September 19, 2012 - The United States Court of Appeals for the Sixth Circuit has upheld a trial court judgment, and an AIG subsidiary has been required to pay over $7 million for a computer hacking insurance claim. The Sixth Circuit rejected AIG's denial of insurance coverage for the losses that resulted when a policyholder in 2005 suffered a data breach at the hands of a computer hacker. Retail Ventures Inc. et al. v. National Union Fire Insurance of Pittsburgh, Pa., case number 10-4576, August 23, 2012. The court's mandate was issued on September 14, 2012, and the judgment has been paid in full.
The policyholder, a nationwide retailer, filed its claim after hackers stole credit card and checking account information for over one million customer account transactions, which resulted in fraudulent credit card charges, credit monitoring costs, re-establishment of accounts, call center costs, legal expenses, and a spate of class action suits, as well as an inquiry by the FTC. Class action defense costs were paid by a separate insurance company without resort to litigation.
The Sixth Circuit's decision, upholding an Ohio District Court summary judgment ruling, rejected AIG's attempt to exclude coverage on the grounds that the "direct loss" provision in its crime insurance policy excluded the computer hacking claim. The decision instead found that coverage existed for the losses suffered by the retailer for, among other things, reimbursing others for fraudulent credit card charges and expenses for addressing an FTC inquiry. The Sixth Circuit found that the promise to cover loss "resulting directly from" the "theft of Insured property by Computer Fraud" imposes a traditional proximate cause standard, which, in this case, would encompass liability where the policyholder holds or is responsible for property or information entrusted to it by other parties.
In addition to its direct loss defense, AIG cited several exclusions, including an exclusion for the loss of "proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind." Finding that exclusion inapplicable to the theft of customer data, the Sixth Circuit upheld the District Court, finding that "the stolen customer information was not 'proprietary information' at all, since the information is owned or held by many, including the customer, the financial institution and the merchants to whom the information is provided in the ordinary stream of commerce."
Joshua Gold, counsel to DSW, commented, "Because the direct loss argument is a recurring defense, the Sixth Circuit's ruling is of particular importance to those that purchase fidelity, crime, and financial institution bond coverage. The case is also very significant given the ever-growing threat of computer data breaches and lack of judicial guidance on insurance coverage for such risks and losses. This decision is good news for any business that accepts credit cards or stores customer data in any form."