A data breach at American grocery store Schnucks between December 2012 and March 2013 exposed an estimated 2.4 million credit and debit cards. This widespread breach resulted in an estimated $80m loss and sparked state and federal consumer lawsuits against the grocer, as well as another suit by the grocer’s insurer.
Following the initial news of the mass data breach, Schnucks sought coverage for the breach under both their commercial general liability and cyber policies in May 2013.
However, in August their excess CGL carrier filed a suit in the US courts to pre-empt coverage under the CGL form. Schnucks’ CGL carrier stated that the claim is a pure financial loss and is therefore precluded from cover for a variety of reasons which include cover only being provided for bodily injury or tangible property damage, the fact that data is not considered tangible property under the policy, and that there exists an exclusion for contractual liability.
This case should serve as a warning that insurance companies are increasingly pursuing legal action to avoid paying for losses linked to data breaches of this nature when filed under CGL policies.
Conversely, last week Schnucks’ specialist cyber insurer also filed a similar suit as the CGL carrier, but for very different reasons, which included late notification as the claim was reported more than 90 days after the discovery of the breach and no prior consent obtained before incurring costs.
As this case demonstrates, data loss can give rise to very large losses. CGL forms rarely explicitly cover the costs and even claiming on cyber insurance policies can be difficult if the insured is unaware of the conditions of the policy and how they operate.