N.Y. Appellate Division Upholds Insurance Policy Exclusion for “Five Guys” Data Breach

Today, the New York State Supreme Court, Appellate Division, Third Department issued a decision enforcing an insurer’s exclusion of coverage for “damages arising out of the loss of . . . electronic data,” stemming from a 2011 credit card data breach at certain locations of the Five Guys Burgers & Fries restaurant chain. The decision should prompt businesses, especially healthcare providers, to review their own insurance policies to understand whether cyber security risks are covered.

In this case, styled RVST Holdings, LLC v. Main Street America Assurance Company, The plaintiffs were a group of Upstate New York Five Guys franchisees.  In late 2011, payment systems at a number of Five Guys locations were apparently compromised.  Several months later, Schenectady-based Trustco Bank filed a lawsuit against RVST, alleging that the debit card data of its account holders was illegally accessed in the Five Guys breach and that the information was used to rack up over $90,000 in fraudulent charges.  Trustco reimbursed its customers for the charges.

RVST sought coverage from its insurer, Main Street, and filed a separate declaratory action when the insurer disclaimed a duty to defend based upon an exclusion in RVST’s policy.  In 2014, A State of New York Supreme Court justice denied Main Street’s motion for summary judgment, and Main Street filed the appeal that resulted in today’s decision.

The Appellate Division reversed in a short opinion, finding that RVST’s liability policy with Main Street contained an exclusion for “damages arising out of the loss of . . . electronic data,” which definitively excused Main Street’s duty to defend RVST.  The Appellate Division also rejected RVST’s claim that a separate “property damage” section of policy required Main Street to provide coverage.  The Court reasoned that the “property damage” coverage only provided “first-party coverage for direct damage to [RVST’s] property, a claim not made by [RVST] here,” and would not apply to Trustco’s “third party” claim.

Today’s decision is a timely reminder to all businesses to carefully review their own policies to ensure adequate coverage from potential liability caused by data breaches.  Given the growing number of reported breaches (and resulting litigation and enforcement), and the tendency of courts to enforce various insurance exclusions under the principle of “freedom to contract”, it is imperative that  business owners understand where coverage gaps may exist for data breaches and cyber security incidents.  This is also especially true for healthcare providers, due to the growing use and transmission of electronic health records and robust regulatory oversight.

For further information about HIPAA and cyber security, please contact Kurt E. Bratten.

Kurt Bratten is a Shareholder of the firm. He represents companies in the healthcare industry and other sectors regarding HIPAA and cyber security matters, including how to prevent and respond to security breaches and incidents under various state and federal laws. He has experience investigating and responding to complex and technologically advanced security breaches. Kurt frequently speaks to trade groups and professional associations regarding HIPAA, breach response and cyber security.