Here’s the glitch, however: the shoe mecca could not prove any direct losses from the data theft itself. The award was made despite the fact that the retailer had not suffered losses directly attributable to the theft. It is the theft in and of itself that is the injury, a three-judge panel of the 6th U.S. Circuit Court of Appeals found.
The insurance policy, provided by National Union, a unit of New York-based Chartis, “provided coverage for loss that the insured sustained ‘resulting from’ the ‘theft of any insured property by computer fraud’ which includes the ‘wrongful conversion of assets under the direct or indirect control of a computer system by means of fraudulent accessing of such computer system,’” noted the ruling.
The decision upholds a lower court’s ruling: “Despite defendant’s arguments to the contrary, we find that the phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself.”
Data theft is squarely on the radar screen of businesses, but the spectrum of risk remains to be fully quantified. To that end, the Cyber Risk Insurance Forum (CRIF) has been developing a security framework for companies taking out cyber insurance.
Global information assurance firm NCC Group, with Liberty International Underwriters (LIU), Zurich Insurance, CNA Europe and Oval, established the group earlier this year under the Cyber Insurance Working Group title. The founding members have now increased to include Thales, Continuity Forum, ACE Insurance and Hill & Knowlton.
“Cyber insurance doesn’t mitigate the risk of suffering a cyber attack in itself, but if combined with cyber risk best practice, it will,” said CRIF Chairman, Daljitt Barn. “Driving development of those guidelines depends on making organizations aware of the risks that they face.”