Cyber Law

The United States Court of Appeals for the Sixth Circuit, interpreting Ohio law in a diversity action against an insurer, recently examined insurance coverage pursuant to a commercial crime insurance policy and specifically, the computer fraud rider to the policy. The underlying loss was caused by a computer hacker that gained unauthorized access to the insured's computer system which allowed the hacker to access the credit card and checking account information for 1.4 million customers. The insured was exposed to all types of damages, including defense costs and charges associated with the compromised credit card information (charge backs, reissuance of cards, fines, etc.).

In response to the insurer's claim for coverage, the insurer first argued that the claimed losses were not covered by the computer fraud rider. Based on the language contained in the "Computer & Funds Transfer Fraud Coverage" portion of the policy, the insurer agreed to insure loss which the insured sustained directly from the theft of any insured property by computer fraud. The insurer argued that coverage did not exist under the computer fraud rider because the plaintiff had not sustained loss "resulting directly from" the theft of customer information.

The Sixth Circuit had to decide whether to apply a traditional proximate cause standard to the meaning of "resulting directly from" or a stricter standard of causation that would apply "resulting directly from" to a narrow range of losses more typical of bonds. The Court ultimately applied the traditional rule that unclear language in insurance policies must be construed in the light most favorable to the insured, and the Court found that the policy did not unambiguously limit coverage to "bond-like" losses and therefore applied to the fines, penalties, and other losses proximately caused by the theft of consumer data.

The insurance company alternatively argued that the claimed losses were excluded because the losses constituted a "loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind." The Court, while agreeing that "loss" means theft of information, even if the information is not otherwise destroyed or removed from the computer system, held that the customer data in question was neither "proprietary" nor "confidential" within the meaning of the exclusion. The Court reasoned that the information consisted of information that was widely known to other parties, including the customers themselves, the credit card companies, and other merchants with whom the customers had made charges. More importantly, the Court held that the consumer credit card information did not fall into the "other confidential information" portion of the exclusion. The Court held that "other confidential information" should be interpreted consistently with the other terms in the exclusion so that it only referred to information that was proprietary to the insured's business and protectable as a business secret. Otherwise, it "would swallow not only the other terms in this exclusion but also the coverage for computer fraud."

A business should not rely blindly on the assumption that its commercial property policy covers security breaches and theft of electronically stored information. Specialty policies should be shopped, and as this opinion reflects, even a policy that seems to cover such a loss might not. An attorney that specializes in insurance coverage should be consulted.