Data Breaches and Insurance Coverage

In Wisconsin, a federal district court considered whether electronic funds in an online bank account were covered “tangible property” under a policy that provided commercial excess liability coverage and “Bis-Pak” coverage. See, Carlon Co. v. Delaget LLC , 2012 WL 1854146 (W.D. Wis. 2012). The policyholder in that case was a restaurant group, which had hired Delaget, LLC to manage its finances. Carlon's accounts allegedly appeared to have been exposed to a virus on Delaget's computer, leading to the theft of $696,656 from Carlon's account with Morgan Stanley. Id. at 2. The court held that the liability coverage form of the policy at issue did not apply, because there was no required loss of use of tangible property. According to the court, the electronic funds at issue were not tangible “by the ordinary meaning of that word, and no precedent or sufficient justification has been provided for treating them as such.” Id. at 5-6. The court similarly held that the property coverage form of the policy did not apply, because Delaget had not lost the use of its own property. Id. at 6.

By contrast, the Sixth Circuit held that a blanket crime policy did provide coverage for a data breach in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (applying Ohio law). In that case, an individual hacked the wireless network of DSW retail stores and stole the credit and debit card information of more than 1.4 million customers. Id. at 824. The plaintiffs' blanket crime policy provided coverage for losses, which directly resulted “from the theft of any Insured property by Computer Fraud.” National Union did not dispute that there was a theft that involved “Computer Fraud” as defined in the policy, but it did dispute that the losses at issue directly resulted from that computer fraud. Both the Ohio District Court and the Sixth Circuit rejected National Union's argument; applied a “proximate cause” standard; and held that the policyholder's losses directly resulted from the breach. Id. at 825-26.

The court in Metro Brokers Inc. v. Transportation Ins. Co., No. 1:12-CV-3010 (N.D. Ga. filed Aug. 29, 2012), held that an all-risk insurance policy excluded losses from a hacker's unauthorized access to the policyholder's account and subsequent theft of funds from escrow accounts. Specifically, the court determined that the breach fell within the policy's exclusion for damage resulting from “malicious code and system penetration.” The court also held that stealing electronic funds was not the “forgery of a negotiable instrument” under the policy's forgery endorsement, because the funds had no “intrinsic value” (as required by the policy), and because the transfers were triggered electronically instead of by a signed writing.

A federal district court in Kentucky likewise held that CGL coverage did not apply to losses resulting from the improper access of a customer database. See, Liberty Corporate Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891 (E.D. Ky. 2013). The policyholder in that case, Security Safe Outlet (SSO), allegedly stole confidential customer information from Bud's Gun Shop (BGS), and used that information to advertise SSO's competing business by e-mail. Id. at 896. SSO sought defense and indemnity from Liberty Corporate for the claims alleged against it arising out of these facts. Id. at 894.

In rejecting SSO's claim for coverage, the court held that the customer information was not covered “tangible property” because the policy excluded “electronic data” from the definition of property, and because customer information in an electronic database was not “tangible,” since it had no “physical form or characteristics.” Id. at 899. The court then held that there would be coverage under the policy's “personal and advertising injury” provision, because the e-mails that SSO sent to BGS's customers constituted advertising, but that a breach of contract exclusion nevertheless barred coverage under the policy as a whole. Id. at 902.

Finally, a Connecticut state appellate court recently affirmed that a CGL policy did not provide coverage for liabilities resulting from lost computer tapes in Recall Total Info. Mgmt. Inc. v. Federal Ins. Co., 2014 WL 43529 (Conn. App. Ct. 2014). In that case, Recall had contracted to transport electronic tapes for IBM. When IBM's tapes (literally) fell off the back of a truck during transport, employment-related data for 500,000 individuals was lost. Id. at 1.

Recall asserted that coverage under the “personal injury” coverage part of the CGL policy at issue, which provided coverage for damage resulting from “injury ' caused by an offense of ' electronic, oral, written or other publication of material ' that violates a person's right to privacy,” applied. Id. at 5. In rejecting that contention, the trial court held, and the appellate court affirmed, that the tapes were not “published” because there was no evidence the information on them was actually accessed by a third party. Id. at 6. Additionally, merely triggering notification statutes was not a “presumptive invasion[] of privacy” giving rise to coverage under the policy. Id. at 7.

Settlements

Some cases involving coverage for data breaches have recently settled (in whole or in part), but are nonetheless worth noting for the insights that they provide into the basis for the parties' disputes. For example, in 2011, Scottrade Inc. settled a dispute with its insurer, The St. Paul Mercury Insurance Company, over coverage for losses resulting from the unauthorized access of around 1,400 brokerage accounts registered with the company. Scottrade, Inc., v. The St. Paul Mercury Ins. Co., No. 4:09-CV-1855 (E.D. Mo. filed Nov. 12, 2009). Scottrade sought recovery under a bond issued by St. Paul Mercury, which contained a rider for computer systems fraud that covered the entry or change of “Electronic Data or Computer System” into or within “any Computer System operated by the Insured, provided that the entry or change causes property to be transferred ' an account ' to be added, deleted, debited or credited, or an unauthorized account or a fictitious account to debited or credited.”

Sony Corporation settled a data breach coverage dispute with one of its insurers, Great American, but Sony's coverage dispute with another insurer, Zurich, went forward in New York state court. See, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. filed July 20, 2011). This coverage dispute stemmed from the breach in 2011 of Sony's PlayStation Network, and the theft of more than 100 million individuals' personal information.

Zurich initiated a declaratory judgment action against Sony and three additional insurers, seeking a declaration that the CGL policies that Zurich had issued to Sony did not provide coverage for this breach because there was no damage to tangible property, and because there had been no “personal or advertising injury.” Zurich also initiated an additional action against Sony's excess insurer, Great American, but in late 2013, Sony and Great American stipulated that the latter has no payment obligations to Sony as a result of the breach, and that Great American will not allege that Sony failed to comply with notice requirements or any law, statute or regulation if any claims from Sony insureds are retendered to Great American.

Michaels Stores recently settled a coverage dispute with Arch Insurance Company over coverage for a breach stemming from a “skimming attack,” in which hackers used a program to compromise the stores' PIN pad terminals, which collected customers' debit and credit card information when the cards were swiped for payment. See, Arch Ins. Co. v. Michaels Stores, Inc., No. 1:12-cv-00786 (N.D. Ill. filed Feb. 3, 2012). Arch had asserted that there was no coverage because there was no property damage or personal and advertising injury. XL Insurance America had also filed a declaratory judgment action against Michaels stemming from the breach, but XL dismissed its suit once Michaels settled with Arch.

And, in October 2013, Schnuck Markets dismissed a lawsuit against its insurer Liberty Mutual, which had sought coverage for losses stemming from a malware attack that compromised 2.4 million credit and debit cards. See, Liberty Mutual Ins. Co. v. Schnuck Markets Inc., No. 4:13-CV-01574 (E.D. Mo. filed Aug. 14, 2013). Schnuck's excess insurer Liberty Mutual had contended that its policy did cover the breach because there was no property damage and no personal and advertising injury, and because other policy exclusions applied. Schnuck's insurer, Beazley Insurance Company, continued to contend against coverage for this loss. See, Beazley Ins. Co. Inc. v. Schnuck Markets Inc., No. 1:13-CV-08083 (S.D. N.Y. filed Nov. 13, 2013).

Pending Cases

Finally, these pending disputes bear watching:

1. State Nat'l Ins. Co. v. Global Payments Inc., No. 1:13-CV-01205 (N.D. Ga. filed Apr. 2013). This dispute stems from the hacking of a credit and debit card processor's computer systems. State National, which issued an excess liability policy to Global Payments, contends that its policy does not apply to the breach because the policy's “privacy” and “technology services” coverage parts do not apply, and because exclusions bar coverage.

2. First Commonwealth Bank v. St. Paul Mercury Insurance Co., No. 2:14-CV-0009 (W.D. Pa. filed Jan. 3, 2014): On Jan. 3, 2014, First Commonwealth Bank sued St. Paul Mercury Insurance in a federal Pennsylvania court, seeking coverage under a professional liability policy for losses stemming from a bank account hacking scheme. As a result of this hacking scheme, the bank replaced $3.5 million into three corporate accounts. St. Paul alleges that it was improper for the bank to replace that money without first seeking permission from the insurer, as required under the Policy.

Conclusion

Looking ahead, we expect that coverage disputes resulting from data breaches are far from over. As businesses continue to integrate technology into the heart of the companies, the information protected becomes increasingly valuable and a larger target for sophisticated criminals. The coverage issues that follow are likewise ever more valuable, and the cases compiled in this article may reflect “just the beginning” of litigation regarding this type of loss.

Ellen Farrell is a Counsel in Crowell & Moring LLPs Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.

Editor's Note: With the modern technology that allows businesses to do more things on computers and on other electronic devices, efficiencies can be achieved, but unintended negative consequences can also result. When a breach of the data on these devices occurs and confidential information is accessed by unauthorized persons, the financial consequences to the business entity may be substantial. But when that business seeks defense and indemnification from its insurer, the insurer just might push back.

Last month's article began a discussion of cases that have grappled with the question of whether businesses' insurance policies cover losses brought about by security breaches. Following are more cases that have dealt with the issue.

Tangible Property And CGLs

In Wisconsin, a federal district court considered whether electronic funds in an online bank account were covered “tangible property” under a policy that provided commercial excess liability coverage and “Bis-Pak” coverage. See, Carlon Co. v. Delaget LLC , 2012 WL 1854146 (W.D. Wis. 2012). The policyholder in that case was a restaurant group, which had hired Delaget, LLC to manage its finances. Carlon's accounts allegedly appeared to have been exposed to a virus on Delaget's computer, leading to the theft of $696,656 from Carlon's account with Morgan Stanley. Id. at 2. The court held that the liability coverage form of the policy at issue did not apply, because there was no required loss of use of tangible property. According to the court, the electronic funds at issue were not tangible “by the ordinary meaning of that word, and no precedent or sufficient justification has been provided for treating them as such.” Id. at 5-6. The court similarly held that the property coverage form of the policy did not apply, because Delaget had not lost the use of its own property. Id. at 6.

By contrast, the Sixth Circuit held that a blanket crime policy did provide coverage for a data breach in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa. , 691 F.3d 821 (6th Cir. 2012) (applying Ohio law). In that case, an individual hacked the wireless network of DSW retail stores and stole the credit and debit card information of more than 1.4 million customers. Id. at 824. The plaintiffs' blanket crime policy provided coverage for losses, which directly resulted “from the theft of any Insured property by Computer Fraud.” National Union did not dispute that there was a theft that involved “Computer Fraud” as defined in the policy, but it did dispute that the losses at issue directly resulted from that computer fraud. Both the Ohio District Court and the Sixth Circuit rejected National Union's argument; applied a “proximate cause” standard; and held that the policyholder's losses directly resulted from the breach. Id. at 825-26.

The court in Metro Brokers Inc. v. Transportation Ins. Co., No. 1:12-CV-3010 (N.D. Ga. filed Aug. 29, 2012), held that an all-risk insurance policy excluded losses from a hacker's unauthorized access to the policyholder's account and subsequent theft of funds from escrow accounts. Specifically, the court determined that the breach fell within the policy's exclusion for damage resulting from “malicious code and system penetration.” The court also held that stealing electronic funds was not the “forgery of a negotiable instrument” under the policy's forgery endorsement, because the funds had no “intrinsic value” (as required by the policy), and because the transfers were triggered electronically instead of by a signed writing.

A federal district court in Kentucky likewise held that CGL coverage did not apply to losses resulting from the improper access of a customer database. See , Liberty Corporate Capital Ltd. v. Sec. Safe Outlet, Inc. , 937 F. Supp. 2d 891 (E.D. Ky. 2013). The policyholder in that case, Security Safe Outlet (SSO), allegedly stole confidential customer information from Bud's Gun Shop (BGS), and used that information to advertise SSO's competing business by e-mail. Id. at 896. SSO sought defense and indemnity from Liberty Corporate for the claims alleged against it arising out of these facts. Id. at 894.

In rejecting SSO's claim for coverage, the court held that the customer information was not covered “tangible property” because the policy excluded “electronic data” from the definition of property, and because customer information in an electronic database was not “tangible,” since it had no “physical form or characteristics.” Id. at 899. The court then held that there would be coverage under the policy's “personal and advertising injury” provision, because the e-mails that SSO sent to BGS's customers constituted advertising, but that a breach of contract exclusion nevertheless barred coverage under the policy as a whole. Id. at 902.

Finally, a Connecticut state appellate court recently affirmed that a CGL policy did not provide coverage for liabilities resulting from lost computer tapes in Recall Total Info. Mgmt. Inc. v. Federal Ins. Co., 2014 WL 43529 (Conn. App. Ct. 2014). In that case, Recall had contracted to transport electronic tapes for IBM. When IBM's tapes (literally) fell off the back of a truck during transport, employment-related data for 500,000 individuals was lost. Id. at 1.

Recall asserted that coverage under the “personal injury” coverage part of the CGL policy at issue, which provided coverage for damage resulting from “injury ' caused by an offense of ' electronic, oral, written or other publication of material ' that violates a person's right to privacy,” applied. Id. at 5. In rejecting that contention, the trial court held, and the appellate court affirmed, that the tapes were not “published” because there was no evidence the information on them was actually accessed by a third party. Id. at 6. Additionally, merely triggering notification statutes was not a “presumptive invasion[] of privacy” giving rise to coverage under the policy. Id. at 7.

Settlements

Some cases involving coverage for data breaches have recently settled (in whole or in part), but are nonetheless worth noting for the insights that they provide into the basis for the parties' disputes. For example, in 2011, Scottrade Inc. settled a dispute with its insurer, The St. Paul Mercury Insurance Company, over coverage for losses resulting from the unauthorized access of around 1,400 brokerage accounts registered with the company. Scottrade, Inc., v. The St. Paul Mercury Ins. Co., No. 4:09-CV-1855 (E.D. Mo. filed Nov. 12, 2009). Scottrade sought recovery under a bond issued by St. Paul Mercury, which contained a rider for computer systems fraud that covered the entry or change of “Electronic Data or Computer System” into or within “any Computer System operated by the Insured, provided that the entry or change causes property to be transferred ' an account ' to be added, deleted, debited or credited, or an unauthorized account or a fictitious account to debited or credited.”

Sony Corporation settled a data breach coverage dispute with one of its insurers, Great American, but Sony's coverage dispute with another insurer, Zurich, went forward in New York state court. See, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. filed July 20, 2011). This coverage dispute stemmed from the breach in 2011 of Sony's PlayStation Network, and the theft of more than 100 million individuals' personal information.

Zurich initiated a declaratory judgment action against Sony and three additional insurers, seeking a declaration that the CGL policies that Zurich had issued to Sony did not provide coverage for this breach because there was no damage to tangible property, and because there had been no “personal or advertising injury.” Zurich also initiated an additional action against Sony's excess insurer, Great American, but in late 2013, Sony and Great American stipulated that the latter has no payment obligations to Sony as a result of the breach, and that Great American will not allege that Sony failed to comply with notice requirements or any law, statute or regulation if any claims from Sony insureds are retendered to Great American.

Michaels Stores recently settled a coverage dispute with Arch Insurance Company over coverage for a breach stemming from a “skimming attack,” in which hackers used a program to compromise the stores' PIN pad terminals, which collected customers' debit and credit card information when the cards were swiped for payment. See, Arch Ins. Co. v. Michaels Stores, Inc., No. 1:12-cv-00786 (N.D. Ill. filed Feb. 3, 2012). Arch had asserted that there was no coverage because there was no property damage or personal and advertising injury. XL Insurance America had also filed a declaratory judgment action against Michaels stemming from the breach, but XL dismissed its suit once Michaels settled with Arch.

And, in October 2013, Schnuck Markets dismissed a lawsuit against its insurer Liberty Mutual, which had sought coverage for losses stemming from a malware attack that compromised 2.4 million credit and debit cards. See, Liberty Mutual Ins. Co. v. Schnuck Markets Inc., No. 4:13-CV-01574 (E.D. Mo. filed Aug. 14, 2013). Schnuck's excess insurer Liberty Mutual had contended that its policy did cover the breach because there was no property damage and no personal and advertising injury, and because other policy exclusions applied. Schnuck's insurer, Beazley Insurance Company, continued to contend against coverage for this loss. See, Beazley Ins. Co. Inc. v. Schnuck Markets Inc., No. 1:13-CV-08083 (S.D. N.Y. filed Nov. 13, 2013).

Pending Cases

Finally, these pending disputes bear watching:

1. State Nat'l Ins. Co. v. Global Payments Inc., No. 1:13-CV-01205 (N.D. Ga. filed Apr. 2013). This dispute stems from the hacking of a credit and debit card processor's computer systems. State National, which issued an excess liability policy to Global Payments, contends that its policy does not apply to the breach because the policy's “privacy” and “technology services” coverage parts do not apply, and because exclusions bar coverage.

2. First Commonwealth Bank v. St. Paul Mercury Insurance Co., No. 2:14-CV-0009 (W.D. Pa. filed Jan. 3, 2014): On Jan. 3, 2014, First Commonwealth Bank sued St. Paul Mercury Insurance in a federal Pennsylvania court, seeking coverage under a professional liability policy for losses stemming from a bank account hacking scheme. As a result of this hacking scheme, the bank replaced $3.5 million into three corporate accounts. St. Paul alleges that it was improper for the bank to replace that money without first seeking permission from the insurer, as required under the Policy.

Conclusion

Looking ahead, we expect that coverage disputes resulting from data breaches are far from over. As businesses continue to integrate technology into the heart of the companies, the information protected becomes increasingly valuable and a larger target for sophisticated criminals. The coverage issues that follow are likewise ever more valuable, and the cases compiled in this article may reflect “just the beginning” of litigation regarding this type of loss.

Ellen Farrell is a Counsel in Crowell & Moring LLPs Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.