Ruling on Crime Policy Covering Data Breach

In 2012, the Sixth Circuit Court of Appeals held that the expenses resulting from the cyber theft of customer data were recoverable under a commercial crime policy in a case filed by the retail store DSW Shoe Warehouse. Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012).

In the case, hackers used a wireless network at a DSW Shoe Warehouse store to obtain unauthorized access to DSW’s computer systems and downloaded credit card and bank account information from over 1.4 million customers. Subsequently, fraudulent transactions using the stolen customer payment information occurred. DSW incurred millions of dollars of expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations. The important distinction here is that the losses were not direct financial losses from money taken from DSW, but expenses resulting from the remediation due to the theft of the information.

DSW submitted a claim for coverage under a computer fraud rider to a “blanket Crime Policy” for losses related to the computer hacking. The rider provided Computer and Funds Transfer Fraud Coverage; specifically, coverage for any loss resulting from the theft of any insured property by computer fraud. DSW filed an action to determine whether the losses were covered by the commercial crime policy, and DSW prevailed with respect to its claim that the hacking damages were covered under the policy. The insurance company appealed, arguing that the expenses incurred were not a loss resulting directly from the theft of insured property by computer fraud.

The 6th Circuit held that the loss and damages for remediation to customers were caused by the hacking. DSW did not have a specific cyber insurance policy, yet it was still able to obtain coverage based on language in its commercial crime policy.

Businesses should review their existing coverage carefully and may find that data breach is not expressly covered. Although we do not recommend relying upon a crime policy to cover cyber theft, if a business has a cyber loss and does not have a cyber theft policy, there may be coverage elsewhere.