The computer network of a Five Guys Burger franchise, RVST Holdings, LLC (RVST), was hacked. Customers’ credit card information was stolen and used to make numerous fraudulent charges. Trustco Bank brought an action against RVST, alleging it was negligent in securing Trustco cardholders’ information, causing Trustco to sustain damages related to reimbursing its cardholders for the fraudulent charges.
RVST sought coverage for the Trustco claim from its insurer, Main Street America Assurance Company (Main Street) under a business owner’s insurance policy. Main Street declined coverage.
RVST then brought an action against Main Street in a New York state trial court. Main Street moved for summary judgment, citing, among other things, the policy’s exclusion for "damages arising out of the loss of … electronic data." The state court judge denied the motion, and Main Street appealed.
In RVST Holdings, LLC v. Main Street America Assurance Co., New York’s appellate division reversed, with orders to enter summary judgment in Main Street’s favor. Notably, the appellate division’s opinion makes evident that the claim was submitted for coverage under the policy’s liability coverage for "sums that [the insured] becomes legally obligated to pay as damages because of … ‘property damage’."
The court held there was no liability coverage for "property damage" (and thus no duty to defend) for two reasons: (1) the definition of "property damage" included the following explicit caveat: "for the purposes of this insurance, electronic data is not tangible property"; and (2) the policy’s "electronic data" exclusion unambiguously applied to the subject data breach, which the court held plainly constituted "damages arising out of the loss of … electronic data." The court also rejected the insured’s contention that because the first-party property coverage did not contain the same exclusion, coverage should somehow obtain. The court was dismissive, noting the first-party property coverage was inapplicable to a third-party claim.
This case may mark the beginning of the end of coverage battles for cyber-risks under traditional, non-cyber policies, which now typically include exclusionary language similar to that relied on by the New York Appellate Division. Thus, questions of whether a data breach might constitute a privacy invasion that constitutes a "personal or advertising injury" or if non-functioning hardware or software might constitute "property damage," will now largely become academic (perhaps until some theory of long-tail delayed trigger brings older pre-exclusion occurrence policies back into play). The decision also counsels policyholders to ensure they carefully review their coverage and fill any possible gaps for ever-evolving cyber risk.