The insurer for Midwestern supermarket chain Schnucks, whose systems were hacked last winter to steal 2.4 million credit card numbers, is claiming in court that the grocer's policy doesn't cover the cost of lawsuits arising from the breach.
Liberty Mutual Insurance Co. last week filed documents in a Missouri court contending that the general liability policy it issued St. Louis-based Schnucks, which does business as Schnuck Markets, was not designed to insure “suits and claims arising from the data breach” it recently experienced.
In the court filings, Boston-based Liberty Mutual argued that the policy, which covers bodily injury and property damage, doesn't make provisions for damage to electronic data.
Schnucks, which operates some 100 stores, learned that it had sustained a major breach in March after hackers raided its systems to steal 2.4 million credit and debit card numbers.The company said the unauthorized access may have continued for up to four months, from last December through March 29, which led to card numbers being compromised that belonged to shoppers at 79 of its locations.
Last Thursday, Main Justice published the documents filed by Liberty Mutual (PDF). The insurer said eight lawsuits filed by impacted Schnucks customers would not be covered by the supermarket chain's insurance policy. In addition, (non-suit) claims by four banks and a payment solutions firm that requested to be reimbursed for costs allegedly arising from the breach should also be the responsibility of Schnucks, according to court documents.
Security Bank, Stillman Bank, First Data Merchant Services Corp., Think Mutual Bank and First Federal Savings Bank sent claims letters to Schnucks seeking reimbursement or restitution for lost funds.
In the filing, Liberty Mutual argued that electronic data was not considered “tangible property,” which would fall under the umbrella of property damage insurance.
“For the purposes of this insurance, electronic data is not tangible property,” Liberty Mutual argued. “The claims described in the complaints and claims are not for physical injury to or loss of use of any tangible property, but rather for the loss of personal information. Such a loss is not for ‘property damage.'”
Jason Weinstein, a partner at New York-based Steptoe & Johnson who specializes in data privacy and security litigation, said the Schnucks case is a reminder that organizations should not only expect to be breached, but also have a good handle on what their insurance policy covers, prior to an incident happening.
"A lot of these policies were written before anyone knew what a data breach was," he told SCMagazine.com on Tuesday. "It's better to take a proactive review of your insurance coverage and confirm it's adequate before you need it."
Entertainment company Sony is engaged in an ongoing legal battle with its insurer Zurich, which has said it's not liable for customer suits stemming from Sony's 2011 PlayStation Network (PSN) breach.
Executive Editor Dan Kaplan contributed to this report.