Several days ago, we obtained for a client an insurance recovery when the United States Court of Appeals for the Sixth Circuit rejected AIG’s denial of insurance coverage for the losses that resulted when the policyholder suffered a data breach at the hands of a computer hacker.
The Sixth Circuit’s decision underscores two important insurance coverage points: (1) policyholders should resist the routine insurance company claims handling tactic of applying an unduly narrow interpretation of the “direct loss” clause to crime insurance and fidelity bond insurance claims; and (2) when a loss occurs, policyholders are well advised to consider whether more than one policy covers their losses.
With regard to the “direct loss” defense to coverage, a number of federal courts, including the Second, Third and Sixth Circuit Courts of Appeals, have now rejected unduly narrow insurance company arguments about the scope of insurance coverage available under the “direct loss” insuring clause for crime/fidelity losses. Several state courts have also rejected insurance company arguments over the direct loss clause (especially in the context of claims against the policyholder from customers and other third parties who have entrusted or transferred to the policyholder property or information that is later stolen). Since the “direct loss” argument is a recurring defense that insurance companies raise at claims time, the Sixth Circuit’s recent ruling is of particular importance to those in the financial industry that are mandated to purchase fidelity and financial institution bond coverage.
As for the issue of claims that implicate two or more insurance policy types, policyholders should make sure that they provide prompt notice to all potentially relevant insurance companies. In the context of the Sixth Circuit case referenced here, the policyholder received defense cost coverage from its general liability insurance company for certain class actions that were filed as a consequence of the data breach. In addition, the policyholder was able to recover for other losses suffered as a result of the data breach, which led to, among other things, fraudulent credit card charges, credit monitoring expenses, and costs for re-establishing checking accounts.
As such, prudent risk management mandates that policyholders have a clear inventory of their insurance assets and take proactive steps to preserve their coverage rights under all potentially applicable insurance policies when claims surface.