On October 25, in the case of Camp’s Grocery, Inc. v. State Farm Fire & Casualty Company, the District Court for the Northern District of Alabama granted summary judgment in favor of State Farm Fire and Casualty Company (“State Farm”), concluding that State Farm did not have to defend or indemnify its policyholder, Camp’s Grocery Inc. (“Camp’s”) in an underlying lawsuit brought by credit unions following a breach of Camp’s computer network.  Camp’s Grocery illustrates the importance of carefully evaluating an insurance policy terms and conditions and having a complete understanding as to which losses are covered and which are not.  Additionally, this case highlights the different entities (here, credit unions) that may sue a policyholder after a data breach.

In August 2015, three credit unions sued Camp’s in an Alabama circuit court alleging that a hack of Camp’s computer network compromised customers’ confidential data, such as credit card, debit card, and check card information.  The credit unions argued they suffered losses as a result of the breach.  For example, the credit unions had to reissue cards to customer and reimburse customers for fraud losses.  Among other things, the credit unions also incurred administrative expenses associated with investigating, correcting and preventing fraud.

State Farm had issued a business owners insurance policy to Camp’s.  This policy covered damages because of “bodily injury, “property damage,” or “personal and advertising injury.”  However, “property damage” was limited to harm to “tangible property.” And “tangible property” was defined not to include “electronic data.”  The policy also expressly excluded “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

The State Farm policy also included two endorsements: (1) Inland Marine Conditions (“IMC”), and (2) Inland Marine Computer Property Form (“IMCPF).  The IMCPF specifically covered accidental direct physical loss to computer equipment and removable data storage media used in Camp’s business.

In February 2016, Camp’s sued State Farm in an Alabama federal district court seeking a declaration that State Farm had a duty to defend and indemnify Camp’s in the credit unions’ lawsuit.  Both Camp’s and State Farm filed motions for summary judgment.  State Farm argued that coverage was not available under the policy because the Credit Unions’ claims in the underlying suit did not allege “bodily injury”, “property damage,” or “personal and advertising injury” as defined in the policy.  It also argued that, to the extent, Camp’s was relying on IMCPF for coverage, the endorsement was a “first party” insuring agreement, not a “third party” insuring agreement.  As a result, the endorsement only covered losses sustained directly by Camp’s, not claims brought by third parties.

Camp’s relied primarily on the two endorsements to argue that State Farm was obligated to provide defense and indemnity. It argued that State Farm assumed a duty to defend the underlying lawsuit based on a provision in the IMC which stated that State Farm “may elect to defend” Camp’s at State Farm’s expense, “against suits arising from claims of owners of property.” According to Camp’s, the phrase “may elect to defend” was ambiguous.

The district court agreed with State Farm. The court explained that IMCPF covered “accidental direct physical loss.” This phrase unambiguously afforded first-party coverage.  It did not impose a duty to defend or indemnify Camp’s against claims for harm allegedly suffered by third parties.  The court also explained that coverage was not otherwise available under the policy because the underlying suit was brought by plaintiffs alleging purely economic loss (not “bodily injury” or “personal and advertising injury”).  The court also rejected Camp’s argument that the phrase “may elect to defend” obligated State Farm to defend Camp’s in the underlying suit.  The court concluded that on its face this phrase unambiguously vested discretion in the insurance carrier.  As a result, the carrier had the option to defend Camp’s but it did not have a duty to do so.

Camp’s had also argued that physical debit cards were “tangible property” that could be “touched and handled,” and as a result, the credit unions’ loss in connection with replacing these cards was covered “property damage” under the State Farm policy.  Again, the court disagreed, explaining that (1) the credit unions’ claims were based on the compromised intangible electronic data contained on the cards that rendered the cards unusable, and (2) the policy specifically excluded damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

For years courts have grappled with and have been split on the issue of whether cyber-related losses constitute harm to tangible property; the court in this case came down on the side of a data breach not constituting harm to tangible property.  This case also emphasizes the importance of policy wording (particularly exclusions concerning electronic data) and, as mentioned above, it highlights the different entities that may sue policyholders following a data breach.