Trailblazing Anderson Kill & Olick PC attorneys had to overcome an almost complete lack of case law and a determined opponent to gain their recent win over an AIG unit that had refused to cover a unit of shoe retailer DSW Inc. in a 2005 hacker attack.
Joshua Gold, a shareholder in Anderson Kill's New York office who led the DSW team, said there have been so few cases in which a company has sought coverage for a data theft by hackers, he and his fellow attorneys had to craft arguments from scratch.
"I’m not aware of any other reported decision that addresses insurance coverage for a hacking event and the losses that flow from that event under any kind of similar circumstances," he said. "It’s novel, but in another way, it’s sort of bringing both the law and the industry into the modern age."
The Sixth Circuit in August upheld an Ohio district court’s 2010 opinion that found DSW unit Retail Ventures Inc. was covered under the computer fraud rider of its blanket crime policy with AIG unit National Union Fire Insurance Co. of Pittsburgh, Pa., and awarded it $6.8 million in stipulated losses and prejudgment interest.
After the shoe company was hit in 2005 by notorious hacker Albert Gonzalez, who stole the debit and credit card numbers of about 1.4 million clients by sneaking into a database from an unsecure website, it became the target of government investigations and lawsuits, and sought coverage from the insurer, according to court documents.
Gold said the company bought the policy in 2004, before data hacking was as common as it is now, but credited its risk manager with the foresight to prepare for a hacking event.
"She was able to make a case that it was always her intention to guard against this risk," Gold said. "So when we tried to match up the insurance company’s denial with what the plain language of the policy provided for, which was unauthorized computer access, it was clear to us that this was the type of insurance coverage that was intended to be sold and delivered in the event in this type of claim."
Gold said with that underpinning established, the team went to work dismantling AIG’s arguments that DSW’s claim was excluded under its policy.
"When we looked at the exclusion that AIG was relying upon, it looked to us to be so unduly broad in the way they interpreted it, that essentially, if you were to take their interpretation at face value, it would gut any meaningful coverage at all," he said.
Gold said the team took heart when it saw the insurance company’s briefing, in which it attempted to explain the exclusion.
"The exclusion was made up of maybe a dozen words, and their interpretation was about 45 words long," he said. "In other words, if this language was so clearly in their favor, I didn’t understand why they needed to translate it for the court from 12 words to 45 words. At that point I thought their position was unworkable."
AIG took two main approaches in defending its denial of coverage. It said the policy only covered losses "resulting directly from" theft by computer fraud, and it requires that theft to be the "sole and immediate cause of the insured's loss." This "direct-means-direct" approach would cover only DSW's own loss from employee misconduct and nothing due to third parties.
Gold, who argued that a more liberal proximate cause standard was applicable, said there is an ongoing argument in insurance circles about whether policyholders need to meet the heightened causation standard, which AIG was advocating, to determine if a direct loss is covered under a crime policy.
DSW was able to cite three Ohio cases to the Circuit Court that backed up its position, although they weren’t directly related to computer data hacking. But that helped convince the appeals panel, because AIG was unable to cite any cases that resulted in different opinions, Gold said.
AIG had also argued the policy didn’t apply to the loss or "proprietary information, trade secrets, confidential processing methods or other confidential information of any kind." Fending off that argument was more difficult because there was no prior case law to go to for guidance.
"That took probably the lion’s share of the work to analyze that exclusion and demonstrate in a real common sense and practical application why that exclusion could not mean what AIG argued it meant," Gold said.
He said although policies can be interpreted different ways, AIG’s overly broad arguments against coverage would have led to a strained interpretation, or at least one no more reasonable than DSW’s.
Another factor DSW’s team had to overcome was simply how long the case took to wind through the system. The case was filed in district court in 2006, and the motions for summary judgment were filed in 2007.
"We had completed discovery, moved for summary judgment and then the judge got busy," he said. "So it was some time before we heard back from the judge."
In the meantime, there were multiple rounds of supplemental briefing.
"We probably felt like we had a moving target because we had fresh arguments that the other side had raised," Gold said. "It was challenging in that we thought we were basically done with the summary judgment briefing and then new arguments popped up in terms of the coverage case ... and we ended up having to brief those probably in way that was a little hectic and unplanned for."
He said the team hadn’t taken those arguments fully into account during discovery because they had never really been cited.
"We also were dealing with a very competent attorney for the other side and an insurance company that was willing to fight all way way up to the court of appeals," he said. "The whole thing required perseverance."
But the outcome is likely to have a lasting effect, Gold said.
"I think the natural tendency is for not only courts but parties to look back and try to find guidance where they can, and given the fact that there isn’t much out there, and this is the first reported case on computer crime insurance for a computer hacking incident, I suspect you’re going to have cases that will cite to this case and parties that will cite to this case and they’ll use it where they can," he said.
Retail Ventures and DSW are represented by Joshua Gold of Anderson Kill & Olick PC and James E. Arnold and Gerhardt A. Gosnell II of James E. Arnold & Associates.
National Union Fire Insurance is represented by Steven G. Janik, Thomas D. Lambros and Crystal Lynn Maluchnik of Janik LLP.
The case is Retail Ventures Inc. et al. v. National Union Fire Insurance, case number 10-4576, in the U.S. Court of Appeals for the Sixth Circuit.