Another US decision addressing coverage for cyber-liability under the CGL policy:

While there continues to be a dearth of caselaw in Canada, following cases such as Recall Total Information Management Inc. et al. v. Federal Insurance Company et al, and Zurich American Insurance Co. v. Sony Corporation of America, another decision has been handed down by a US court this year in relation to cyber-related losses where the insured sought coverage under a Commercial General Liability policy.

In RVST Holdings LLC v Main St. Am. Assur. Co. (New York Court of Appeals), the plaintiff fast-food restaurant chain had suffered a hacking event by unknown individuals who unlawfully obtained customers’ information and used that to make numerous fraudulent credit card charges. Trust Co. Bank subsequently commenced an action against the plaintiff alleging (relevant here) that it negligently failed to exercise reasonable care in safeguarding its customers’ credit card information. The plaintiff sought coverage under its CGL policy with the defendant, who declined coverage on the basis of an exclusion for third party claims arising from loss of electronic data.

The plaintiff then commenced an action seeking (among other things) a declaration that the defendant had a duty to defend it in the action by Trust Co. Bank. The defendant insurer moved for summary judgment to dismiss the action, but the motion failed at first instance (NY Supreme Court). The insurer appealed.

In finding for the insurer on appeal, the court noted that both parties agreed the underlying action was based upon “losses due to the theft and subsequent misuse of electronic accounting data and/or electronic vandalism at certain [of the plaintiff’s restaurant] locations.” Secondly, there was no dispute that the card holder information at issue came within the definition of “electronic data” as per the policy, and the only remaining question was whether the policy excluded from coverage third party damages from stolen electronic data.

Like the test in Canada, the court noted the duty to defend is broad and will be found so long as there are claims within the action that may fall within coverage if assumed true. However, there is no duty to defend when the insurer can demonstrate that the allegations in the underlying complaint fall solely or entirely within a policy exclusion.

Here, the appeal court found that an exclusion applied. In particular, the liability section provided coverage for all amounts the plaintiff becomes legally obligated to pay because of “property damage”. It noted that the definition of property damage specifically excludes damages arising out of the loss of electronic data. The court held that in light of that unambiguous language, the underlying claim arose out of the plaintiff’s negligent handling of electronic data and could not be a claim for “property damage” under the policy.

The judgment records the property damage definition, which, like the IBC 2005 model wording in effect in Canada, defines property damage as including: “Physical injury to tangible property … or … Loss of use of tangible property that is not physically injured. … [however] For the purposes of this insurance, electronic data is not tangible property.”

The appellate court also noted that the plaintiffs had attempted to avoid that result by arguing there was a duty to defend under the property damage section of their policy. However, it observed that this coverage was for first-party, and not third-party, claims. Thus there was no coverage, and no duty to defend.

Unlike Recall Total, there was no physical property which could be said to be part of the claim, and the Appeal decision is hardly a surprising one. However, insurers will have taken note of the fact that it took an unsuccessful Summary Judgment motion and appeal to achieve this result (with the defence costs that accompany this) despite the growing body of caselaw which ought to be settling the issue of coverage for data breach from hacking claims under the standard CGL policy wording.
