The Seventh Circuit Court of Appeals ruled on January 11, 2013 that there is no coverage under a homeowner’s policy for an employee of an accounting firm who had a CD stolen from her car. The CD contained financial information and other PII of 30,000 members of a pension fund and client of the accounting firm. The pension fund incurred more than $200,000 for credit monitoring and related mitigation expenses. It sued the accounting firm but also named the employee individually for negligently safeguarding the data. The employee tendered the claim to her homeowner insurer, Nationwide Insurance, which denied coverage on grounds that the policy excludes coverage for (i) damage to property “in the care of” the insured and (ii) a claim arising out of or related to a “business” engaged in by the insured. Applying Illinois law, the Court of Appeals affirmed the finding of no coverage based upon the two policy exclusions.
A company seeking to recover all the costs that come with loss or theft of PII such as credit monitoring, notice, etc. will “follow the money” by looking to as many insurers as possible. In this case, the pension fund also sued the accounting firm, but the employee’s coverage dispute would have been expensive. Who paid to pursue the DJ through the court of appeals? Are employers at risk to defend employees for coverage disputes arising out of work-related cyber breaches? The fact pattern in Nationwide is a common, probably daily occurrence. And a scenario employers and their insurers should consider in advance.
Click here to visit the CyBIR blog and read additional cyber articles.