This is page 2 of:
The Legal Perils Of Cyber-Insurance For Retailers
The Ohio Court rejected this approach and applied something not generally used in interpreting insurance contracts—common sense. It said, “directly related to” computer crime meant “caused by,” as opposed to “indirectly caused by” or “consequential damages” or too far removed from the computer crime as to be reasonable. So the costs of replacing a credit card “stolen” electronically is directly related to the theft, but the cost of installing new routers may or may not be—depending on how directly it is related to the actual theft.
As to the argument that the records were not “stolen” because they were still there, the court noted that the policy provided coverage for loss that the insured sustained “resulting directly from” the “theft of any Insured property by Computer Fraud,” which includes the “wrongful conversion of assets under the direct or indirect control of a Computer System by means of fraudulent accessing of such Computer System.” The consumers’ payment-card numbers and other information were certainly under the control of the computer system and were “converted” by Gonzalez and his gang through their fraudulently access to the computer system.
But wait, there’s more.
NUFIC had another reason for not paying the claim. You see, the policy excluded claims resulting from “loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” Because the payment-card numbers were “proprietary” or “confidential” information, and that information was “lost,” no claim could proceed. If there were no coverage for the loss of the information itself, the insurance company argued, there would also be no coverage for the economic damages resulting from the loss of the information.
The insurance company relied on the fact that DSW treated customers’ data as confidential, that it was required to protect such data under Visa, MasterCard and PCI DSS rules, and that the chain submitted statements to the FTC asserting the statements (which included payment-card information) contained “confidential information” as proof the claim arose from the loss of confidential information and was, therefore, excluded. Catch-22.
Not so fast. The court noted that to interpret “other confidential information of any kind” as the defendant urged—to mean any information belonging to anyone who is expected to be protected from unauthorized disclosure—would swallow not only the other terms in this exclusion but also the coverage for computer fraud. Although the customers’ credit-card numbers were certainly sensitive and protected from misuse, they were not the types of trade secrets that this provision was likely intended to exclude from protection.
All of this goes to show that, even if you buy specific cyber-insurance, there is a huge difference between what you think it covers and what your insurer thinks is covered, particularly after you file a claim. Thus, all retailers should look at all of their insurance policies for language that might be used to deny claims and then figure out what is and what is not covered in advance. And insurance companies need to do a much better job explaining this stuff in clear language if they expect to be able to sell these policies in the future. Let’s not forget how Alice answered Humpty Dumpty’s claim that words mean what he says they do. “The question is,” Alice said, “whether you can make words mean so many different things.” That, my friend, is a job for a lawyer.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
