This is “simply” a what-if scenario, but consider this: If your e-commerce company were to suffer a data breach, do you know that there is insurance coverage for related costs under some commercial crime-insurance policies?
It is so.
An Ohio federal court has held that a computer and funds transfer fraud endorsement in an AIG commercial-crime policy provides coverage for a data breach. So, if your company bought such coverage, and your company has suffered a data breach, then be sure to put that insurance company on notice for the claim.
Insurance companies may protest that computer and funds transfer fraud endorsements, or similar endorsements, do not provide coverage for data breaches. But that assertion is contrary to developing law.
The Nitty-Gritty
In Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA, No. 2:06cv443 (S.D. Ohio), the insureds (DSW) suffered a data breach after an unknown hacker fraudulently accessed DSW's computer systems. As a result of the incursion, DSW faced consumer class-action lawsuits and was forced to enter into a consent agreement with the Federal Trade Commission (“FTC”).
In its claim, DSW sought coverage for the costs resulting from the data breach from AIG under an AIG 2004-2005 commercial crime policy that included a computer and funds transfer fraud endorsement (see, Retail Ventures, Complaint, Ex. A at 30 of 47). AIG did not deny coverage, but rather notified DSW that coverage appeared to be precluded by an exclusion relating to defense costs for legal proceedings, damages for which the insured would be legally liable, and costs and fees in establishing the amount of the loss, on the grounds that the damages did not result directly from computer theft. After receiving additional information from DSW, AIG continued to reserve its rights, without admitting that there was coverage for the claim.
After AIG refused to provide coverage while at the same time stating that it had not denied coverage, DSW sued AIG, seeking a declaration that AIG owed coverage under the policy. Both DSW and AIG moved for summary judgment as to whether AIG owed coverage.
The court granted summary judgment for DSW (see, Retail Ventures, slip op. at 21 (S.D. Ohio Mar. 30, 2009)). The court found that there was coverage and rejected all of AIG's coverage defenses.
The decision is instructive for companies seeking coverage for data breaches. Not only does the decision find coverage under computer and funds transfer fraud endorsements, but it also explains why many, if not all, of the defenses that AIG raised (and that insurance companies could be expected to raise in future data-breach claims) are not valid.
The Reasoning
First, there was a “theft.” The court noted that the computer fraud endorsement provided coverage for “[t]he theft of any insured property by Computer Fraud” (Retail Ventures, slip op. at 13 (emphasis in original)). The AIG policy stated: “Theft means the intentional and unlawful taking of insured property to the deprivation of the Insured.” Id., Complaint, Ex. A at 31 of 47. The court held that the data breach there constituted theft of insured property. (See, Id., slip op. at 13, finding coverage under Endorsement 17, which required “theft of any insured property.”)
Policyholders with computer and funds transfer fraud coverage should argue that the basic facts in a data breach are the same: a data breach occurred, and the breach resulted from a malicious hacking in which credit-card data was stolen so that the hackers could use the information. Therefore, an assertion by AIG, or any other insurance company that sold similar coverage, that coverage does not apply to the submitted data-breach claim because there was no “theft” is without merit.
Second, the court rejected AIG's argument that there was no “direct loss” under the policy. The court cited its earlier holding that the crime policy was not a fidelity bond, and explained that AIG's position was an attempt to “alter a liability contract into a fidelity bond and ignore the intent of the parties to the Crime Policy.” Id. at 13. Because the crime policy is not a fidelity bond, the court applied a traditional proximate-cause test to determine whether the losses resulting from the data breach were direct. The court considered cases from “[n]umerous jurisdictions” to determine the appropriate test for deciding whether the loss from the data breach was direct. The court considered New York law, citing Federal Deposit Insurance Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA, 205 F.3d 66 (2d Cir. 2000) (“FDIC”), in reaching its conclusion that “the application of a proximate-causation standard” is the appropriate test. Retail Ventures, slip op. at 12 (citation omitted).
The court's reliance on FDIC is significant, because the FDIC opinion discussed and analyzed Aetna Casualty & Surety Co. v. Kidder, Peabody & Co. Inc., 676 N.Y.S.2d 559 (1st Dep't 1998), extensively. Kidder, Peabody is a decision that insurance companies may cite as the rule determining whether damages are direct versus indirect, or consequential. In Kidder, Peabody, the insurance companies sought:
[A] declaration that they are not obligated to indemnify defendant insureds under the terms of numerous fidelity bonds, for misconduct of its employee in divulging confidential information relating to corporate takeovers and mergers of Kidder's clients, which resulted in massive insider trading and losses to third parties. Id. at 560-61.
The employees used insider information to engage in insider trading that was designed to harm third parties rather than the employer, while also benefiting the employees. See, Id.
The court discussed what it understood the drafting history of fidelity policies to be, and, based on that drafting history, determined that when the employee did not intend to cause harm to the employer, the fidelity policy's coverage did not apply to the losses asserted by third parties (see, Id. at 564-66). The court concluded that:
[T]he putative loss to Kidder arises in part from a settlement with third parties, but the settlement was not the direct result of the employee's dishonest conduct; the employee's dishonesty only caused pricing irregularities in the stock, which, themselves, caused losses to the customers, which then led to litigation concluding in settlement. In this sense, the settlement would not constitute a covered loss. Id. at 564.
This consisted of too many steps in the causal chain to be covered under a fidelity bond.
By contrast, the Retail Ventures court held that “there [wa]s a sufficient link between the computer hacker's infiltration of Plaintiffs' computer system and Plaintiffs' financial loss to require coverage under” the computer and funds transfer fraud endorsement. Retail Ventures, slip op. at 12.
Because of the Retail Ventures holding, when seeking coverage under such an endorsement, policyholders should be sure to remind insurance companies that the proximate-cause test is the relevant test. An insurance company's citation of Kidder, Peabody, as AIG did in the DSW case, to assert otherwise, is not persuasive. The Retail Ventures court analyzed the policy language and held that Kidder, Peabody is inapposite. The court reached that conclusion, even though the Kidder, Peabody decision was described as “the chief case upon which AIG relie[d]” (see, Retail Ventures, Plaintiffs' Sur-Reply Memorandum of Law in Opposition to Motion for Summary Judgment by Defendant National Union Fire Insurance Company of Pittsburgh, PA, at 7 (S.D. Ohio Oct. 19, 2007)). The court held that “the Crime Policy cannot be labeled solely a fidelity bond and the aspect of it which is, Section I, is not at issue currently.” Retail Ventures, slip op. at 11. The same logic applies to claims for coverage for other data breaches under similar policy provisions.
Direct Loss
Moreover, New York courts applying New York law have looked beyond Kidder, Peabody. For example, in Sorrentino v. Allcity Insurance Co., 645 N.Y.S.2d 515 (App. Div. 2d Dep't 1996), the court relied on the proximate-cause test to determine whether damages constituted direct loss (see, Id. at 516). Therefore, if a loss results from an incident earlier in the causal chain, the loss may still be considered a direct loss. The Retail Ventures court found that the loss from the data breach was direct for purposes of coverage under the Computer & Funds Transfer Fraud Endorsement. The same should hold true for other data breaches under similar endorsements.
Exclusion (m) also did not apply in the DSW action. That exclusion stated, in the AIG policy:
This Policy does not apply ... to damages of any type for which the insured is legally liable, except direct compensatory damages arising from a loss covered under this Policy[.] Retail Ventures, Complaint, Ex. A at 7 of 47.
The language in Kidder, Peabody did not require otherwise. The court stated in Retail Ventures:
Turning to Exclusion (m), the Court already concluded “direct” requires a proximate cause analysis. Moreover, there is no suggestion that the damages Plaintiffs incurred are anything but compensatory.
Under that authority, any assertion that the data-breach-related damages are “indirect and consequential” would be without basis. Such an assertion would be based on nothing more than the insurance company's own opinion. Data-breach-related damages should be seen as compensatory under such an endorsement. It is widely recognized that the damages sought in data-breach and privacy litigation include credit monitoring. For example, in the settlement that resolved the TJX Companies' data breach, “[t]he first category of benefits, which, incidentally, ma[de] up the vast majority of the settlement's purported value,” consisted of “credit monitoring” and related costs, which was valued “at over $177,000,000.” In re TJX Cos. Retail Security Breach Litig., 584 F. Supp. 2d 395, 400 (D. Mass. 2008). Plainly, damages that make up part of a settlement are compensatory damages arising from a loss.
In addition, claims for credit-monitoring costs should be seen as having resulted directly from the breach and also constitute mitigation costs. An insured that incurred such costs “should not be prejudiced because [it] took steps in the face of [current and potentially additional] imminent [harm] prudently to mitigate damages.” (See, Wilmot v. State, 32 N.Y.2d 164, 168 (1973); see also, Levantino v. Ins. Co. of N. Am., 422 N.Y.S.2d 995, 1002 (N.Y. Sup. 1979) (discussing mitigation obligations).) Surely, if an insured had not taken steps to mitigate its losses and potential losses, the insurance company would argue that coverage was not available on the basis that the insured had not mitigated its losses.
Finally, any argument that coverage is barred because of an exclusion for “loss of proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind” should fail. AIG raised that argument, and lost, in Retail Ventures. (See, Retail Ventures, slip op. at 13.) The Retail Ventures court found Exclusion 9 to be ambiguous, and refused to enforce it to deny coverage for costs related to a data breach. (See, generally, Id. at 13-19.)
The Wrap-Up
The Retail Ventures decision is a welcome one for policyholders seeking coverage for data breaches under computer and funds transfer fraud endorsements. Policyholders facing denials of coverage for data breaches under such endorsements should cite the Retail Ventures decision to support a claim for coverage and reject an improper denial.