Court Sides with Insurer: Credit Card Data isn’t Lost Property
A court in Alabama threw out a suit brought by a breached grocery store chain, saying that stolen credit card data doesn’t count as “damaged property.”
Businesses interested in covering their cyber risk would do well to read the small print – or even the large print – on their policies.
That’s the lesson out of a court in Alabama, which threw out a suit by Camp’s Grocery, a franchise of the Piggly Wiggly grocery chain, which sought to recover from a costly data breach using money from an insurance policy issued by State Farm Insurance.
In a summary judgement (read: “dis”), John Ott, the Chief U.S. Magistrate Justice for the U.S. District Court in the Northern District of Alabama, concluded in an 18-page opinion issued on October 25 that State Farm had no obligation to cover the cost of the breach for Camp’s under the terms of its policy with State Farm.
Camp’s sued State Farm after it was itself sued by local credit unions that were affected by the breach of the grocery chain and issued new cards to customers whose data was lifted by cyber criminals. State Farm, it argued, was obligated to pay for damages under the terms of a business owners insurance policy that covered “property damage” sustained by the grocery chain and physical loss to computer equipment and removable data storage media.
Camp’s also attempted to argue that credit cards were the kind of physical property the insurance policy was written to cover. Credit cards, they argued, are “not only electronic data, but are (also) tangible property that can be touched and handled.”
Further, the State Farm policy, which contains language giving the insurer the right – but not the obligation – to defend Camp’s “against suits arising from claims of owners of property” compels the insurer to defend Camp’s against the credit union suits, Camp’s argued.
“Nice try” was effectively the response from the Federal magistrate. Camp’s was being too clever by half in reading the “first party” insurance it received from State Farm as pertaining to third party risk, such as the loss of credit card data.
On the credit card data, “Camp’s argument is fatally flawed,” Judge Ott wrote. “The Credit Unions do not assert that Camp’s acts or omissions caused physical harm or damage to any cards as tangible property. Rather, the Credit Unions assert that Camp’s lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss flowing from the need to issue replacement cards with new electronic data.”
It’s a painful read. And totally avoidable. Sure, cyber insurance is still a new(ish) and growing market. But one area that insurance companies have a good handle on and insure readily is data theft and loss of the kind Camp’s suffered. There are plenty of insurers and policy options out there for small and mid-sized businesses like Camp’s that wish to buy protection against exactly the kind of incidents the chain is describing. In fact, the cyber insurance industry is rapidly expanding and diversifying, with some “towered” coverage (involving multiple insurers) reaching as high as $500m for complex kinds of cyber crimes, said Chip Block of the firm Evolver.
Alas, when disaster struck, Camp’s was woefully short of a specific cyber insurance policy that would cover exactly the type of cyber incident it experienced. Caught with their pants down (metaphorically speaking), the company tried to spin straw into gold: bending the language of a standard business policy to suit its needs. Nice try… but no.