Drawing a Line Between Tangible Damage and Corrupted Data
At first glance, a recent federal district court decision appears to be simply another ruling finding no coverage for a “data breach” exposure under a commercial general liability policy. See Camp’s Grocery Inc. v. State Farm Fire & Casualty Co., No. 4:16-cv-0204 (N.D. Ala. Oct. 25, 2016). But digging deeper, this decision has important implications for future cyber-related claims. The court found there was no third-party claim for property damage to tangible property where credit cards had to be replaced because intangible data contained on them had been compromised. In addition to finding that coverage was not triggered in the first instance, the court applied an increasingly common exclusion — which bars coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” — to find that coverage was unavailable for a claim arising out of a payment card breach. Given the relative sparsity of case law on these issues, the court’s decision to broadly apply the exclusion is likely to guide courts addressing data security issues in other contexts, such as the emerging risks at the intersection of physical property and cybersecurity, including exposures associated with the “internet of things.”
In Camp’s Grocery, the policyholder, which operated a grocery store, was sued by three credit unions alleging that its computer network was hacked, which compromised confidential customer data, including credit card, debit card and check card information. As a result, the plaintiffs claimed that they suffered losses to their cardholder accounts in the form of card reissuance charges, fraud losses, lost interest and transaction fees, lost customers, diminished good will and administrative expenses associated with investigating, correcting and preventing fraud. The policyholder tendered the suit under its CGL policy, but the insurer denied coverage. In ensuing coverage litigation, the district court granted summary judgment in favor of the insurer.
First, the court rejected the policyholder’s argument that first-party endorsements specific to computer programs and electronic data imposed a duty to defend or indemnify it for the credit unions’ suit. The court found the policy to be unambiguous, and it refused to read the duty to defend (as described in a third-party liability coverage part) as also applying to the first-party coverage endorsements. The court determined that the insurer’s discretionary right to defend “claims of owners of property” arising under the first-party coverage form did not impose a duty to defend claims involving such exposures, as the insured argued. In this way, the court’s decision was similar to a recent decision applying New York law, RVST Holdings LLC v. Main Street America Assurance Co., 256 N.Y.S. 3d 712 (N.Y. App. Div. 2016), where the court also refused to conflate third-party and first-party coverages under a policy when addressing claims arising from a claim by a financial institution against a retailer following a payment card breach at the retailer’s restaurants.
Second, the court addressed whether the underlying claim alleged “personal and advertising injury,” which the policy defined to include “injury … arising out of one or more of the following offenses: … e. [o]ral or written publication, in any manner, that violates a person’s right of privacy[.]” The court noted as a threshold matter that the policyholder abandoned its argument that that provision applied. The court went on to rule, however, that “[e]ven absent abandonment, [it] would find that the underlying action does not allege … ‘personal and advertising injury’ for the reasons stated in [the insurer’s] brief.”
Finally, the court also rejected the policyholder’s argument that the plaintiffs’ alleged losses in the form of “replacement customer debit and credit cards” alleged “property damage” within the meaning of the policy. The court noted that the policy expressly defined “property damage” to include “tangible property” only but not to include “electronic data.” The court ruled that, even if credit and debit cards are tangible property, the plaintiffs did not focus on any acts or omissions that caused physical harm or damage to the cards but instead alleged that the policyholder’s “lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss flowing from the need to issue replacement cards with new electronic data[,]” which was not a claim for “property damage” within the meaning of the policy. In addition, the court noted that the policy expressly excluded “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” which it held would bar coverage in any event.
Camp’s Grocery is important for a number of reasons.
First, the court recognized that first-party coverage pertains to losses sustained by the insured to its own property and refused to read a duty to defend into a coverage part covering direct loss. The court also properly found that certain Inland Marine endorsements did not create a duty to defend based on language stating the insured may “elect” to defend against suits arising from claims by owners of property.
Second, Camp’s Grocery shows that “personal and advertising injury” has real limitations and cannot ordinarily be looked to as coverage for data breach liability.
Third, the decision shows that courts recognize the difference between the corruption of electronic data and damage to tangible property, even when the electronic data is stored on or in a tangible item. The decision further demonstrates that policyholders cannot circumvent a requirement for “property damage” by focusing on physical aspects of a loss, such as payment cards that are reissued, when the tangible property at issue is only made worthless because of the compromise of electronic data. The same rationale could apply to claims that computer systems or other devices are made worthless because of vulnerabilities associated with software within them.
Fourth, this decision shows that courts will apply exclusions for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” which have become more prevalent in recent years since Insurance Services Office published a new form endorsement for CGL coverage, in a straightforward and predictable manner. Going forward, this part of the court’s ruling may have the broadest impact on future coverage litigation given that it adds to the growing body of case law applying broadly worded electronic data exclusions according to their terms. See also Metro Brokers Inc. v. Transp. Insurance Co., No. 1:12-cv-3010 (N.D. Ga. Nov. 21, 2013) (applying “the extraordinarily broad exclusionary language” in an exclusion for “[a]ny ‘malicious code’” and “[a]ny ‘system penetration’” to bar coverage for a claim involving computer hacking through use of a key logger virus).
As the “internet of things” becomes an even bigger part of our economy, the limitation of property damage to tangible property and the widespread use of electronic data exclusions may have particular application when there are risks and claims that involve both cyber and physical aspects.