Computer Fraud: Notification of Insurance Coverage Issues

January 9, 2013

Several years ago, computer hackers accessed the computer system of a large retail operation to obtain the credit card and checking information of more than 1.4 million customers of the retailer. This precipitated several actions.

The first action was that the retailer was required to provide notifications to its customers of the breach—and also to address and rectify the consequences of the data breach. As a result, the retailer was required not only to alert its customers to the fact that their data had been compromised, but also to pay related fees arising from charge backs, credit card re-issuances, and ongoing credit monitoring. Although this retailer was based in another state, merchants in Wisconsin are subject to a specific statute, Wis. Stat. § 134.98, which requires notice when personal information falls into the hands of third parties, generally within 45 days of the security breach. While the failure to comply with that notification requirement is not negligence per se, it may be used as evidence of negligence or a breach of legal duty. As a result, businesses should be aware of this requirement and should act promptly to seek legal advice in the event of a security incident.

Another action precipitated by computer fraud is to address the attendant costs. In the case of the national retailer whose computer system was hacked, the retailer spent $6.8 million dollars for public relations, defense of customer claims based on disclosure of personal information, and responding to government investigations. An unanticipated expenditure of this magnitude can have significant financial consequences. In such event, the business will invariably look to see if there is coverage under one or more of its insurance policies, so that it can be reimbursed for the out-of-pocket expenditures.

Whether or not there is coverage in this circumstance is entirely dependent on the coverage provided in the applicable insurance policy. Some policies provide coverage. Some provide limited coverage. Some provide no coverage. In the case involving the large retailer, its insurance carrier denied coverage. Litigation resulted. The policy in question provided coverages for loss “resulting directly from…(t)he theft of any Insured property by Computer Fraud.” What does this mean? The carrier asserted that the fraud had to be the “sole” and “immediate” cause of the $6.8 million loss. The retailer asserted that the fraud only had to be a “proximate” cause, i.e., a contributing factor to the loss. The court invoked a number of well-established “rules of contract construction,” e.g., policy ambiguities are construed in favor of coverage and against the carrier. The end result was a court declaration that the loss was covered under the policy.

What does this mean to persons who want coverage for the consequences of computer fraud? It means that they have to search the market place to locate carriers who are willing to provide coverage for this type of loss. A proactive approach is the best way to manage this potential risk.

To subscribe to email alerts from Axley Law Firm, click here.