Rider. DSW notified the defendant by letter within several weeks after the incident, and continued to submit partial proofs of loss and supporting documentation as it conducted an investigation and responded to investigations by the Federal Trade Commission and seven state attorneys general. In the course of these investigations, it incurred expenses for customer communications and notifications, customer claims and lawsuits, and attorney fees. The parties stipulated to the amount of the losses which totaled $4 million, as well as $2.8 million in prejudgment interest.
The basis for the dispute specifically concerned the language in the “Computer and Funds Transfer Fraud Coverage” endorsement to the policy, in which the defendant agreed to pay the insured for “loss which the Insured shall sustain resulting directly from …. [t]he theft of any Insured property by Computer Fraud” (emphasis added). Further, the defendant argued that an exclusion to coverage placed limits on coverage for losses of “proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind”.
The defendant asserted that the losses at issue did not “result directly from” the theft of the data obtained by the hacking. However, the court agreed with the District Court that the Ohio Supreme Court would apply a proximate cause standard in interpreting “resulting directly from”, and upheld its determination that the phrase is not limited to coverage for loss resulting “solely” or “immediately” from the theft itself. In addition, the court found that the exclusion for confidential information did not apply to the loss sustained by DSW. Specifically, it found that the customer payment information that was stolen was not information to which plaintiffs own or hold single or sole right. The stolen customer information was not “proprietary information” since it was owned by the customers, by the financial institution and by DSW, to whom the information was provided to pay for the purchase of merchandise. Thus, the stored customer data which was stolen did not come within the ordinary meaning of “proprietary information.”
Nor did the customer information fall within the catch-all phrase, “confidential information of any kind.” The defendant argued that this phrase was meant to cover any information belonging to anyone that is expected to be protected from unauthorized disclosure. According to the Court, such an interpretation would not only exclude coverage for the other terms in the exclusion, but would serve to nullify coverage for computer fraud entirely. The catch-all phrase was intended to refer to plaintiffs’ secret information concerning their business operations. The customer information that was the subject of the theft did not concern DSW’s business operations, and thus was not subject to the exclusion.
Data breach insurance has been criticized by some privacy experts as not worth the cost due to all the potential loopholes and variables. Coverage for data security breaches is a relative newcomer to the insurance field, and the potential for damages is great, so insurers are treading carefully and conservatively with their coverage and conditions. Some policies cover only the cost of re-creating the data, and not the legal fees and other expenses incurred by the data owner. As this case demonstrates, companies should check their policies closely to find out what they have to do to “prove” their loss, and whether the policies in fact provide the coverage that the organization expects and needs.