Any business that collects credit card information from customers risks liability if it fails to keep that information secure. In the event of a breach, a business would face claims from its customers for damages from identity theft and other losses. Businesses may also find themselves liable to their merchant service banks and the credit card networks for the cost of refunding the customers' unauthorized charges. Insurance coverage for claims such as these remains an unsettled question. A recent court decision involving a nationwide retailer, Retail Ventures, Inc., et al. v. National Fire Union Insurance Company of Pittsburgh, illustrates how businesses and their insurers may handle such matters in the future.
A series of cyberattacks in February 2005 breached the computer network at a DSW Shoe Warehouse location, allowing the hacker to access the company's main system. The hacker obtained checking account and credit card information for at least 1.4 million customers. Fraudulent credit card charges and bank withdrawals began appearing in early March 2005. DSW Shoe Warehouse and its affiliated companies, Retail Ventures, Inc. and DSW, Inc. (collectively referred to here as "DSW") notified its insurer of a claim while it investigated the matter.
DSW ultimately incurred breach-related expenses for communications and settlements with customers, public relations, and attorney's fees in connection with investigations by the Federal Trade Commission (FTC) and seven state Attorneys General. DSW's largest single expense was paid to the credit card networks for chargebacks, administrative expenses, and fines. DSW reportedly paid over $4 million to the Visa and MasterCard networks.
DSW's insurer denied coverage under its blanket crime policy, stating that the loss was excluded by the policy's computer fraud rider. The rider covered losses that resulted "directly" from theft of any insured property via computer fraud, and excluded loss of proprietary information or trade secrets. The insurer claimed that the policy was a "fidelity bond," and that it therefore only covered theft or other crimes committed by employees. Because the loss involved a third-party theft of confidential or proprietary customer information, the insurer called it an "indirect loss" not covered by the policy.
DSW filed a lawsuit in an Ohio federal court, asking the court for a declaratory judgment as to the terms of the insurance policy. The parties agreed that DSW's losses totaled $6.8 million. The trial court ruled in DSW's favor, holding that the insurer was liable to cover the damages. The insurer appealed to the Sixth Circuit Court of Appeals.
The appeals court affirmed the trial court's ruling and the $6.8 million judgment, holding that the blanket crime policy and computer fraud rider covered the damages from the security breach. The mere fact that the policy was labeled a "fidelity bond" did not determine coverage. The court instead looked at the language of the policy itself and held that it did not unambiguously exclude losses such as outside security breaches. Regarding the "direct loss" question, the court applied a "proximate cause" standard. Because the hacking incident was the direct, proximate cause of DSW's loss, the court held that it was a "direct loss" within the meaning of the policy. Finally, the court considered whether the customer data was proprietary information excluded from coverage. Since DSW did not own or hold any rights to the customer information, the court ruled that it was not "proprietary" within the meaning of the exclusion.
Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today online or at (512) 901-0070.