In late 2007, an Ohio federal court ruled that an insurer defending itself in a lawsuit over its denial of coverage of a computer hacking claim against one of its insureds should not be forced to disclose any information regarding its own unrelated security breach or about how it handled similar computer hacking claims with other policyholders. Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, No. 06-443 (November 8, 2007).
According to the decision, the insured, a nationwide retailer, learned in March 2005 that its computer system had been hacked and that customer data had been stolen from 108 of its store locations. The incident led to a lawsuit against the company by the state of Ohio and to three class-action suits by consumers whose confidential information had been stolen. The retailer sought coverage under its computer fraud insurance policy, claiming that the policy covered the theft of any insured property through the unauthorized accessing of the insured’s computer system. The insurer denied the claim, citing an exclusion for the theft of confidential information. The retailer sued, seeking compensatory and punitive damages for breach of contract and breach of the implied covenant of good faith and fair dealing.
As part of discoveryin the coverage action between the insured retailer and the insurer, the retailer sought information regarding a security breach of the insurer’s own computer system in 2006. The retailer also demanded information regarding how the insurer handled claims similar to that of the retailer with its other policyholders. The insurer objected to these requests, stating that they were unrelated to the case at hand, that the production of the information would be overly burdensome, and that release of such information would violate the confidentiality of other policyholders. The retailer filed a motion to compel.
The Ohio federal court denied the motion, stating that the risk of exposing the privileged information of other policyholders was too high. The Court also agreed with the insurer that its own security breach was irrelevant to the issues of the retailer’s case. However, the judge did require that the insurer release information regarding the reserves it posted for the retailer’s claim and that it produce copies of the claim file it had created before the suit was filed.