HL Chronicle of Data Protection Privacy & Information Security News & Trends

Insurance Company Sues, Seeking Declaration of No Coverage in Data Security Matter

This entry is provided by Hogan Lovells litigation partner Michelle Kisloff, who works frequently on Privacy and Information Management matters.

Companies facing claims for failing to properly secure their customers’ data may also find themselves in litigation with their insurance carriers over whether the claims that arise from such data security incidents are covered under their existing insurance policies. As is often the case, the language of the policies matters.

Arch Insurance Company recently commenced a lawsuit in federal court in Chicago, seeking a declaration that it is not obligated to defend or indemnify Michaels Stores, Inc. for its losses in various litigation arising from the use of PIN pad terminals in its stores. A copy of the Complaint is here.

The dispute relates to the use of PIN pad terminals for payment in Michaels craft stores:

  • Michaels customers have filed complaints in a number of states, alleging that Michaels failed to safeguard PIN pad terminals in its stores, thereby allowing criminals to access the customers’ financial information and to make unauthorized withdrawals and unauthorized purchases from their bank accounts. 
  • The customers also allege that Michaels failed to provide them with prompt and adequate notice of security breaches.

In a consolidated case based in Illinois, the Michaels customer-plaintiffs seek certification of a nationwide class, comprised of “any person in the US who made in-store purchases at a Michaels store in the U.S. using a credit card or debit card that was swiped through a PIN pad at any time from December 1, 2010 to the present.” In other cases, plaintiffs allege a putative class on behalf of the purchasers located within particular states, based on the terms of the data breach statutes in those states.

Arch denies that it has any duty to defend or indemnify Michaels for its losses in those actions, and filed the lawsuit to obtain a declaration on the question. Arch issued a Commercial General Liability (“CGL”) policy to Michaels, in which it agreed to pay Michaels’ damages because of “bodily injury” or “property damage”, as those terms are defined in the policy, and to defend Michaels in litigation seeking such damages.  

According to Arch’s complaint:

  • The CGL policy excludes electronic data from the definition of tangible property, for purposes of determining whether “property damage” has been alleged. 
  • The CGL policy also excludes damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

Arch’s complaint asks the court to declare that it has no duty to defend Michaels in the PIN pad lawsuits, or to indemnify Michaels for any damages or settlement it may pay in those cases.

The Arch v. Michaels coverage litigation is not a unique dispute. Zurich American Insurance Company filed a similar declaratory judgment action against Sony last year, following revelations of the massive Sony PlayStation hacking incidents. 

With more and more companies facing data breaches and follow-on lawsuits, companies should make a careful review of their insurance coverage to ensure they have the protection they need.