According to the Privacy Rights Clearinghouse, in 2005 DSW Shoe Warehouse suffered a data breach affecting over 1.4 million customers across 25 states. Between February 1 and February 14, 2005, hackers gained unauthorized access to DSW's main computer system and downloaded credit card and checking account information pertaining to customers. (The DSW incident was part of the same scheme that targeted TJX, Barnes & Noble, Target, Sports Authority and Boston Market; see The Great Cyberheist, by James Verini, New York Times Magazine, Nov. 10, 2010. Using a technique known as “war driving,” hackers sat in vehicles outside stores with laptops and high-power radio antennae to gain access to networks.) DSW was first alerted to the problem in March of 2005. In the wake of the breach, DSW incurred expenses relating to customer communications, public relations fees, customer claims/litigation and attorneys' fees in connection with the investigations by seven state AGs and the FTC. DSW claimed losses of $4 million, including costs associated with chargebacks, card reissuance, account monitoring and fines imposed by VISA/MasterCard.
DSW submitted Proofs of Loss to its insurer, National Union, starting in September 2005 (following initial notification of the matter in April 2005). DSW claimed a total of $6.8 million for the losses plus interest. At the time, DSW did not have specific data breach coverage for the incident; however, it submitted the claim under a computer fraud rider to a “Blanket Crime Policy.” (As of 2005, AIG and other insurers provided coverages for network security/privacy liabilities as well as coverages for network incidents and interruptions; at the time, some policies did not specifically address fines/penalties associated with a breach, but most now do.)
National Union denied coverage for the loss under the crime policy, stating that the claims arose from “third party theft of proprietary confidential customer credit card information.” The crime policy included an endorsement for “Computer & Funds Transfer Fraud Coverage,” where the insurer agreed to pay for “Loss which the Insured shall sustain resulting directly from… theft of any Insured property by Computer Fraud…” (Italics added).
The district court granted summary judgment for DSW based upon the policy language, and National Union appealed. The appellate court disagreed with the insurer’s denial analysis and found coverage for DSW, stating that the phrase “resulting directly from” does not unambiguously limit coverage to a loss resulting “solely” or “immediately” from the theft itself (see Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., — F.3d— (2012)) [emphasis added].
National Union argued that the commercial crime policy was a fidelity bond and provided only first party coverage. The district court found that the policy covered more than fidelity coverage. National Union also argued that the “resulting directly from” language required that the theft of property by computer fraud be the “sole” and “immediate” cause of the insured’s loss. National Union urged that this approach refers to the insured’s own loss, say from employee misconduct, and not the insured’s vicarious liability to third parties.
While the Sixth Circuit acknowledged that other decisions reason that the “resulting directly from” language suggests a stricter causation than proximate cause, the court went on to find that the Ohio Supreme Court would apply a proximate cause standard to determine whether the loss was covered. The appellate court decided that the “resulting directly from” language was ambiguous. Further, the court did not find an exclusion to apply. The court found that the exclusion for “loss of … confidential information of any kind” did not include the hacked customer data as the customer information was not DSW’s confidential information but was obtained from customers in order to receive payment.
Given the trend in available coverages following this and other notable incidents from 2005 to 2007 (ChoicePoint, TJX), it does not appear likely that many courts will be looking to crime policies or fidelity policies for coverage of these types of losses. It would not be surprising, however, if courts continue to pay careful attention to policy language about “computer fraud” or “computer systems,” in particular where there are significant losses following breach incidents. And, as noted by this court, not all crime policies contain similar “resulting directly from” language or even provisions that address “computer fraud.” In that regard, the decision may have a limited shelf-life.