On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.
In February 2005, a computer hacker gained access to the main computer system of shoe retailer DSW Shoe Warehouse, Inc. (“DSW”) compromising more than 1.4 million DSW customers’ downloaded credit card and checking account information. Following the data breach, DSW incurred expenses of more than $5 million in connection with customer communications, public relations, customer claims, lawsuits, governmental investigations and associated attorneys’ fees. Losses associated with “charge backs, card reissuance, account monitoring, and fines imposed by” the credit card companies accounted for more than $4 million of those expenses.
Retail Ventures, Inc., DSW Inc. and DSW Shoe Warehouse, Inc. (collectively, the “policyholders”) sought coverage for the losses under a commercial crime policy issued by National Union Fire Insurance Company of Pittsburgh, Pa. (“National Union”). After National Union refused to provide coverage, the policyholders filed claims in Ohio federal court alleging breach of contract and seeking a declaratory judgment. Applying Ohio law, the district court awarded summary judgment in favor of the policyholders on the coverage claim.
On appeal, the Sixth Circuit agreed with the district court that DSW’s losses were covered under a policy endorsement providing coverage for “[l]oss which the Insured shall sustain resulting directly from…the theft of any Insured property by Computer Fraud.” The Sixth Circuit upheld the district court’s application of a proximate cause standard to the phrase “resulting directly” and its conclusion that DSW’s losses were proximately caused by the data breach (i.e., the “theft of any Insured property by Computer Fraud”).
The Sixth Circuit also affirmed the district court’s conclusion that coverage was not barred by an exclusion in the policy providing that “[c]overage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” The Sixth Circuit found that the district court reasonably concluded that the items listed in the exclusion – proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind – were “specific terms that all pertain to secret information of [the policyholders] involving the manner in which business is operated.” In addition, because customers’ banking information was not the policyholders’ confidential information and did not involve the manner in which the policyholders operated their business, the Sixth Circuit affirmed the district court’s finding that the exclusion was not applicable.