Hunton Retail Law Resource

As reported in the Hunton Insurance Recovery blog, a federal judge in Alabama ruled Tuesday that a grocer could not rely on its legacy business insurance policies – including an “electronic data” coverage extension – to protect against third-party claims after customer data was compromised by a point-of-sale cyber attack. The decision in Camp’s Grocery, Inc. v. State Farm Fire and Casualty Company is another reminder to retail policyholders to ensure that their cybersecurity programs include both adequate cybersecurity safeguards and appropriate first-party and third-party cyber/crime insurance coverages. Failure to maintain either may jeopardize coverage for resulting cyber losses.

In Camp’s Grocery, three credit unions sued a Piggly Wiggly franchisee after they suffered losses on their cardholders’ accounts when hackers stole card information from the grocer’s computer network. The losses included costs associated with the reissuance of cards, reimbursement of their customers for fraud losses, lost interest and transaction fees, lost customers, diminished good will and administrative expenses associated with investigating, correcting and preventing fraud. Camp’s had a business insurance package through State Farm, including property and liability coverages and an inland marine computer property form which covered, among other things, “accidental direct loss” to “electronic data,” including some types of customer data. Camp’s sought coverage under the policy’s third-party liability coverage and the inland marine form.

The court rejected Camp’s argument that the inland marine form would cover the credit unions’ suit, holding that the form only provided “first-party” coverage for loss or damage to the insured itself. In support, the court relied on the policy language (which required “direct...loss to” the insured), and the absence on the inland marine form of any explicit duty to defend or indemnify. The court also rejected Camp’s argument that the credit unions’ replacement of the physical debit cards constituted third-party “property damage” under Camp’s business liability form. The court held that the underlying suit did not allege physical harm or damage to the cards themselves, but rather compromise of “intangible electronic data” on the cards – which was not “physical damage” and also fell squarely within the “electronic data” exclusion on the third-party coverage form.