In 2012, the Sixth Circuit Court of Appeals held that the expenses resulting from the cyber theft of customer data were recoverable under a commercial crime policy in a case filed by the retail store DSW Shoe Warehouse. Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012).
In the case, hackers used a wireless network at a DSW Shoe Warehouse store to obtain unauthorized access to DSW’s computer systems and downloaded credit card and bank account information from over 1.4 million customers. Subsequently, fraudulent transactions using the stolen customer payment information occurred. DSW incurred millions of dollars of expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations. The important distinction here is that the losses were not direct financial losses from money taken from DSW, but expenses resulting from the remediation due to the theft of the information.
DSW submitted a claim for coverage under a computer fraud rider to a “blanket Crime Policy” for losses related to the computer hacking. The rider provided coverage for Computer and Funds Transfer Fraud Coverage; specifically, any loss resulting from the theft of any insured property by computer fraud. DSW filed an action to determine whether the losses were covered by the commercial crime policy, and DSW prevailed with respect to its claim that the hacking damages were covered under the policy. The Company appealed arguing that the expenses incurred were not a loss resulting directly from the theft of insured property by computer fraud.
The 6th Circuit held that the loss and damages for remediation to customers was caused by the hacking. DSW did not have a specific cyber insurance policy yet was still able to obtain coverage based on language in its commercial crime policy.
Businesses should review their existing coverage carefully and may find that coverage for data breach is not expressly covered. Although we do not recommend relying upon a crime policy to cover cyber theft, if a business has a cyber loss and does not have a cyber theft policy, there may be coverage elsewhere.