Can a first-party insurance policy ever provide coverage for third-party loss?  Well…that depends on what the policy actually says, which goes back to the first rule of all coverage work:  Read The Policy.  (Corollary rule:  Assumptions Are The Mother of All Foulups.)

Here are the facts from a very recent case decided by the U.S. Court of Appeals for the Sixth Circuit on this topic.  DSW operates shoe stores.  Hackers used the local wireless network at one DSW store to get unauthorized access to the DSW computer system and download credit card information for 1.4 million DSW customers at 108 stores.  A slew of fraudulent transactions followed.

Following the data breach, DSW incurred substantial expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the FTC.  DSW eventually entered into a consent order with the FTC requiring DSW to shore up its security system.  The biggest hit taken by DSW, though – roughly $4 million – arose from the compromised credit card information: costs associated with chargebacks, card reissuance, account monitoring, and fines imposed by VISA/MasterCard.  DSW’s total loss was about $6.8 million.

National Union had sold DSW a Blanket Crime Policy.  The policy provided coverage for “Loss which the Insured shall sustain resulting directly from…The theft of any Insured property by Computer Fraud.”

The Policy defined “Computer Fraud” as “the wrongful conversion of assets under the direct or indirect control of a Computer System by means of (1) The fraudulent accessing of such Computer System; (2) The insertion of fraudulent data or instructions into such Computer System; or (3) The fraudulent alteration of data, programs or routines in such Computer System.”

But the Policy excluded the costs of defending lawsuits, “except as may be specifically stated to the contrary.”

National Union argued that, given the exclusion for defending suits, the policy was essentially a Fidelity Bond providing only first-party coverage, and that losses associated with third-party claims (such as those made by the FTC and customers) were not included within the insuring agreement.

But the Court wrote that “the label given to a policy is not determinative of coverage,” and focused on the coverage grant.  “Loss” is a broad term. What did it mean that a covered “Loss” must “result directly from the theft”?  National Union argued that the “resulting directly from” language required that the theft of property by computer fraud be the “sole” and “immediate” cause of the policyholder’s loss.  The Court, however, found that the language was ambiguous, writing:  “We find that the phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself.”  In other words, “proximate” cause of a loss was all that was needed…and that was enough to encompass the costs of dealing with the third-party claims, taking them out of the exclusion for defending suits and claims.  There was no question that DSW had suffered a “financial loss,” even if part of that loss was attorneys’ fees, and there was a “sufficient link” between “the computer hacker’s infiltration of [DSW’s] computer system” and the financial loss.

National Union also pointed to an exclusion in the policy reading:  “Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.”  The Court held that this exclusion did not apply.  Basically, the Court found that the exclusion was meant to apply to the policyholder’s information, used in the policyholder’s business, which gives the policyholder the “opportunity to obtain advantage over competitors who do not know or use the information.”  Here, the information belonged to customers, and not really to DSW.

Given the exclusion for defending claims, insurance company folks may argue that this case is an example of a Court bending over backwards to find coverage where none really exists. But I think that, in a way, this case represents the flipside of bad faith.  If a claim is “fairly debatable,” then the insurance company can’t be held liable for bad faith in refusing to cover it.  But…if the application of policy language is “fairly debatable,” then the policyholder should (and usually does) get the benefit of the doubt as to whether coverage exists.  After all, the carrier writes the policies, and the carrier has to deal with the consequences if the language is not 100% clear.