As reported in the Hunton Retail Law Resource blog, a federal judge in Alabama ruled Tuesday that a grocer could not rely on its legacy business insurance policies – including an “electronic data” coverage extension – to protect against third-party claims after customer data was compromised by a point-of-sale cyberattack. The decision in Camp’s Grocery, Inc. v. State Farm Fire and Casualty Company is yet another reminder to policyholders to ensure that their cyber security programs include both adequate cyber security safeguards and appropriate first-party and third-party cyber/crime insurance coverages. Failure to maintain either may jeopardize coverage for resulting cyber losses.

In Camp’s Grocery, three credit unions sued a Piggly Wiggly franchisee after they suffered losses on their cardholders’ accounts when hackers stole card information from the grocer’s computer network. The losses included costs associated with the reissuance of cards, reimbursement of their customers for fraud losses, lost interest and transaction fees, lost customers, diminished good will, and administrative expenses associated with investigating, correcting, and preventing fraud. Camp’s had a business insurance package through State Farm, including property and liability coverages and an inland marine computer property form which covered, among other things, “accidental direct loss” to “electronic data,” including some types of customer data. Camp’s sought coverage under the policy’s third-party liability coverage and the inland marine form.

The court rejected Camp’s argument that the inland marine form would cover the credit unions’ suit, holding that the form only provided “first-party” coverage for loss or damage to the insured itself. In support, the court relied on the policy language (which required “direct . . . loss to” the insured), and the absence in the inland marine form of any explicit duty to defend or indemnify. The court also rejected Camp’s argument that the credit unions’ replacement of the physical debit cards constituted third-party “property damage” under Camp’s business liability form. The court held that the underlying suit did not allege physical harm or damage to the cards themselves, but rather compromise of “intangible electronic data” on the cards – which was not “physical damage” and also fell squarely within the “electronic data” exclusion in the third-party coverage form.

Camp’s Grocery is another example of the gaps that can exist in traditional “legacy” coverages when it comes to cyber-type losses. The decision is also an example of the gaps in endorsements that purport to cover those losses. As we have seen through our cyber policy review and counseling program, these tacked-on forms rarely cover the range of hardware, software, data and risks needed to address policyholders’ basic cyber liabilities. Policyholders should therefore consult with knowledgeable cyber insurance coverage professionals to ensure that their insurance programs are adequately drafted and adequately tailored to protect against their particular cyber risks and exposures.