New York Appellate Court Finds “Electronic Data” Exclusion Applies to Data Breach
The computer network of a Five Guys Burger franchise, RVST Holdings, LLC (RVST), was hacked. Customers’ credit card information was stolen and used to make numerous fraudulent charges. Trustco Bank brought an action against RVST, alleging it was negligent in securing Trustco cardholders’ information, causing Trustco to sustain damages related to reimbursing its cardholders for the fraudulent charges.
RVST sought coverage for the Trustco claim from its insurer, Main Street America Assurance Company (Main Street) under a business owner’s insurance policy. Main Street declined coverage.
RVST then brought an action against Main Street in a New York state trial court. Main Street moved for summary judgment, citing, among other things, the policy’s exclusion for "damages arising out of the loss of … electronic data." The state court judge denied the motion, and Main Street appealed.
In RVST Holdings, LLC v. Main Street America Assurance Co., New York’s appellate division reversed, with orders to enter summary judgment in Main Street’s favor. Notably, the appellate division’s opinion makes evident that the claim was submitted for coverage under the policy’s liability coverage for "sums that [the insured] becomes legally obligated to pay as damages because of … ‘property damage’."
The court held there was no liability coverage for "property damage" (and thus no duty to defend) for two reasons: (1) the definition of "property damage" included the following explicit caveat: "for the purposes of this insurance, electronic data is not tangible property"; and (2) the policy’s "electronic data" exclusion unambiguously applied to the subject data breach, which the court held plainly constituted "damages arising out of the loss of … electronic data." The court also rejected the insured’s contention that because the first-party property coverage did not contain the same exclusion, coverage should somehow obtain. The court was dismissive, noting the first-party property coverage was inapplicable to a third-party claim.
This case may mark the beginning of the end of coverage battles for cyber-risks under traditional, non-cyber policies, which now typically include exclusionary language similar to that relied on by the New York Appellate Division. Thus, questions of whether a data breach might constitute a privacy invasion that constitutes a "personal or advertising injury" or if non-functioning hardware or software might constitute "property damage," will now largely become academic (perhaps until some theory of long-tail delayed trigger brings older pre-exclusion occurrence policies back into play). The decision also counsels policyholders to ensure they carefully review their coverage and fill any possible gaps for ever-evolving cyber risk.
©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.