In a recent decision, the Appellate Division, Third Department held that a claim arising from the theft of credit card information was not covered under a business liability insurance policy, which contained a standard exclusion for loss of electronic data. RVST Holdings, LLC v. Main St. Am. Assur. Co., 2016 N.Y. Slip. Op. 01230, ____ A.D.3d ___ (3d Dep't, February 18, 2016.)
In RVST Holdings, the plaintiffs were operators of fast food restaurants ("the restaurants") that stored their customers' credit card information on their computer network. The network was infiltrated by unknown third parties who obtained the customers' card information and used it to make numerous fraudulent charges. The restaurants were sued for negligently failing to exercise reasonable care in safeguarding the information of the customers, which caused damages related to the reimbursement of the fraudulent charges.
The restaurants sought coverage under their business owner's insurance policy issued by Main Street America Assurance Company ("Main Street") for liability arising from the above-referenced lawsuit. Main Street denied coverage based on an exclusion in the policy for coverage for third-party claims arising out of the loss of electronic data.
The restaurants filed a separate lawsuit, seeking a declaration requiring Main Street to defend and indemnify them in the underlying action. The trial court granted summary judgment to the restaurants, declaring that Main Street was obligated to defend them in the underlying lawsuit.
Defendant appealed, and the Appellate Division, Third Department reversed and granted judgment in favor of the insurer, holding that Main Street had no duty to defend the restaurants in the underlying lawsuit. The Court noted that it was undisputed that the underlying claim arose out of the theft and misuse of electronic data stored on a computer network, which was not covered by the liability section of the policy. Specifically, the policy "clearly and unmistakably exclude[d] from coverage third-party damages flowing from stolen electronic data." The Court further rejected the restaurants' argument that Main Street owed coverage under a separate section of the policy providing coverage for "property damage," which was expressly limited to claims for "direct physical loss of or damage to" the restaurants' own property and thus was not triggered.
This decision is significant in light of the fact that claims against businesses arising from stolen data and information have become more prevalent in the last few years. New York courts, including the Third Department in RVST, have joined the majority of jurisdictions in holding that such claims generally will not be covered under standard liability policies. Business owners and their carriers should be aware of this decision and should consider whether separate or additional coverage for liability of potential loss from stolen data is appropriate.
Should you have questions regarding the information presented in this alert, please contact Anthony J. Piazza, Chair of the firm's Insurance Coverage & Regulation Practice Area, at (585) 295-4420 or apiazza@barclaydamon.com.