Retail Ventures, Inc. v. National Union Fire Insurance

RECOMMENDED FOR FULL-TEXT PUBLICATION Pursuant to Sixth Circuit Rule 206 File Name: 12a0279p.06 UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT _________________ X - RETAIL VENTURES, INC.; DSW INC.; DSW Plaintiffs-Appellees/Cross-Appellants, -- SHOE WAREHOUSE, INC., - Nos. 10-4576/4608 , > - v. NATIONAL UNION FIRE INSURANCE COMPANY - - - OF PITTSBURGH, PA., Defendant-Appellant/Cross-Appellee. N Appeal from the United States District Court for the Southern District of Ohio at Columbus. No. 2:06-cv-443—Michael H. Watson, District Judge. Argued: July 17, 2012 Decided and Filed: August 23, 2012 Before: GUY, and CLAY, Circuit Judges; HOOD, District Judge.* _________________ COUNSEL ARGUED: Steven G. Janik, JANIK L.L.P., Cleveland, Ohio, for Appellant/Cross- Appellee. James E. Arnold, JAMES E. ARNOLD & ASSOCIATES, LPA, Columbus, Ohio, for Appellees/Cross-Appellants. ON BRIEF: Steven G. Janik, Thomas D. Lambros, Crystal L. Maluchnik, JANIK L.L.P., Cleveland, Ohio, for Appellant/Cross- Appellee. James E. Arnold, Gerhardt A. Gosnell II, JAMES E. ARNOLD & ASSOCIATES, LPA, Columbus, Ohio, Joshua Gold, ANDERSON KILL & OLICK, P.C., New York, New York, for Appellees/Cross-Appellants. * The Honorable Denise Page Hood, United States District Judge for the Eastern District of Michigan, sitting by designation. 1 Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 2 _________________ OPINION _________________ RALPH B. GUY, JR., Circuit Judge. Defendant National Union Fire Insurance Company of Pittsburgh, PA, a subsidiary of AIG, Inc., appeals from the final judgment entered in favor of plaintiffs Retail Ventures, Inc., DSW Inc., and DSW Shoe Warehouse, Inc., for more than $6.8 million in stipulated losses and prejudgment interest. Plaintiffs prevailed on cross-motions for summary judgment with respect to the claim for coverage under a computer fraud rider to a “Blanket Crime Policy” for losses resulting from a computer hacking scheme that compromised customer credit card and checking account information. Defendant claims the district court erred: (1) in finding that plaintiffs suffered a loss “resulting directly from” the “theft of any Insured property by Computer Fraud”; and (2) in rejecting application of the exclusion of “any loss of proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind.” Plaintiffs’ cross-appeal challenges the district court’s rejection of the tort claim for breach of the duty of good faith and fair dealing. After review of the record and consideration of the arguments presented on appeal, the judgment of the district court is affirmed. I. The circumstances surrounding the hacking incident are not at issue on appeal, although it is now known that it was part of a larger scheme led by convicted computer hacker Albert Gonzalez. Briefly, between February 1 and February 14, 2005, hackers used the local wireless network at one DSW store to make unauthorized access to plaintiffs’ main computer system and download credit card and checking account information pertaining to more than 1.4 million customers of 108 stores.1 Fraudulent transactions followed using the stolen customer payment information, to which plaintiffs 1 Information from the magnetic stripe on the back of customer credit cards and customer bank account and driver’s license information was received and stored electronically on plaintiffs’ computer system. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 3 were first alerted by one of the affected credit card companies on March 2, 2005. Plaintiffs launched an investigation that quickly revealed the data breach; National Union was notified of the insurance claim at issue; and, in April 2005, National Union, through its affiliate AIG Technical Services, Inc., advised plaintiffs that an investigation would be carried out “under a full reservation of all rights and defenses at law, in equity, and under the terms and conditions of the bond.” In the wake of the data breach, plaintiffs incurred expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven state Attorney Generals and the Federal Trade Commission (FTC). The FTC’s inquiry was resolved administratively with a consent decree requiring, inter alia, that plaintiffs establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In the Matter of DSW, Inc., No. C-4157, 2006 WL 752215 (FTC Mar. 7, 2006). The largest share of the losses—more than $4 million—arose from the compromised credit card information: namely, costs associated with charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard. That amount was determined by the settlement of plaintiffs’ contractual obligations with credit card processor, National Processing Company, LLC (a/k/a BA Merchant Services, LLC). Plaintiffs submitted an initial partial proof of loss and supporting information in September 2005. Defendant sent that partial claim to outside counsel for analysis of the coverage question—first to John Petro, Esq., and then to Thomas Hanlon, Esq.—before denying coverage for the reasons stated in a letter dated January 30, 2006. Petro initially opined that there was coverage under the computer fraud rider, but he later backtracked and agreed with Hanlon’s assessment that the loss was excluded. Asserting that defendant’s investigation was so inadequate or “one-sided” as to establish bad faith, plaintiffs point to defendant’s pursuit of the second opinion from an attorney whose firm regularly provided services to AIG and Petro’s explanation of how he “missed” the exclusion pointed out by Hanlon. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 4 The January 2006 denial letter questioned the “location” of the loss; stated that the loss appeared to be excluded because it related to the theft of confidential customer information excluded by Paragraph 9 of the computer fraud rider; and added in a footnote that the policy did not cover “indirect loss” in light of Exclusion 2(m). Plaintiffs responded by disclosing additional information—including the forensic analysis of the computer breach prepared a year earlier—to defendant on April 24, 2006; submitting a supplemental partial proof of loss on May 8, 2006; and commencing this lawsuit on May 9, 2006. Defendant subsequently clarified its position, but continued to deny coverage in a letter dated May 12, 2006. That letter explained that coverage would still be excluded because the claims arose from “third party theft of proprietary confidential customer credit card information.” A final proof of loss was not submitted by plaintiffs until June 29, 2007. Plaintiffs’ claims for declaratory judgment, breach of contract, and breach of the duty of good faith and fair dealing were answered by defendant’s counterclaim seeking declaratory judgment in its favor. Defendant alleged that plaintiffs had not sustained loss “resulting directly from” the theft of customer information; that general exclusions in Paragraph 2(k), (m) and (n) applied; and that coverage was specifically excluded under Paragraph 9 of Endorsement 17. After discovery, cross-motions for summary judgment were filed in two waves. The district court resolved the coverage and exclusion issues in plaintiffs’ favor in the opinion and order issued March 30, 2009, and rejected plaintiffs’ claims of bad faith in a separate opinion and order issued September 28, 2010. Then, to resolve the issues that remained for trial without waiving the right to appeal, the parties stipulated to a summary of losses incurred by plaintiffs (minus the self-insured retention) totaling more than $5.3 million and the calculation of associated prejudgment interest in excess of $1.49 million. Judgment was entered accordingly. Defendant appealed, and plaintiffs have cross-appealed.2 2 Defendant filed a motion to strike a large part of plaintiffs’ fourth brief on the grounds that it improperly addressed the coverage and exclusion issues that were raised in defendant’s appeal. Because plaintiffs’ fourth brief permissibly addressed the related issues of its cross-appeal challenging the finding that defendant was reasonably justified in denying coverage, the motion to strike is DENIED. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 5 II. Summary judgment is appropriate when, viewing the factual inferences and all reasonable inferences in favor of the nonmoving party, there are no genuine issues of material fact in dispute and the moving party is entitled to judgment as a matter of law. See FED. R. CIV. P. 56(a). Our review of the district court’s decision granting summary judgment is de novo. La Quinta Corp. v. Heartland Props. LLC, 603 F.3d 327, 335 (6th Cir. 2010). We apply the same standard in reviewing decisions on cross-motions for summary judgment, evaluating each motion on its own merits. Id. A. Defendant’s Appeal In this diversity action governed by Ohio law, contract interpretation is a question of law for the court. Leber v. Smith, 639 N.E.2d 1159, 1163 (Ohio 1994). The district court correctly summarized the general principles of contract interpretation as follows: In interpreting an insurance contract, the court is to give effect to the intent of the parties to the agreement. Hamilton Ins. Serv., Inc. v. Nationwide Ins. Cos., 86 Ohio St. 3d 270, 273 (1999), citing Employers’ Liab. Assur. Corp. v. Roehm, 99 Ohio St. 343 (1919) (syllabus). Ohio courts shall give insurance contract terms their plain and ordinary meaning unless another meaning is clearly apparent from the contents of the policy. Alexander v. Buckeye Pipe Line Co., 53 Ohio St. 2d 241 (1978) (syllabus ¶ 2). Further, a court must give meaning to every paragraph, clause, phrase, and word. Affiliated FM Ins. Co. v. Owens- Corning Fiberglas Corp., 16 F.3d 684, 686 (6th Cir. 1994). When the language of a written contract is clear, a court may look no further than the writing itself to find the intent of the parties. Id. As a matter of law, a contract is unambiguous if it can be given a definite legal meaning. Westfield Ins. Co. v. Galatis, 100 Ohio St. 3d 216, 219 (2003), citing Gulf Ins. Co. v. Burns Motors, Inc., 22 S.W.3d 417, 423 (Tex. 2000). A term is ambiguous if it is reasonably susceptible of more than one meaning. St. Mary’s Foundry, Inc. v. Employers Ins. of Wausau, 332 F.3d 989, 992 (6th Cir. 2003) (citations omitted). Where the written contract is standardized and between parties of unequal bargaining power, an ambiguity in the writing will be interpreted strictly against the drafter and in favor of the nondrafting party. Cent. Realty Co. v. Clutter, 62 Ohio St. 2d 411, 413 (1980). In the insurance context, as the insurer Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 6 customarily drafts the contract, an ambiguity in an insurance contract is ordinarily interpreted against the insurer and in favor of the insured. King v. Nationwide Ins. Co., 35 Ohio St. 3d 208 (1988) (syllabus). Nonetheless, this rule “will not be applied so as to provide an unreasonable interpretation of the words of the policy.” Morfoot v. Stake, 174 Ohio St. 506 (1963) (syllabus ¶ 1). We must determine how the Ohio courts would interpret the policy by looking first to Ohio law as determined by the Ohio Supreme Court, and then to all other sources. Bovee v. Coopers & Lybrand CPA, 272 F.3d 356, 361 (6th Cir. 2001). 1. Coverage The only coverage provisions at issue are found in Endorsement 17’s “Insuring Agreement XVIII,” entitled “Computer & Funds Transfer Fraud Coverage.” Specifically, defendant agreed in pertinent part to pay the insured for: XVIII. Loss which the Insured shall sustain resulting directly from: A. The theft of any Insured property by Computer Fraud; . . . . Endorsement 17 defines “Computer Fraud” to mean “the wrongful conversion of assets under the direct or indirect control of a Computer System by means of: (1) The fraudulent accessing of such Computer System; (2) The insertion of fraudulent data or instructions into such Computer System; or (3) The fraudulent alteration of data, programs, or routines in such Computer System.” As for “Insured property,” the policy generally defines the property interests covered as follows: Section 5. The Insured property may be owned by the Insured, or held by the Insured in any capacity whether or not the Insured is liable for the loss thereof, or may be property as respects which the Insured is legally liable; provided, Insuring Agreements II, III and IV apply only to the interest of the Insured in such property, . . . . Endorsement 17 adds that coverage applied “only with respect to . . . Money or Securities or Property located on the premises of the Insured.” Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 7 Three general exclusions, which Endorsement 17 made applicable to Insuring Agreement XVIII, are relied upon by defendant to support the contention that only first party coverage was intended. Those exclusions, found in Section 2(k), (m), and (n) provide that the policy “does not apply”: (k) to the defense of any legal proceeding brought against the Insured, or to fees, costs or expenses incurred or paid by the Insured in prosecuting or defending any legal proceeding whether or not such proceeding results or would result in a loss to the Insured covered by this Policy, except as may be specifically stated to the contrary in this Policy; .... (m) to damages of any type for which the Insured is legally liable, except direct compensatory damages arising from a loss covered under this Policy; (n) to costs, fees and other expenses incurred by the Insured in establishing the existence of or amount of loss covered under this Policy. Except for (m), these exclusions represent limits placed on coverage for an insured’s own damages and do not speak to third party losses.3 Defendant does not dispute that the unauthorized access and copying of customer information stored on plaintiffs’ computer system involved the “theft of any Insured property by Computer Fraud,” (although there is no indication whether it was property owned by plaintiffs, held in some capacity by plaintiffs, or was property for which plaintiffs were legally liable). What is disputed, however, is whether the district court was correct in concluding in this case of first impression that the loss plaintiffs sustained was loss resulting directly from the theft of insured property by computer fraud. The 3 Defendant contends that the district court erred in rejecting its claim that attorney fees and costs incurred in responding to the FTC inquiry were specifically excluded by Section 2(k). Plaintiffs respond that its general liability insurer covered its defense costs for all “legal proceedings,” and that the claim in this case was limited to the attorney fees associated with the security breach itself and the FTC’s “nonpublic inquiry.” The term “legal proceeding” is not defined by the policy, but FTC regulations distinguish “inquiries” and “investigations” from “formal adjudicative proceedings.” Compare 16 C.F.R. §§ 2.1, 2.4 and 2.8, with 16 C.F.R. §§ 3.1 and 3.2. An exclusion in an insurance policy will be interpreted to apply only to that which is clearly intended to be excluded. Hybud Equip. Corp. v. Sphere Drake Ins. Co., 597 N.E.2d 1096, 1102 (Ohio 1992). The district court did not err in this regard. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 8 district court predicted that the Ohio Supreme Court would follow those cases that interpret “resulting directly from” as imposing a traditional proximate cause standard in this context. Accordingly, the district court concluded that “there is a sufficient link between the computer hacker’s infiltration of Plaintiffs’ computer system and Plaintiffs’ financial loss to require coverage under Endorsement 17.” Defendant argues that it was error to apply a proximate cause standard for several reasons. a. Fidelity Bond Defendant argues first that the commercial crime policy is a “fidelity bond” and therefore must be interpreted to provide only first party coverage. The district court found that the policy was “not a fidelity bond, in toto, as it provided more than fidelity coverage.” Further, the district court explained that Endorsement 17 “is not a fidelity bond as there is no mention of employee dishonesty” and that “the terms of Endorsement 17 indicate coverage for losses to third-party assets.” While it is true that “fidelity bonds,” or “financial institution bonds,” typically provide more than just fidelity coverage (i.e., fidelity, forgery, on-premises and off-premises coverage), defendant overstates the significance of the analogy to the fidelity bond cases and the Standard Form 24, Standard Financial Institution Bond. See First State Bank of Monticello v. Ohio Cas. Ins. Co., 555 F.3d 564, 568 (7th Cir. 2009) (Ill. law) (discussing fidelity bonds). Nonetheless, to the extent that the district court may have erroneously (or inconsistently) disregarded some fidelity bond cases on that basis, it is clear that the label given to a policy is not determinative of coverage. See Hillyer v. State Farm Fire & Cas. Co., 780 N.E.2d 262, 265 (Ohio 2002) (holding that “it is the type of coverage provided, not the label affixed by the insurer, that determines the type of policy”). Moreover, even in the context of fidelity or dishonest employee coverage, there is no universal agreement among the courts concerning the meaning of the phrase “resulting directly from.” See Universal Mortg. Corp. v. Wurttembergische Versicherung AG, 651 F.3d 759, 762 (7th Cir. 2011) (describing two competing “interpretive camps”); The Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 9 Question of Causation in Loan Loss Cases, 11 FIDELITY L. ASS’N J. 97, 98 (2005) (noting “split” of authority). i. Direct-Means-Direct Approach Defendant urges this court to interpret the “resulting directly from” language as unambiguously requiring that the theft of property by computer fraud be the “sole” and “immediate” cause of the insured’s loss. See, e.g., RBC Mortg. Co. v. Nat’l Union Fire Ins. Co. of Pittsburgh, 812 N.E.2d 728 (Ill. App. 2004) (Ill. law) (adopting a direct- means-direct standard). Under this approach, loss “resulting directly from” employee misconduct refers only to the insured’s own loss from employee misconduct and not the insured’s vicarious liability to third parties. See Vons Cos. v. Fed. Ins. Co., 212 F.3d 489, 492-93 (9th Cir. 2000) (direct means no vicarious liability); Aetna Cas. & Sur. Co. v. Kidder, Peabody & Co., 246 A.D.2d 202, 209-10 (N.Y. App. 1998) (finding no coverage for third-party claims arising out of misconduct of employee who disclosed confidential information to others that resulted in massive insider trading losses). The Seventh Circuit describes this line of authority as holding that “when an insured incurs liability to a third party—whether in contract or tort—as a result of employee misconduct, financial loss resulting from that liability is not ‘directly’ caused by the employee misconduct and therefore is not covered by fidelity bonds containing direct- loss language.” Universal Mortg., 651 F.3d at 762 (discussing RBC (Ill. law) and Tri City Nat’l Bank v. Fed. Ins. Co., 674 N.W.2d 617, 622-24 (Wis. App. 2003) (Wis. law)). Courts that have adopted the direct-means-direct approach generally emphasize the historical context of fidelity bonds, which typically bundle indemnity coverage for specific risks, as well as the specific modification to Standard Form 24, Financial Institution Bond, that adopted the loss “resulting directly from” language with the purported intention of narrowing coverage. See id. at 761-62; Monticello, 555 F.3d at 570 (discussing revisions to standard form). These decisions also reason that “resulting directly from” suggests stricter causation than proximate cause because “directly” implies an immediacy to the fraud. See RBC, 812 N.E.2d at 736-37 (rejecting proximate cause as “too broad to capture accurately the intent behind the phrase ‘loss resulting Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 10 directly from’”). In Universal Mortgage, the Seventh Circuit also relied on the fact that the state courts in Wisconsin had already adopted the direct-means-direct approach in Tri City. 651 F.3d at 762; see also Direct Mortg. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, 625 F. Supp. 2d 1171, 1176 (D. Utah 2008) (concluding that the Utah Supreme Court would most likely adopt the direct-means-direct approach as better reasoned and more consistent with the traditional nature of fidelity bonds and the specific language at issue).4 ii. Flagstar Bank Defendant argues next that this court has already adopted a “heightened” standard for demonstrating “loss resulting directly from” forgery under a fidelity bond. Flagstar Bank, FSB v. Fed. Ins. Co., 260 F. App’x 820 (6th Cir. 2008) (Mich. law) (unpublished); see also Merchants Bank & Trust v. Cincinnati Ins. Co., No. 06-cv-561, 2008 WL 728332, at *4 (S.D. Ohio Mar. 14, 2006) (unpublished). However, this argument overstates both the holding in Flagstar and its application to this case. First, there was no issue of liability to third parties in Flagstar as the insured was seeking coverage for its own losses incurred when a mortgage broker defaulted on a $20 million line of credit obtained using fraudulent mortgage documents that were premised on fictitious collateral. Flagstar, 260 F. App’x at 821. This court held that because the forged promissory notes “would not have held value even if they had authentic signatures,” Flagstar’s loss did not result directly from the forgery. Id. at 822- 23. We explained that: “The district court correctly followed the logic of cases holding that financial institution bonds, which cover losses resulting either directly or indirectly from forgery, do not cover losses arising from the extension of loans based on fictitious 4 Even these cases, however, recognize that “there are instances when third party losses may be covered under fidelity bonds.” Tri City, 674 N.W.2d at 805, n.9. A direct loss may be caused by an “employee’s theft of property for which it is legally liable, the typical case being where the insured is a bailee or trustee of property.” Vons, 212 F.3d at 491; see also First Defiance Fin. Corp. v. Progressive Cas. Ins. Co., 688 F. Supp. 2d 703, 707 (N.D. Ohio 2010) (holding that employer incurred direct loss resulting from the theft of customer funds held in trust by the employer under fidelity bond), aff’d in part, __ F.3d __, 2012 WL 3104517 (6th Cir. Aug. 1, 2012). We do not reach plaintiffs’ alternative argument that even under a direct-means-direct approach the losses would not be excluded because this case involves “theft” of insured property from plaintiffs’ computer system. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 11 collateral.” Id. at 823 (citations omitted); see also Beach Comm. Bank v. St. Paul Mercury Ins. Co., 635 F.3d 1190, 1196 (11th Cir. 2011). This was also the basis for distinguishing this court’s prior decision in Union Planters Bank, which involved forged signatures on duplicate mortgages. See Union Planters Bank, NA v. Cont’l Cas. Co., 478 F.3d 759 (6th Cir. 2007). Further, Flagstar’s reference to a “heightened” causation standard arose in distinguishing First National Bank of Manitowoc v. Cincinnati Insurance Co., 485 F.3d 971, 979 (7th Cir. 2007), which held that loss involving fictitious collateral could be covered as loss “by reason of” the forgery under Insuring Agreement E (even if it would not be covered as a loss “resulting directly from” forgery under Insuring Agreement D). This court also distinguished dicta from Manitowoc that criticized a decision of the Georgia Court of Appeals for failing to address the separate language of Insuring Agreements D and E. Flagstar, 260 F. App’x at 824 n.1. Despite this court’s implicit acceptance of the distinction drawn in Manitowoc, it overstates the case to say Flagstar adopted a heightened causation standard for the phrase “resulting directly from” in a financial institution bond or commercial crime policy. Cf. Union Planters, 478 F.3d at 764 (applying Tennessee’s proximate cause standard to determine whether loss “resulted directly from” loans extended on the basis of forged collateral). iii. Proximate Cause Plaintiffs maintain that the district court correctly concluded that the Ohio Supreme Court would follow those courts that have adopted proximate cause as the standard for determining “direct loss” in the fidelity coverage context. See, e.g., Auto Lenders Acceptance Corp. v. Gentilini Ford, Inc., 854 A.2d 378, 385-86 (N.J. 2004) (N.J. law); Frontline Processing Corp. v. Am. Econ. Ins. Co., 149 P.3d 906, 909-11 (Mont. 2006); Scirex Corp. v. Fed. Ins. Co., 313 F.3d 841, 850 (3d Cir. 2002) (Pa. law); FDIC v. Nat’l Union Fire Ins. Co. of Pittsburgh, 205 F.3d 66, 76 (2d Cir. 2000) (N.J. law); Resolution Trust Corp. v. Fid. & Deposit Co. of Md., 205 F.3d 615, 655 (3d Cir. 2000) (N.J. law); Jefferson Bank v. Progressive Cas. Ins. Co., 965 F.2d 1274, 1281-82 (3d Cir. 1992) (Pa. law). Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 12 In Auto Lenders, the most prominently cited of these cases, the insurer argued that losses incurred by the insured in repurchasing fraudulent installment loan contracts were not covered because there was no “direct loss of or damage to” property, money, or securities as a result of employee dishonesty. Rejecting this contention, the New Jersey Supreme Court adopted “the conventional proximate cause test as the correct standard to apply when determining whether a loss resulted from the dishonest acts of an employee.” Auto Lenders, 854 A.2d at 387. The Court explained (1) that although the New Jersey courts had not decided the issue in the context of fidelity or dishonest employee coverage, proximate cause had been applied in determining direct loss under other kinds of insurance; (2) that federal courts, including the Second and Third Circuits in Scirex, FDIC, and Resolution Trust, had adopted a proximate cause standard for determining “direct loss” as a result of employee dishonesty; and (3) that this standard was consistent with the general principle of New Jersey law that coverage provisions are to be interpreted broadly. Similarly, the Montana Supreme Court held that “the term ‘direct loss’ when used in the context of employee dishonesty coverage afforded under a business owner’s liability policy, applies to consequential damages incurred by the insured that were proximately caused by the alleged dishonesty.” Frontline Processing, 149 P.3d at 911. After its CFO embezzled funds and failed to pay its payroll and income taxes, Frontline sought coverage for costs it incurred to investigate its employee’s misconduct, address the financial condition of the company, and pay costs, fees, penalties and interest assessed by the IRS. The Court distinguished Tri City, RBC, and Vons because they involved third party claims; concluded that—as in Jefferson, Scirex, and Auto Lenders—“a proximate cause analysis [was] appropriate in determining whether a loss is ‘direct’ under a fidelity insurance policy”; and added that this comported with the general application of proximate cause to losses under other kinds of insurance policies under state law. Id. at 911. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 13 b. Analysis Without ignoring that this is a commercial crime policy directed at the insured’s loss and not a commercial liability policy, our task is to determine the intention of the parties from the plain and ordinary meaning of the specific language used. A policy prepared by an insurer “must be construed liberally in favor of the insured and strictly against the insurer if the language used is doubtful, uncertain or ambiguous.” Am. Fin. Corp. v. Fireman’s Fund Ins. Co., 239 N.E.2d 33, 35 (Ohio 1968). Despite defendant’s arguments to the contrary, we find that the phrase “resulting directly from” does not unambiguously limit coverage to loss resulting “solely” or “immediately” from the theft itself. In fact, Endorsement 17 provided coverage for loss that the insured sustained “resulting directly from” the “theft of any Insured property by Computer Fraud,” which includes the “wrongful conversion of assets under the direct or indirect control of a Computer System by means of . . . fraudulent accessing of such Computer System.” Nor are we persuaded that the general exclusions in Section 2(k), (m), and (n) clarify the scope of the computer fraud coverage under Endorsement 17. When the exclusionary language is taken with the computer fraud coverage provisions in Endorsement 17, the meaning of the phrase “resulting directly from” is still ambiguous. The Ohio courts have not decided whether to apply proximate cause in the context of a fidelity bond or commercial crime policy. Despite plaintiffs’ suggestion otherwise, no implicit holding on the issue of causation can be read into the one Ohio court decision that involved a claim for loss “resulting directly from” forgery under a financial institution bond. See Bank One, Steubenville, NA v. Buckeye Union Ins. Co., 683 N.E.2d 50 (Ohio App. 1996) (holding that use of a signature stamp without authorization constituted forgery), appeal not allowed, 674 N.E.2d 1186 (Ohio Jan. 29, 1997). Nonetheless, plaintiffs have identified a few Ohio court decisions in which the court applied a proximate cause standard to determine whether there was a “direct loss” under other kinds of first party coverage. See, e.g., Amstutz Hatcheries of Celina, Inc. v. Grain Dealers Mut. Ins. Co., No. 4-77-4, 1978 WL 215799, at *1-2 (Ohio App. Mar. 15, 1978) (finding coverage against loss of chickens “directly and Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 14 immediately resulting from” lightning included suffocation when lightning knocked out power to ventilation system); Yunker v. Republic-Franklin Ins. Co., 442 N.E.2d 108, 113-14 (Ohio App. 1982) (applying proximate cause standard to determine “direct loss” under windstorm policy). Defendant argues that these cases are distinguishable, but has not identified any Ohio decisions that decline to apply a proximate cause standard in determining “direct” loss. Although not relied upon by the district court, these cases support the conclusion that the Ohio courts would apply a proximate cause standard to determine whether the loss was covered in this case. Consistent with general principles of insurance contract interpretation under Ohio law, we agree with the district court’s determination that the Ohio Supreme Court would apply a proximate cause standard to determine whether plaintiffs sustained loss “resulting directly from” the “theft of Insured property by Computer Fraud.” 2. Exclusion 9 There is a general presumption under Ohio law that what is not clearly excluded from coverage is included. Moorman v. Prudential Ins. Co. of Am., 445 N.E.2d 1122, 1124 (Ohio 1983). That is, “an exclusion from liability must be clear and exact in order to be given effect.” Lane v. Grange Mut. Cos., 543 N.E.2d 488, 490 (Ohio 1989). If an exclusion is ambiguous, it is construed in favor of affording coverage to the insured. St. Marys Foundry, Inc. v. Emp’rs Ins. of Wausau, 332 F.3d 989, 993 (6th Cir. 2003) (Ohio law). The insurer bears the burden of proving the applicability of an exclusion in its policy. Cont’l Ins. Co. v. Louis Marx Co., 415 N.E.2d 315, 317 (Ohio 1980). Apart from the question of coverage, defendant relied on the following specific exclusion in Paragraph 9 of Endorsement 17: 9. Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind. Defendant argues that the district court erred in finding that this exclusion did not bar coverage in this case. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 15 Relying on dictionary definitions for the word “loss,” the district court found that “loss of” was ambiguous because it could reasonably mean either “destruction of” or “deprivation/losing possession of” the specified items. However, as defendant argues, the existence of more than one dictionary definition does not make a term ambiguous. See AGK Holdings, Inc. v. Essex Ins. Co., 142 F. App’x 889, 892 (6th Cir. 2005) (unpublished). By excluding coverage for any loss, Paragraph 9 plainly excludes coverage for both loss by destruction and loss of possession of the specified items. Plaintiffs also argue that “any loss” should not be read to include fraudulent accessing and copying of information without removing, interfering with access, or destroying the data on plaintiffs’ computer system. However, the plain and ordinary meaning of “any loss” encompasses the “theft” of such data even if it is not destroyed or rendered inaccessible in the process. Finally, the district court found that the exclusion did not clearly include financial loss because “any loss of” an item is not the same as financial loss attributed to the loss of an item. However, if there were no coverage for the loss of the information itself, there would also be no coverage for damages resulting from the loss of the information. Nonetheless, the district court also concluded that even if the copying of customer information was a “loss” it was not a loss of “proprietary information . . . or other confidential information of any kind.” Defendant has not shown that this was error. Defendant argues first that plaintiffs should be bound to an interpretation consistent with the assertions made by counsel in five short cover letters to the FTC stating that plaintiffs considered “the enclosed documents to be highly confidential, as the documents address security measures used by DSW to maintain the confidentiality of its trade secret and proprietary information (which includes customer information).” On the contrary, the parenthetical reference to “customer information” cannot be considered an admission regarding the applicability of the Exclusion in paragraph 9. Moreover, plaintiffs respond that the documents which were disclosed under these cover letters did not actually include the downloaded customer payment information in question. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 16 Examining the exclusion for its plain and ordinary meaning, the district court concluded that loss of proprietary information would mean the loss of information “to which Plaintiffs own or hold single or sole right.” In fact, as the district court found, the stolen customer information was not “proprietary information” at all, since the information is owned or held by many, including the customer, the financial institution, and the merchants to whom the information is provided in the ordinary stream of commerce. The district court did not err in finding that the stored data consisting of customer credit card and checking account information would not come within the plain and ordinary meaning of “proprietary information.”5 Defendant made no claim that the customer information constituted “Trade Secrets” or “Confidential Processing Methods,” but argued that the customer information came within the broad “catch-all” clause excluding coverage for “loss of . . . confidential information of any kind.” As defendant argued, the evidence shows that plaintiffs recognized in contracts with credit card companies, under standards applicable to the processing of credit card payments, and in internal policies and procedures, that the confidentiality of customer credit card and checking account information would and should be protected from unauthorized access or disclosure. However, to interpret “other confidential information of any kind” as defendant urges—to mean any information belonging to anyone that is expected to be protected from unauthorized disclosure—would swallow not only the other terms in this exclusion but also the coverage for computer fraud. The district court rejected the broad interpretation of “confidential information” urged by defendant because, under the principle of ejusdem generis, the general term must take its meaning from the specific terms with which it appears. See Allinder v. Inter-City Prods. Corp., 152 F.3d 544, 549 (6th Cir. 1998). Although defendant argues 5 Defendant cites to a partially reversed decision that described extensive and detailed customer profiles (including personal information, preferences, and travel histories) kept by the Four Seasons Hotels as proprietary in a case alleging misappropriation of trade secrets and violation of federal statutes. See Four Seasons Hotels & Resorts BV v. Consorcio Barr, SA., 267 F. Supp. 2d 1268, 1276-78 (S.D. Fla. 2003), rv’d in part without opinion, 138 F. App’x 297 (11th Cir. 2005). There is no indication that plaintiffs’ centrally stored file of customer payment data contained similarly proprietary information. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 17 that this rule of statutory construction does not apply to insurance contracts, the Ohio courts have used the doctrine of ejusdem generis in interpreting insurance and other contracts. See, e.g., Sherwin-Williams Co. v. Travelers Cas. & Sur. Co., No. 82867, 2003 WL 22671621, at *4 (Ohio App. Nov. 13, 2003) (applying doctrine to limit “invasion of right to private occupancy” to preceding terms “wrongful entry” and “eviction”); Direct Carpet Mills Outlet v. Amalg. Realty Co., No. 87AP-101, 1988 WL 84405, at *3 (Ohio App. Aug. 11, 1988) (finding “accident of any kind” in exclusion must be read to refer to accidents similar in kind to the terms “fire, explosion, and wind” that preceded it). Moreover, defendant’s contention that the doctrine does not apply because the exclusion does not list specific terms followed by a general term is without merit. The terms “Trade Secrets” and “Confidential Processing Methods” were capitalized, suggesting a specific meaning, although they were not defined in the policy. Looking to the common law definition of “trade secrets,” and dictionary definitions for “confidential” “processing” and “method,” the district court reasonably concluded that the term “Trade Secrets” means “Plaintiffs’ information which is used in Plaintiffs’ business, and which gives Plaintiff an opportunity to obtain advantage over competitors who do not know or use the information.” Similarly, “Confidential Processing Methods” means plaintiffs’ secret process or technique for doing something, “which in the context of the Exclusion, relates to Plaintiff[s’] business operation.” The district court did not err in finding that “proprietary information,” “Trade Secrets,” and “Confidential Processing Methods,” are specific terms that all pertain to secret information of plaintiffs involving the manner in which the business is operated. The last item, “other confidential information of any kind,” is most certainly general and should be interpreted as part of the sequence to refer to “other secret information of Plaintiffs which involves the manner in which the business is operated.” The “stolen” customer information was not plaintiffs’ confidential information, but was obtained from customers in order to receive payment, and did not involve the manner in which the business is operated. The district court did not err in finding that the loss in this case was not clearly excluded by Paragraph 9 of Endorsement 17. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 18 B. Plaintiffs’ Cross-Appeal Plaintiffs appeal the decision granting summary judgment to defendant on the tort claim for breach of the duty of good faith and fair dealing under Ohio law. See Hoskins v. Aetna Life Ins. Co., 452 N.E.2d 1315, 1316 (Ohio 1983). An insurer fails to exercise good faith when it refuses to pay a claim without “reasonable justification.” Zoppo v. Homestead Ins. Co., 644 N.E.2d 397, 399-400 (Ohio 1994) (holding that actual intent is not an element of the tort of bad faith); see also Corbo Props., Ltd. v. Seneca Ins. Co., 771 F. Supp. 2d 877, 880 (N.D. Ohio 2011). Denial of a claim may be reasonably justified when “the claim was fairly debatable and the refusal was premised on either the status of the law at the time of the denial or the facts that gave rise to the claim.” Tokles & Son, Inc. v. Midwestern Indemn. Co., 605 N.E.2d 936, 943 (Ohio 1992). First, arguing that the district court applied the wrong legal standard, plaintiffs contend that Ohio’s default-ambiguity rule of construction means that an insurer can deny coverage in good faith only if it had reason to believe that its interpretation was the only reasonable one. There is no support for this proposition in Ohio law, which recognizes distinct standards for determining breach of contract and breach of the duty of good faith. In fact, the Ohio Supreme Court has stated that “[m]ere refusal to pay insurance is not, in itself, conclusive of bad faith.” Hoskins, 452 N.E.2d at 1320; see Schuetz v. State Farm Fire & Cas. Co., 890 N.E.2d 374, 393-94 (Ohio Ct. Com. Pl. 2007) (rejecting argument that breach of the duty to defend also establishes bad faith). To incorporate the default-ambiguity cannon into a bad faith claim as plaintiffs suggest would conflate the two claims and equate bad faith with breach of contract.6 Next, plaintiffs challenge the district court’s conclusion that the coverage question was “fairly debatable” on the grounds that the defendant did not, in fact, rely on the “direct loss” issue in denying coverage. Although the denial letters did not specifically reference the “resulting directly from” language, there was mention of the fact that the policy did not cover “indirect losses” such as fines, penalties and interest. 6 Plaintiffs’ reliance on the Tenth Circuit’s decision to the contrary in Wolf v. Prudential Insurance Co. of America, 50 F.3d 793, 800 (10th Cir. 1995), is misplaced. Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 19 Further, as the district court concluded, the failure to reference the “resulting directly from” language in the claim file itself does not demonstrate bad faith on the part of the insurer. Moreover, the district court also concluded that defendant had reasonable justification for the refusal to pay because its interpretation of the Exclusion in paragraph 9 was incorrect but not unreasonable. Plaintiffs disagree and again argue that defendant did not have an objectively reasonable basis to believe that its interpretation of the exclusion was the only reasonable one. On the contrary, as the district court found, defendant’s claim that the consumer information fell within the plain and ordinary meaning of “other confidential information of any kind” was factually and legally reasonable in light of the confidential nature of the customer information and the claim that esjudem generis did not apply. Nor is there a question about the adequacy or reasonableness of defendant’s investigation of the claim. In truth, plaintiffs’ complaint is not really that the investigation was inadequate, but rather that defendant was not satisfied with the first legal opinion it received. We cannot conclude, however, that requesting a second opinion under the circumstances made the investigation so one-sided as to constitute bad faith. AFFIRMED.