Cyber-risk insurance coverage is alive and well, and you need it
- September 13, 2012
Virginia Business recently published an article addressing insurance coverage for all forms of cyber-risk. This area of first- and third-party exposure continues to garner attention throughout the global business community. A study just published by Corporate Board Member and FTI Consulting found that “for the first time, data security was earmarked by the largest percentage of responding directors (48 percent) and general counsel (55 percent) as an issue of concern.” Businesses large and small not only should, but must take the risk seriously. Least anyone think this exposure to loss is only for large IT heavy companies, the Wall Street Journal published an article in mid-July concerning small business owners whose bank accounts have been wiped out by cyber criminals. Cyber insurance is not just for e-commerce businesses as you are about to learn.
Insurance coverage for cyber-risks, more formerly known as network security/privacy coverage, is becoming more comprehensive in scope and more widely available in the marketplace. As industry expert Richard Betterley noted in his June 2012 report on cyber insurance, “[t]he market continues to broaden, especially in health care and the small- to mid-sized insureds segments.” Betterley goes on to state in his report, that coverage is available for crisis management services, notification to potentially affected customers, credit monitoring, and costs to re-secure the data.
As more businesses push to use the Internet for banking and hosting services on the cloud, policyholders must take a hard look at their cyber-risk exposure for losses. It is always easier to be convinced by way of example, and the United States Court of Appeals for the Sixth Circuit’s latest opinion does just that for insureds. (Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh, Pa.). For those not very familiar with these two parties to the litigation, Retail Ventures is DSW Shoe Warehouse and National Union is a large insurance company owned by Chartis (formerly AIG).
In 2005, hackers breached DSW’s main computer system and downloaded more than 1.4 million customers’ credit cards and checking information profiles. DSW filed a notice of claim with National Union for the losses of approximately $5.3 million related in various forms to the theft. In response to the insurance claim under DSW’s Blanket Crime Policy, which contained an endorsement for Computer & Funds Transfer Fraud Coverage, National Union denied it. This forced DSW to sue its insurer for coverage of the data theft and related costs.
In this particular case, the federal courts were called upon to apply Ohio state law. The courts found the issue, which basically revolved around the interpretation of the simple phrase “resulting directly from,” new to Ohio for this type of claim. For DSW, its recovery of over $5.3 million boiled down to a court interpreting for the first time small phrases in the crime policy’s computer fraud coverage. You can only imagine the risk posed to a smaller business in having a large claim outright denied- it becomes a life or death struggle for the business against its larger insurer.
The district court found in favor of coverage for DSW, and National Union appealed to the federal court of appeals based in Cincinnati. After a thorough analysis of Ohio and other law, it too found in favor of DSW. As the court succinctly noted, “[d]espite defendant’s arguments to the contrary, we find that the phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself. The court also analyzed the insurer’s arguments that various exclusions within the computer fraud endorsement barred coverage. Those attempts to defeat coverage for DSW were also rejected.
An interesting twist on this story is that DSW, as part of its lawsuit for insurance coverage, sought a finding that the Chartis carrier acted in bad faith in denying the claim. As many a risk manager and insurance adjuster knows, a bad faith claim is the hammer in insurance litigation. It allows a winning insured to seek extra damages over and above the policy limits. In short, bad faith can prove to be the best arrow in a policyholder’s litigation quiver.
Unfortunately, bad faith can also be a hard claim to prove in a lot of cases, and that was true here. National Union had two outside attorneys provide coverage opinions prior to denying the claim. When the first attorney said coverage existed, the insurer sought a second opinion. That latter attorney issued an opinion that there was not coverage. Then the first attorney changed his mind in light of the new opinion.
DSW argued that the insurer’s seeking of a second opinion when it did not like the first, from an attorney that the insurer used regularly, was bad faith. The appellate court ruled that requesting a second opinion under the circumstances did not make the insurance investigation so “one-sided” as to constitute bad faith. DSW’s other arguments for a finding of bad faith were also rejected. The result of losing the bad faith argument meant that DSW could not force the insurer to pay its legal fees.
A company’s traditional insurance program may not cover cyber losses, or likely contains gaps in such coverage for cyber/data breaches. The DSW case demonstrates how far a policyholder may have to go to find coverage through a more traditional insurance policy. As noted in a recent announcement from Marsh, one of the largest insurance brokers in the world, highlights, “Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations.”
There is no time like the present for policyholders (large and small) to analyze their insurance programs to determine if their current insurance will cover cyber-risks, or if the gaps may need to be filled. An ounce of prevention upfront from such an analysis may prevent the type of insurance fight DSW needed to get the coverage it paid for from its insurer.
Collin Hite is the leader of the Insurance Recovery team in Hirschler Fleischer’s Richmond office. He handles insurance recovery and coverage litigation in the areas of business interruption, all risk, construction, business torts, products liability, directors’ and officers’ liability, employee dishonesty, intellectual property, and environmental matters.