Skip To The Main Content

Publications

Memos Go Back

Alabama Court Finds That Insurer Has No Duty To Defend Or Indemnify Data Breach Suit

11.29.16
(Article from Insurance Law Alert, November 2016)

For more information, please visit the Insurance Law Alert Resource Center.

An Alabama federal district court ruled that an insurance policy does not provide coverage for claims alleging that the policyholder’s negligence contributed to a data breach that caused financial loss.  Camp’s Grocery, Inc. v. State Farm Fire & Casualty Co., 2016 WL 6217161 (N.D. Ala. Oct. 25, 2016).

Hackers accessed the computer network of Camp’s Grocery Store and gained access to confidential customer data.  Three credit unions sued Camp’s, alleging that it was liable for resulting losses based on its failure to provide adequate computer training to employees and/or to maintain appropriate security systems.  Camp’s sued State Farm seeking a declaration that the insurer was obligated to defend and indemnify against the credit unions’ claims.  The court disagreed and granted State Farm’s summary judgment motion. 

Camp’s sought coverage under Inland Marine endorsements that provide coverage “for accidental and direct physical loss” to computer programs and electronic data.  The endorsements state that State Farm “may elect to defend you” against suits arising from such claims.  The court ruled that the Inland Marine endorsements did not cover data breach claims brought by a third party.  The court explained that by referencing “direct physical loss,” the endorsements unambiguously provide only first-party coverage for losses sustained by Camp’s itself.  The court further held that the phrase “may elect to defend you” gives the insurer discretion to defend but does not create a duty to defend.

The court also ruled that coverage was unavailable under the third-party coverage provision for claims arising out of bodily injury or property damage.  The court explained that the underlying claims allege economic losses and not property damage.  Rejecting Camp’s contention that alleged loss stemming from the issuance of replacement credit or debit cards satisfies the property damage requirement, the court explained:

[E]ven if credit and debit cards are tangible property . . . the Credit Unions do not assert that Camp’s acts or omissions caused physical harm or damage to any cards as tangible property.  Rather, the Credit Unions assert that Camp’s lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss . . . .  (Emphasis in original).