No Coverage for Bank Claims Arising from Data Breach
A New York intermediate appellate court, applying New York law, has ruled that an insurance coverage claim, arising out of the theft of electronic credit card data and a subsequent suit by a bank arising out of the alleged misuse of that data, did not involve “property damage,” within the meaning of a comprehensive general liability policy. See RVST Holdings, LLC v. Main Street America Assurance Co., No. 521419, 2016 WL 634611 (N.Y. App. Div. Feb. 18, 2016). This decision further reinforces that there is very limited coverage for “data breach” claims outside the coverage afforded by specialized “cyber” policies.
The Present Decision
The policyholder, a fast-food company, stored its customers’ credit card information on its computer network, which was infiltrated by unknown individuals. These individuals unlawfully obtained the customers’ credit card information and used that information to make fraudulent charges. The claimant, a bank, filed suit against the policyholder, alleging that the policyholder had negligently failed to exercise reasonable care in safeguarding the information of the claimant’s cardholders. The claimant asserted that this negligence caused it to sustain damages related to its reimbursement of the fraudulent charges. The insurer refused to defend or indemnify the policyholder for the underlying suit, and the policyholder filed a declaratory action against the insurer seeking coverage. The trial court granted summary judgment to the policyholder.
On appeal, the court held that the insurer had no duty to defend because the underlying action arose out of the policyholder’s negligent handling of electronic data, which did not constitute a claim for “property damage” under the policy. The court noted that both the insurer and the policyholder agreed that the allegations in the underlying complaint were based upon losses due to the theft and subsequent misuse of electronic data. The parties also agreed that the electronically stored information at issue in the underlying action qualified as “electronic data” under the policy’s definition of that term. The court explained that, while the policy covered damages arising out of damage to tangible property, the policy specifically excluded “electronic data” from the definition of “tangible property.” The court also observed that the policy excluded “damages arising out of the loss of electronic data.” Therefore, the court held that the underlying action’s claim for damages arising out of the policyholder’s negligent handling of electronic data was not a claim for “property damage” under the policy.
The Emerging Trend
Under older policy forms, some policyholders sought coverage under “Coverage A” (property damage) of CGL policies for “data breach” claims. Although the better view is that electronic data cannot constitute “tangible property” under any definition of the term, see, e.g., Am. Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 466 (E.D. Va. 2002) (“Computer data is not tangible property.”), aff’d, 347 F.3d 89 (4th Cir. 2003) and State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) (“Alone, computer data cannot be touched, held or sensed by the human mind; it has no physical substance. It is not tangible property.”), the case law under older policy forms was mixed. See Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.2d 1264 (N.M. Ct. App. 2002) (finding coverage for suit for loss of data from reformatting hard drive; “computer data is tangible property”); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. CIV. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. Apr. 18, 2000) (concluding that loss of data on computer network constituted “property damage”).
More recently, however, policies have expressly excluded claims involving damage to (or loss of use of) electronic data. For example, many CGL policies bar coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” See ISO Form No. CG 00 01 12 04 (added in 2004). The RVST Holdings decision illustrates that these types of limitations will be given effect.