Nationwide reboots policyholder’s data loss claim
Cyber and data losses continue to raise major concerns among businesses. Beefing up security procedures and ensuring appropriate cyber insurance is in place should remain a top priority for companies in the first quarter of the new year. However, no matter how stringent one’s procedures are, the weak link continues to be the human aspect within the process. Personnel failures in following security procedures can compromise even the best protocols and security systems. More companies are learning this lesson the hard way and then discovering the gap in insurance coverage for the loss.
The latest example confirming this problem comes out of the United States Court of Appeals for the Seventh Circuit, which includes Illinois. Nationwide Insurance Co. v. Central Laborers’ Pension Fund, ___ F.3d ___, 2013 WL 135726 (7th Cir., Jan. 11, 2013). This is an influential appellate court and its decisions can be used to persuade other courts around the country, including Virginia. Jeanne Hentz was employed at an Illinois accounting firm. The firm performed auditing work for several pension funds (the “Funds”) as part of its client base. One day after work Hentz inserted a CD into her laptop with the Funds’ data on it to work from home. While at home she left the laptop, including the CD, in her car where it was stolen. The Funds spent almost $200,000 in credit monitoring and insurance expenses to protect themselves from criminal use of the stolen data. They then sued Hentz in state court to recover these expenses.
Hentz had a homeowner’s policy with Nationwide Insurance. She tendered the state lawsuit to her insurer to provide a defense and ultimately indemnify her in the case. Nationwide believed it did not owe coverage, so it filed a federal declaratory judgment action against its policyholder and the Funds to deny coverage. “Nationwide argued that Hentz’s claim was not covered because the Policy does not cover ‘property damage’ to property rented to, occupied or used by or in the care of the ‘insured.’ Nationwide also relied upon language in the Policy stating that it does not cover ‘property damage’ arising out of or in connection with a ‘business’ conducted from an ‘insured location’ or engaged in by an ‘insured’, whether or not the ‘business’ is owned or operated by an ‘insured’ or employs an ‘insured.’” The trial court granted Nationwide summary judgment on the first argument and the Funds appealed.
The Court easily agreed with the trial court as to the first argument. In Illinois the “in care of” exclusion “applies only if two elements are met: the property lost or stolen was (1) within the exclusive possessory control of the insured at the time of the loss; and (2) a necessary element of the work performed by the insured.” The Court found the fact that the laptop was in Hentz’s automobile made the data within her exclusive control, and that the CD was a necessary part of her work as a CPA. Courts in Virginia would likely look favorably on this argument.
The appellate court, however, went further than the trial court by also addressing the second reason asserted by Nationwide to deny coverage – the business exclusion. This exclusion does not cover property damage arising out of or in connection with the operation of a business engaged in by the insured. Hentz’s employer was clearly engaged in an accounting business and it employed the insured. The underlying state lawsuit alleged that Hentz, as part of the business, had a duty to safeguard the confidential information of the clients, including the Funds, as part of being an accountant. The loss of the CD was alleged in the state lawsuit to constitute a breach of that duty. Thus, the “business exclusion” applied. This is a classic example of a plaintiff, in this case the Funds in the state lawsuit, pleading an insured out of coverage. It is important to remember that many states follow the “Eight Corners” rule in analyzing coverage for a lawsuit. The Court compares the allegations within the four corners of the complaint to the terms within the four corners of the insurance policy; if the allegations in the lawsuit are not covered then the policyholder does not get a defense. This is true even when the policyholder knows the allegations in the complaint are not factually correct.
Hentz and the Funds lost the argument for coverage in this instance where a standard homeowner’s policy failed to cover the data loss at issue. The Court’s opinion notes that the Funds were also pursuing a claim directly against the accounting firm, and the question is: Did that firm possess the correct cyber insurance to cover the loss? This case not only provides guidance for filling in an important gap in coverage where employees take work home with them, but highlights the weakness in any company’s data protection policies. Laptop usage, thumb or external drives, personal email accounts and open Wi-Fi usage by employees all compromise the best security procedures. It is just human nature that employees are going to access your network and data to work in the easiest manner possible. While it may be impossible to fully secure your data due to human actions, the next best procedure is to ensure your business has the appropriate cyber insurance to backstop the loss. While the Funds spent $200,000 in this instance, there are many more examples where the cost is much higher. Some cyber-insurance policies exclude coverage when the lost data was unencrypted. In short, policyholders are encouraged to review their insurance programs to verify that they possess the appropriate types of coverage to protect against cyber and data losses.
Collin Hite is the practice leader of the Insurance Recovery team in Hirschler Fleischer’s Richmond office. He handles insurance recovery and coverage litigation nationally in the areas of business interruption, cyber/data breaches, construction, business torts, products liability, directors’ and officers’ liability, employee dishonesty, intellectual property, environmental and bad faith matters. For more information, please contact Collin at 804-771-9595 or [email protected].