New York Restaurant’s Data Breach Not Covered Under Their Business Owners Policy

Restaurants are prime targets for hackers. Restaurants gather customer credit card information on a daily basis and are responsible for storing and protecting that information. All restaurant owners should have insurance policies that not only cover their physical property damage and business interruption in case of property damage, but data breaches as well. Data breaches, as explained in my earlier blog, are usually not considered “tangible property” and are therefore not covered under most basic property insurance policies.

In RSVT Holdings, LLC v. Main Street America Assurance Company,¹ a fast food restaurant owner brought an action against their Business Owners Policy insurer, stating the insurer had a duty to defend and indemnify them in an action arising from owner’s negligent handling of electronic credit card data.

Plaintiff’s network was hacked by an unknown third party who unlawfully obtained the customers’ card information and then used that information to make numerous fraudulent charges. A non-party, Trustco Bank, filed suit against Plaintiffs alleging they failed to exercise reasonable care in safeguarding the information of their cardholders, which caused Trustco to sustain damages related to its reimbursement of the fraudulent charges. Plaintiffs then sought coverage under their business owners insurance policy issued by Defendant.

In its reversal of the trial court’s ruling, the Third Department stated that the insured’s attempt to couch this as a property damage claim was unavailing:

“In light of this unambiguous language, we agree with defendant that Trustco’s claim for damages arising out of plaintiffs’ negligent handling of electronic data is not a claim for “property damage” under the policy and is excluded from coverage. Accordingly, defendant has no duty to defend plaintiffs against Trustco.”

The court went on to say, “the coverage provided under that section is expressly limited to plaintiffs’ claims for “direct physical loss of or damage to” plaintiffs’ own property. This policy, as in many business owner’s policies, included a provision that stated, “[f]or purposes of this insurance, electronic data is not tangible property,” which would exclude coverage under any property damage portion of the policy.

The issue as to whether data is considered tangible or intangible has not been definitively decided by all New York courts regarding all versions of “data”. The New York Court of Appeals decision in People v. Kent,² sheds some light on this issue. In Kent, the defendant was charged with procuring and possessing child pornography on his computer. The evidence showed that some of the images and videos had been downloaded onto the defendant’s computer. The court upheld the defendant’s conviction relating to these items because “[the] defendant downloaded and/or saved the video and the images, thereby committing them to the allocated space of his computer.” The court also observed that a “hard drive” is “tangible”, and described the “tangibility of [a computer] image” as “its permanent placement on [a] hard drive and [the] ability to access it later.”

The Kent decision supports the notion that a “tangible reproduction or representation” of source code is made when it is saved to a physical medium, such as a hard drive.

I’m proud to say that Merlin Law Group is now a member of the New York State Restaurant Association and we look forward to working with its members and educating them on the necessities of their property and cyber insurance policies.

I leave you with a quote from former Governor of Maryland, Bob Ehrlich: “I don’t know what leadership is. You can’t touch it. You can’t feel it. It’s not tangible. But I do know this: you recognize it when you see it.”
____________
¹ RSVT Holdings, LLC, et al. v. Main Street America Assurance Co., 136 A.D.3d 1196 (N.Y. App. 3rd Dept 2016).
² People v. Kent, 19 N.Y.3d 290 (2012).