Republished from Tressler’s Privacy Risk Report blog.

In Camp’s Grocery, Inc. v. State Farm Fire & Cas. Co., 4:16-cv-00204 (October 25, 2016), the U.S. District Court for the Northern District of Alabama granted summary judgment to defendant State Farm and denied plaintiff Camp’s Grocery (Camp’s) cross-motion to establish coverage for a data breach incident under a first party property policy and Inland Marine endorsements.

Camp’s was sued in the underlying litigation when the computer systems at a grocery store it operated in Alabama were hacked and confidential customer data including credit card, debit card and check card information was compromised. The plaintiffs in the underlying lawsuit, three credit unions, alleged that Camp’s breach caused them to suffer damages related to their customers’ accounts, including costs to reissue credit cards, reimbursing customers for losses, lost interest and transaction fees, lost customers, diminished good will and administrative expenses. The credit unions claimed Camp’s was liable for these damages because Camp’s failed “to provide adequate computer systems and employee training and/or maintain adequate encryption and intrusion detection and prevention systems.”

While the District Court addressed coverage under two principal sections of the property policy issued by State Farm, the decision is clear in stating that Camp’s argument focused on establishing coverage under two Inland Marine endorsements. Nevertheless, the District Court still addressed whether there was coverage under the first party property and liability sections of the Policy even though Camp’s only attached copies of the Inland Marine endorsements to its complaint.

No Coverage Under the First Party Property Sections of the State Farm Policy

The District Court held there was no coverage under Section I of the Policy entitled “Property.” The insuring clause of Section I stated that State Farm would “pay for accidental direct physical loss to…Covered Property,” which included “Buildings” and “Business Personal Property.” The Policy defined “Business Personal Property” as “Property, used in your business, that you own, lease from other or rent from others, or that is loaned to you,” in addition to “Property of others that is in your care, custody or control….” However, the Policy further defined “Covered Property” to expressly not include “electronic data.” And, “Accident” was defined as not including “any defect, programming error, programming limitation, computer virus, malicious code, loss of ‘electronic data,’ loss of access, loss of use, loss of functionality or other condition within or involving ‘electronic data’ of any kind.” Given this policy language, the District Court found there was no coverage for the underlying litigation under Section I.

No Coverage Under the Liability Sections of the State Farm Policy

Likewise, the District Court held there was no coverage under Section II of the Policy entitled “Liability.” The insuring clause of Section II stated that State Farm would pay those sums “the insured becomes legally obligated to pay as damages because of ‘bodily injury,’ ‘property damage,’ or ‘personal and advertising injury’ to which this insurance applies.” The District Court also noted that Section II of the Policy contained the following provisions related to computers and electronic data:

First, the term “property damage” as used in Section II is limited to liability for harm to “tangible property,” which is defined not to include “electronic data.” And expressly excluded from liability coverage under Section II are “damages arising out of the loss of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

Based on these provisions, the District Court found the liability section of the Policy was not triggered by the allegations in the underlying litigation.

No Coverage Under the Inland Marine Endorsements

Camp’s central argument was that it was entitled to coverage under two Inland Marine endorsements attached to the Policy entitled “Inland Marine Computer Property Form” and “Inland Marine Conditions.” The Insuring Agreement for the Computer Property Form provides that State Farm will pay for physical loss to “‘computer equipment,’ used in your business operations, that you own, lease from other, or that is loaned to you” and “removable data storage media used in your business operations to store ‘electronic data.’”

State Farm asserted it was entitled to summary judgment because the Computer Property Form is a “first party insuring agreement” and, therefore, does not provide for defense or indemnity against claims brought against Camp’s by a third party related to lost or compromised electronic data. In response, Camp’s argued that even if the Computer Property Form did not contain a defense or indemnity obligation, a provision found in Section II of the Policy (Liability) provides that State Farm assumed a duty to defend and indemnify Camp’s. That is, Camp’s took the position that the Inland Marine endorsements “expand the scope of liability insurance coverage” under Section II to require State Farm to provide a defense and indemnity for claims involving computers and electronic data.

In rejecting Camp’s argument, the District Court was persuaded by State Farm’s position that the liability provision in Section II of the Policy “is triggered where the insured becomes legally obligated to pay damages because of bodily injury, property damage or personal and advertising injury.” And, while Camp’s was not claiming the underlying litigation contained any allegations of bodily injury or personal and advertising injury, Camp’s did claim the underlying litigation sought damages for property damage when the credit unions claimed damages to replace credit and debit cards. The District Court rejected Camp’s argument on the basis that Section II of the Policy defines “property damage” as being limited to “tangible property” and the Policy is careful to state “electronic data is not tangible property.” The District Court found “the Credit Unions assert that Camp’s lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss flowing from the need to issue replacement cards with new electronic data.” Further, Section II contained an exclusion for “damages arising out of the loss of, loss of use of, corruption of, inability to access, or inability to manipulate electronic data.” Given these provisions, the District Court found there was no coverage for the Credit Unions’ claims.

The District Court additionally rejected any attempt by Camp’s to “selectively read[] the Policy in a piecemeal fashion, picking and choosing parts of different coverages that would preclude or exclude their application to the Credit Unions’ claims.”

This decision further demonstrates the need for cyber insurance and how traditional insurance may not offer protection against these emerging claims. Here, despite Camp’s efforts to establish coverage under the various provisions of its property policy, the District Court ultimately found that the various coverage parts of a first party insurance policy cannot be twisted into providing cyber coverage for data breach litigation.