Fluke DSW Win Shouldn't Erase Breach Insurance Needs

A recent $6.8 million lawsuit win by DSW Shoe Warehouse against its insurance company for 2005 data breach losses claimed against its blanket crime policy may have some enterprise risk managers wondering about the necessity of a data-breach liability policy. But legal and insurance experts warn enterprises not to be so hasty in drawing conclusions from the case.

[Using SQL injection to attack PDFs. See Serving Up Malicious PDFs Through SQL Injection.]

They say the way insurance companies have changed language in general policies to exclude breaches over the last few years, combined with the individualistic nature of insurance coverage, will likely contribute to this case being more of a fluke than a precedence-setter.

"I wouldn't bet on it happening again if it was my data," says Josh Glazov, principal in the litigation and dispute resolution practice group at Chicago law firm Much Shelist. "If you're expecting your traditional insurance to cover the security of your data, you're exposing yourself to a dramatic risk."

Adjudicated in the 6th U.S. Circuit Court of Appeals, the case dealt with a breach that exposed 1.4 million credit cards DSW Shoe Warehouse was entrusted to protect. A three-judge panel upheld a previous ruling supporting DSW in its claim to make National Union, a division of Chartis, pay expenses related to the event. Glazov says that DSW likely won based on "archaic" language in the sections of the crime policy having to do with employee involvement in computer theft. Regardless, the whole case should be seen as the exception rather than the rule.

"It may be a great case for you if you're in federal court, if you're in Ohio and i f you have a policy that was identical to DSW," he says. "The odds of that? They're really, really slim."

According to Glazov, if they haven't already closely scrutinized their general liability and crime policies with regard to breaches, they likely will in light of this judgment. But chances are that they've probably closed all the loopholes already, says Albert E. Lietzau V, cyberliability insurance specialist for Cyber Risk Solutions.

"Often, general liability policies will have a flat-out exclusion that says 'We will not cover any sort of cyber-liability information loss,'" he says. "So if a customer or client wants to make sure they're fully protected, they shouldn't rely on just a general liability or crime policy"

He believes that companies who'd take this ruling as a green-light to save on specific cyber risk and breach insurance would be "pushing their luck," because even if their policies still offered some gray area around breach events, the likelihood is extremely high that the insurance company would fight the claim.

Courtroom duels are risky propositions. And with it being a near lock that the insurer would send the battle through the courts in the event that the insured try to make a breach claim on a general policy, that kind of defeats the purpose of insurance, says Christine Marciano, president of Cyber Data Risk Managers, an insurance agency specializing in cyber liability risk.

"While in DSW's case they were able to get their claim paid, insurance claims cannot be left up to the courts if it's the insured's true intention to have coverage for a cyber attack or a data breach," she says.

As more enterprises contemplate how to manage the risk of database and data security, particularly given the gap left by exclusions in their general liability policies, Glazov says they should at least consider shopping for data security insurance and compare the premiums and coverage against the substantial potential costs should the worst occur.

While breach coverage has occupied the wild west fringes of technology insurance in the past with regard to widely varying coverage limits and exclusions, Glazov believes that these cyber policies have matured considerably over the past few years. And he says that enterprises may stumble into upsides beyond monetary payouts when databases are breached. One example: the notification services insurers frequently offer as a value-add for these policies. It's akin to car insurers covering the cost of rental cars when their insureds wreck their cars, he says.

"So you're not scrambling around finding the right service providers to help you send out those notices," he says. "There is less crises management to be done and you can focus on your principal business."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.