Business Owner’s Policy Does Not Cover Data Breach Losses, Says New York Appellate Court
03.28.16
This is only gets display when printing
(Article from Insurance Law Alert, March 2016)
For more information, please visit the Insurance Law Alert Resource Center.
A New York appellate court ruled that a business owner’s policy does not provide coverage for third-party damages stemming from a data breach. RVST Holdings, LLC v. Main St. Am. Assurance Co., 2016 WL 634611 (N.Y. App. Div. 3d Dep’t Feb. 18, 2016).
Restaurant operators stored customers’ credit card information on their computer network. The network was hacked and the credit card information was used to make numerous fraudulent charges. Thereafter, a bank sued the restaurant operators, alleging that they negligently failed to exercise reasonable care in safeguarding the information. When the restaurant operators sought coverage under their business owner’s policy, the insurer refused to defend or indemnify, arguing that the policy excluded coverage for third-party claims arising out of the loss of electronic data. In ensuing litigation, a New York trial court ruled in favor of the restaurant operators. The appellate court reversed.
The policy provided coverage for sums the policyholder is legally obligated to pay because of “property damage,” defined as “[p]hysical injury to tangible property . . . or . . . [l]oss of use of tangible property that is not physically injured.” However, the policy further stated that “electronic data is not tangible property” and expressly excluded “[d]amages arising out of the loss of . . . electronic data.” The court held that in light of this unambiguous language, the alleged negligent handling of electronic data is not a claim for “property damage,” and is, in any event, excluded from coverage. The court rejected the assertion that coverage was provided by a separate policy provision that provided coverage for “direct physical loss of or damage to” the policyholder’s own property. Although that provision did not exclude electronic data, the court reasoned that it was inapplicable to the third-party claims because it related to first-party coverage.