Coverage for Theft of Third Party Property and Data

Joshua Gold


August 1, 2010

In an era where so much third party data is entrusted to policyholders (financial information, customer data, personal information and health records), insurance coverage against data theft is vital.  But many insurance companies will contest loss claims from policyholders after property in their possession but belonging to another party is stolen. Regardless of whether claims fall under commercial crime insurance, financial institution bonds or fidelity insurance, insurers often argue that these are "third party" or "indirect" losses and refuse to pay.

This leaves the policyholder in a difficult position. In addition to potential liability claims from the actual owners of this information, the theft of this information often causes a loss to the policyholder.

But there is good news. Many authorities have established that crime and fidelity policies do cover such theft and that insurers must live up to their coverage obligations.

In one recent case, for example, a policyholder was the victim of a computer hacker. The insurance company refused to pay the claim, but the court rejected the insurers attempts to evade payment and ruled that the policyholder was entitled to crime coverage for the theft of customer data.

Such a ruling is not only supported by the language of many crime policies (which often contain a provision indicating that they provide coverage for the theft of property not owned but in the possession of the policyholder), but also by numerous crime insurance coverage cases over the decades.

Another court case from nearly 60 years ago held that a crime insurance policy held by a hotel owner offered indemnity and liability protection for a guest's property that was stolen from the hotel safe. In fact, whether "direct" is argued to mean "proximate cause," "efficient cause," "but for" causation or "substantial cause," many courts have concluded that crime and fidelity insurance policies cover third party claims as "direct loss."

These days, however, most crime insurance is purchased to cover a lot more than just employee theft. The majority of crime insurance policies cover not only criminal or dishonest conduct of the policyholder's employees, but dishonest and criminal conduct of third parties as well.

One appellate court, for example, upheld a trial court decision that had rejected the insurance company's "indirect loss" defense related to a crime coverage claim. The court held that there was coverage for the policyholder's loss, which included liability to third party broadcasters when a third party media placement service executive absconded with money that was to pay broadcasters for advertising services.

Even a New York case that is widely relied upon by insurance companies to deny coverage under the "indirect loss" defense has ruled that a crime policy's third party coverage would be applicable where the theft involved "third party property held by the insureds." Indeed, jurisdictions around the United States in both state and federal cases have rejected strained and narrow interpretations of the so-called "direct loss" requirement.

Given all this, it appears that the recent trend is toward rejection of overly narrow insurance policy interpretations on this front - good news for policyholders given the amount of property that they routinely possess but do not own.
Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, published in 2022 by the Practising Law Institute.