RECOMMENDED FOR FULL-TEXT PUBLICATION
Pursuant to Sixth Circuit Rule 206
File Name: 12a0279p.06
UNITED STATES COURT OF APPEALS
FOR THE SIXTH CIRCUIT
_________________
X
-
RETAIL VENTURES, INC.; DSW INC.; DSW
Plaintiffs-Appellees/Cross-Appellants, --
SHOE WAREHOUSE, INC.,
-
Nos. 10-4576/4608
,
>
-
v.
NATIONAL UNION FIRE INSURANCE COMPANY -
-
-
OF PITTSBURGH, PA.,
Defendant-Appellant/Cross-Appellee. N
Appeal from the United States District Court
for the Southern District of Ohio at Columbus.
No. 2:06-cv-443—Michael H. Watson, District Judge.
Argued: July 17, 2012
Decided and Filed: August 23, 2012
Before: GUY, and CLAY, Circuit Judges; HOOD, District Judge.*
_________________
COUNSEL
ARGUED: Steven G. Janik, JANIK L.L.P., Cleveland, Ohio, for Appellant/Cross-
Appellee. James E. Arnold, JAMES E. ARNOLD & ASSOCIATES, LPA, Columbus,
Ohio, for Appellees/Cross-Appellants. ON BRIEF: Steven G. Janik, Thomas D.
Lambros, Crystal L. Maluchnik, JANIK L.L.P., Cleveland, Ohio, for Appellant/Cross-
Appellee. James E. Arnold, Gerhardt A. Gosnell II, JAMES E. ARNOLD &
ASSOCIATES, LPA, Columbus, Ohio, Joshua Gold, ANDERSON KILL & OLICK,
P.C., New York, New York, for Appellees/Cross-Appellants.
*
The Honorable Denise Page Hood, United States District Judge for the Eastern District of
Michigan, sitting by designation.
1
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 2
_________________
OPINION
_________________
RALPH B. GUY, JR., Circuit Judge. Defendant National Union Fire Insurance
Company of Pittsburgh, PA, a subsidiary of AIG, Inc., appeals from the final judgment
entered in favor of plaintiffs Retail Ventures, Inc., DSW Inc., and DSW Shoe
Warehouse, Inc., for more than $6.8 million in stipulated losses and prejudgment
interest. Plaintiffs prevailed on cross-motions for summary judgment with respect to the
claim for coverage under a computer fraud rider to a “Blanket Crime Policy” for losses
resulting from a computer hacking scheme that compromised customer credit card and
checking account information. Defendant claims the district court erred: (1) in finding
that plaintiffs suffered a loss “resulting directly from” the “theft of any Insured property
by Computer Fraud”; and (2) in rejecting application of the exclusion of “any loss of
proprietary information, Trade Secrets, Confidential Processing Methods or other
confidential information of any kind.” Plaintiffs’ cross-appeal challenges the district
court’s rejection of the tort claim for breach of the duty of good faith and fair dealing.
After review of the record and consideration of the arguments presented on appeal, the
judgment of the district court is affirmed.
I.
The circumstances surrounding the hacking incident are not at issue on appeal,
although it is now known that it was part of a larger scheme led by convicted computer
hacker Albert Gonzalez. Briefly, between February 1 and February 14, 2005, hackers
used the local wireless network at one DSW store to make unauthorized access to
plaintiffs’ main computer system and download credit card and checking account
information pertaining to more than 1.4 million customers of 108 stores.1 Fraudulent
transactions followed using the stolen customer payment information, to which plaintiffs
1
Information from the magnetic stripe on the back of customer credit cards and customer bank
account and driver’s license information was received and stored electronically on plaintiffs’ computer
system.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 3
were first alerted by one of the affected credit card companies on March 2, 2005.
Plaintiffs launched an investigation that quickly revealed the data breach; National
Union was notified of the insurance claim at issue; and, in April 2005, National Union,
through its affiliate AIG Technical Services, Inc., advised plaintiffs that an investigation
would be carried out “under a full reservation of all rights and defenses at law, in equity,
and under the terms and conditions of the bond.”
In the wake of the data breach, plaintiffs incurred expenses for customer
communications, public relations, customer claims and lawsuits, and attorney fees in
connection with investigations by seven state Attorney Generals and the Federal Trade
Commission (FTC). The FTC’s inquiry was resolved administratively with a consent
decree requiring, inter alia, that plaintiffs establish and maintain a comprehensive
information security program designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers. In the Matter of
DSW, Inc., No. C-4157, 2006 WL 752215 (FTC Mar. 7, 2006). The largest share of the
losses—more than $4 million—arose from the compromised credit card information:
namely, costs associated with charge backs, card reissuance, account monitoring, and
fines imposed by VISA/MasterCard. That amount was determined by the settlement of
plaintiffs’ contractual obligations with credit card processor, National Processing
Company, LLC (a/k/a BA Merchant Services, LLC).
Plaintiffs submitted an initial partial proof of loss and supporting information in
September 2005. Defendant sent that partial claim to outside counsel for analysis of the
coverage question—first to John Petro, Esq., and then to Thomas Hanlon, Esq.—before
denying coverage for the reasons stated in a letter dated January 30, 2006. Petro initially
opined that there was coverage under the computer fraud rider, but he later backtracked
and agreed with Hanlon’s assessment that the loss was excluded. Asserting that
defendant’s investigation was so inadequate or “one-sided” as to establish bad faith,
plaintiffs point to defendant’s pursuit of the second opinion from an attorney whose firm
regularly provided services to AIG and Petro’s explanation of how he “missed” the
exclusion pointed out by Hanlon.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 4
The January 2006 denial letter questioned the “location” of the loss; stated that
the loss appeared to be excluded because it related to the theft of confidential customer
information excluded by Paragraph 9 of the computer fraud rider; and added in a
footnote that the policy did not cover “indirect loss” in light of Exclusion 2(m).
Plaintiffs responded by disclosing additional information—including the forensic
analysis of the computer breach prepared a year earlier—to defendant on April 24, 2006;
submitting a supplemental partial proof of loss on May 8, 2006; and commencing this
lawsuit on May 9, 2006. Defendant subsequently clarified its position, but continued to
deny coverage in a letter dated May 12, 2006. That letter explained that coverage would
still be excluded because the claims arose from “third party theft of proprietary
confidential customer credit card information.” A final proof of loss was not submitted
by plaintiffs until June 29, 2007.
Plaintiffs’ claims for declaratory judgment, breach of contract, and breach of the
duty of good faith and fair dealing were answered by defendant’s counterclaim seeking
declaratory judgment in its favor. Defendant alleged that plaintiffs had not sustained
loss “resulting directly from” the theft of customer information; that general exclusions
in Paragraph 2(k), (m) and (n) applied; and that coverage was specifically excluded
under Paragraph 9 of Endorsement 17. After discovery, cross-motions for summary
judgment were filed in two waves. The district court resolved the coverage and
exclusion issues in plaintiffs’ favor in the opinion and order issued March 30, 2009, and
rejected plaintiffs’ claims of bad faith in a separate opinion and order issued September
28, 2010. Then, to resolve the issues that remained for trial without waiving the right
to appeal, the parties stipulated to a summary of losses incurred by plaintiffs (minus the
self-insured retention) totaling more than $5.3 million and the calculation of associated
prejudgment interest in excess of $1.49 million. Judgment was entered accordingly.
Defendant appealed, and plaintiffs have cross-appealed.2
2
Defendant filed a motion to strike a large part of plaintiffs’ fourth brief on the grounds that it
improperly addressed the coverage and exclusion issues that were raised in defendant’s appeal. Because
plaintiffs’ fourth brief permissibly addressed the related issues of its cross-appeal challenging the finding
that defendant was reasonably justified in denying coverage, the motion to strike is DENIED.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 5
II.
Summary judgment is appropriate when, viewing the factual inferences and all
reasonable inferences in favor of the nonmoving party, there are no genuine issues of
material fact in dispute and the moving party is entitled to judgment as a matter of law.
See FED. R. CIV. P. 56(a). Our review of the district court’s decision granting summary
judgment is de novo. La Quinta Corp. v. Heartland Props. LLC, 603 F.3d 327, 335
(6th Cir. 2010). We apply the same standard in reviewing decisions on cross-motions
for summary judgment, evaluating each motion on its own merits. Id.
A. Defendant’s Appeal
In this diversity action governed by Ohio law, contract interpretation is a
question of law for the court. Leber v. Smith, 639 N.E.2d 1159, 1163 (Ohio 1994). The
district court correctly summarized the general principles of contract interpretation as
follows:
In interpreting an insurance contract, the court is to give effect to
the intent of the parties to the agreement. Hamilton Ins. Serv., Inc. v.
Nationwide Ins. Cos., 86 Ohio St. 3d 270, 273 (1999), citing Employers’
Liab. Assur. Corp. v. Roehm, 99 Ohio St. 343 (1919) (syllabus). Ohio
courts shall give insurance contract terms their plain and ordinary
meaning unless another meaning is clearly apparent from the contents of
the policy. Alexander v. Buckeye Pipe Line Co., 53 Ohio St. 2d 241
(1978) (syllabus ¶ 2). Further, a court must give meaning to every
paragraph, clause, phrase, and word. Affiliated FM Ins. Co. v. Owens-
Corning Fiberglas Corp., 16 F.3d 684, 686 (6th Cir. 1994). When the
language of a written contract is clear, a court may look no further than
the writing itself to find the intent of the parties. Id. As a matter of law,
a contract is unambiguous if it can be given a definite legal meaning.
Westfield Ins. Co. v. Galatis, 100 Ohio St. 3d 216, 219 (2003), citing
Gulf Ins. Co. v. Burns Motors, Inc., 22 S.W.3d 417, 423 (Tex. 2000).
A term is ambiguous if it is reasonably susceptible of more than
one meaning. St. Mary’s Foundry, Inc. v. Employers Ins. of Wausau,
332 F.3d 989, 992 (6th Cir. 2003) (citations omitted). Where the written
contract is standardized and between parties of unequal bargaining
power, an ambiguity in the writing will be interpreted strictly against the
drafter and in favor of the nondrafting party. Cent. Realty Co. v. Clutter,
62 Ohio St. 2d 411, 413 (1980). In the insurance context, as the insurer
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 6
customarily drafts the contract, an ambiguity in an insurance contract is
ordinarily interpreted against the insurer and in favor of the insured.
King v. Nationwide Ins. Co., 35 Ohio St. 3d 208 (1988) (syllabus).
Nonetheless, this rule “will not be applied so as to provide an
unreasonable interpretation of the words of the policy.” Morfoot v.
Stake, 174 Ohio St. 506 (1963) (syllabus ¶ 1).
We must determine how the Ohio courts would interpret the policy by looking first to
Ohio law as determined by the Ohio Supreme Court, and then to all other sources.
Bovee v. Coopers & Lybrand CPA, 272 F.3d 356, 361 (6th Cir. 2001).
1. Coverage
The only coverage provisions at issue are found in Endorsement 17’s “Insuring
Agreement XVIII,” entitled “Computer & Funds Transfer Fraud Coverage.”
Specifically, defendant agreed in pertinent part to pay the insured for:
XVIII. Loss which the Insured shall sustain resulting directly from:
A. The theft of any Insured property by Computer Fraud; . . . .
Endorsement 17 defines “Computer Fraud” to mean “the wrongful conversion of assets
under the direct or indirect control of a Computer System by means of: (1) The
fraudulent accessing of such Computer System; (2) The insertion of fraudulent data or
instructions into such Computer System; or (3) The fraudulent alteration of data,
programs, or routines in such Computer System.” As for “Insured property,” the policy
generally defines the property interests covered as follows:
Section 5. The Insured property may be owned by the Insured, or held
by the Insured in any capacity whether or not the Insured is liable for the
loss thereof, or may be property as respects which the Insured is legally
liable; provided, Insuring Agreements II, III and IV apply only to the
interest of the Insured in such property, . . . .
Endorsement 17 adds that coverage applied “only with respect to . . . Money or
Securities or Property located on the premises of the Insured.”
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 7
Three general exclusions, which Endorsement 17 made applicable to Insuring
Agreement XVIII, are relied upon by defendant to support the contention that only first
party coverage was intended. Those exclusions, found in Section 2(k), (m), and (n)
provide that the policy “does not apply”:
(k) to the defense of any legal proceeding brought against the
Insured, or to fees, costs or expenses incurred or paid by
the Insured in prosecuting or defending any legal
proceeding whether or not such proceeding results or
would result in a loss to the Insured covered by this
Policy, except as may be specifically stated to the
contrary in this Policy;
....
(m) to damages of any type for which the Insured is legally
liable, except direct compensatory damages arising from
a loss covered under this Policy;
(n) to costs, fees and other expenses incurred by the Insured
in establishing the existence of or amount of loss covered
under this Policy.
Except for (m), these exclusions represent limits placed on coverage for an insured’s
own damages and do not speak to third party losses.3
Defendant does not dispute that the unauthorized access and copying of customer
information stored on plaintiffs’ computer system involved the “theft of any Insured
property by Computer Fraud,” (although there is no indication whether it was property
owned by plaintiffs, held in some capacity by plaintiffs, or was property for which
plaintiffs were legally liable). What is disputed, however, is whether the district court
was correct in concluding in this case of first impression that the loss plaintiffs sustained
was loss resulting directly from the theft of insured property by computer fraud. The
3
Defendant contends that the district court erred in rejecting its claim that attorney fees and costs
incurred in responding to the FTC inquiry were specifically excluded by Section 2(k). Plaintiffs respond
that its general liability insurer covered its defense costs for all “legal proceedings,” and that the claim in
this case was limited to the attorney fees associated with the security breach itself and the FTC’s
“nonpublic inquiry.” The term “legal proceeding” is not defined by the policy, but FTC regulations
distinguish “inquiries” and “investigations” from “formal adjudicative proceedings.” Compare 16 C.F.R.
§§ 2.1, 2.4 and 2.8, with 16 C.F.R. §§ 3.1 and 3.2. An exclusion in an insurance policy will be interpreted
to apply only to that which is clearly intended to be excluded. Hybud Equip. Corp. v. Sphere Drake Ins.
Co., 597 N.E.2d 1096, 1102 (Ohio 1992). The district court did not err in this regard.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 8
district court predicted that the Ohio Supreme Court would follow those cases that
interpret “resulting directly from” as imposing a traditional proximate cause standard in
this context. Accordingly, the district court concluded that “there is a sufficient link
between the computer hacker’s infiltration of Plaintiffs’ computer system and Plaintiffs’
financial loss to require coverage under Endorsement 17.” Defendant argues that it was
error to apply a proximate cause standard for several reasons.
a. Fidelity Bond
Defendant argues first that the commercial crime policy is a “fidelity bond” and
therefore must be interpreted to provide only first party coverage. The district court
found that the policy was “not a fidelity bond, in toto, as it provided more than fidelity
coverage.” Further, the district court explained that Endorsement 17 “is not a fidelity
bond as there is no mention of employee dishonesty” and that “the terms of Endorsement
17 indicate coverage for losses to third-party assets.” While it is true that “fidelity
bonds,” or “financial institution bonds,” typically provide more than just fidelity
coverage (i.e., fidelity, forgery, on-premises and off-premises coverage), defendant
overstates the significance of the analogy to the fidelity bond cases and the Standard
Form 24, Standard Financial Institution Bond. See First State Bank of Monticello v.
Ohio Cas. Ins. Co., 555 F.3d 564, 568 (7th Cir. 2009) (Ill. law) (discussing fidelity
bonds).
Nonetheless, to the extent that the district court may have erroneously (or
inconsistently) disregarded some fidelity bond cases on that basis, it is clear that the
label given to a policy is not determinative of coverage. See Hillyer v. State Farm Fire
& Cas. Co., 780 N.E.2d 262, 265 (Ohio 2002) (holding that “it is the type of coverage
provided, not the label affixed by the insurer, that determines the type of policy”).
Moreover, even in the context of fidelity or dishonest employee coverage, there is no
universal agreement among the courts concerning the meaning of the phrase “resulting
directly from.” See Universal Mortg. Corp. v. Wurttembergische Versicherung AG, 651
F.3d 759, 762 (7th Cir. 2011) (describing two competing “interpretive camps”); The
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 9
Question of Causation in Loan Loss Cases, 11 FIDELITY L. ASS’N J. 97, 98 (2005)
(noting “split” of authority).
i. Direct-Means-Direct Approach
Defendant urges this court to interpret the “resulting directly from” language as
unambiguously requiring that the theft of property by computer fraud be the “sole” and
“immediate” cause of the insured’s loss. See, e.g., RBC Mortg. Co. v. Nat’l Union Fire
Ins. Co. of Pittsburgh, 812 N.E.2d 728 (Ill. App. 2004) (Ill. law) (adopting a direct-
means-direct standard). Under this approach, loss “resulting directly from” employee
misconduct refers only to the insured’s own loss from employee misconduct and not the
insured’s vicarious liability to third parties. See Vons Cos. v. Fed. Ins. Co., 212 F.3d
489, 492-93 (9th Cir. 2000) (direct means no vicarious liability); Aetna Cas. & Sur. Co.
v. Kidder, Peabody & Co., 246 A.D.2d 202, 209-10 (N.Y. App. 1998) (finding no
coverage for third-party claims arising out of misconduct of employee who disclosed
confidential information to others that resulted in massive insider trading losses). The
Seventh Circuit describes this line of authority as holding that “when an insured incurs
liability to a third party—whether in contract or tort—as a result of employee
misconduct, financial loss resulting from that liability is not ‘directly’ caused by the
employee misconduct and therefore is not covered by fidelity bonds containing direct-
loss language.” Universal Mortg., 651 F.3d at 762 (discussing RBC (Ill. law) and Tri
City Nat’l Bank v. Fed. Ins. Co., 674 N.W.2d 617, 622-24 (Wis. App. 2003) (Wis. law)).
Courts that have adopted the direct-means-direct approach generally emphasize
the historical context of fidelity bonds, which typically bundle indemnity coverage for
specific risks, as well as the specific modification to Standard Form 24, Financial
Institution Bond, that adopted the loss “resulting directly from” language with the
purported intention of narrowing coverage. See id. at 761-62; Monticello, 555 F.3d at
570 (discussing revisions to standard form). These decisions also reason that “resulting
directly from” suggests stricter causation than proximate cause because “directly”
implies an immediacy to the fraud. See RBC, 812 N.E.2d at 736-37 (rejecting proximate
cause as “too broad to capture accurately the intent behind the phrase ‘loss resulting
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 10
directly from’”). In Universal Mortgage, the Seventh Circuit also relied on the fact that
the state courts in Wisconsin had already adopted the direct-means-direct approach in
Tri City. 651 F.3d at 762; see also Direct Mortg. Corp. v. Nat’l Union Fire Ins. Co. of
Pittsburgh, 625 F. Supp. 2d 1171, 1176 (D. Utah 2008) (concluding that the Utah
Supreme Court would most likely adopt the direct-means-direct approach as better
reasoned and more consistent with the traditional nature of fidelity bonds and the
specific language at issue).4
ii. Flagstar Bank
Defendant argues next that this court has already adopted a “heightened”
standard for demonstrating “loss resulting directly from” forgery under a fidelity bond.
Flagstar Bank, FSB v. Fed. Ins. Co., 260 F. App’x 820 (6th Cir. 2008) (Mich. law)
(unpublished); see also Merchants Bank & Trust v. Cincinnati Ins. Co., No. 06-cv-561,
2008 WL 728332, at *4 (S.D. Ohio Mar. 14, 2006) (unpublished). However, this
argument overstates both the holding in Flagstar and its application to this case.
First, there was no issue of liability to third parties in Flagstar as the insured was
seeking coverage for its own losses incurred when a mortgage broker defaulted on a
$20 million line of credit obtained using fraudulent mortgage documents that were
premised on fictitious collateral. Flagstar, 260 F. App’x at 821. This court held that
because the forged promissory notes “would not have held value even if they had
authentic signatures,” Flagstar’s loss did not result directly from the forgery. Id. at 822-
23. We explained that: “The district court correctly followed the logic of cases holding
that financial institution bonds, which cover losses resulting either directly or indirectly
from forgery, do not cover losses arising from the extension of loans based on fictitious
4
Even these cases, however, recognize that “there are instances when third party losses may be
covered under fidelity bonds.” Tri City, 674 N.W.2d at 805, n.9. A direct loss may be caused by an
“employee’s theft of property for which it is legally liable, the typical case being where the insured is a
bailee or trustee of property.” Vons, 212 F.3d at 491; see also First Defiance Fin. Corp. v. Progressive
Cas. Ins. Co., 688 F. Supp. 2d 703, 707 (N.D. Ohio 2010) (holding that employer incurred direct loss
resulting from the theft of customer funds held in trust by the employer under fidelity bond), aff’d in part,
__ F.3d __, 2012 WL 3104517 (6th Cir. Aug. 1, 2012). We do not reach plaintiffs’ alternative argument
that even under a direct-means-direct approach the losses would not be excluded because this case involves
“theft” of insured property from plaintiffs’ computer system.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 11
collateral.” Id. at 823 (citations omitted); see also Beach Comm. Bank v. St. Paul
Mercury Ins. Co., 635 F.3d 1190, 1196 (11th Cir. 2011). This was also the basis for
distinguishing this court’s prior decision in Union Planters Bank, which involved forged
signatures on duplicate mortgages. See Union Planters Bank, NA v. Cont’l Cas. Co.,
478 F.3d 759 (6th Cir. 2007).
Further, Flagstar’s reference to a “heightened” causation standard arose in
distinguishing First National Bank of Manitowoc v. Cincinnati Insurance Co., 485 F.3d
971, 979 (7th Cir. 2007), which held that loss involving fictitious collateral could be
covered as loss “by reason of” the forgery under Insuring Agreement E (even if it would
not be covered as a loss “resulting directly from” forgery under Insuring Agreement D).
This court also distinguished dicta from Manitowoc that criticized a decision of the
Georgia Court of Appeals for failing to address the separate language of Insuring
Agreements D and E. Flagstar, 260 F. App’x at 824 n.1. Despite this court’s implicit
acceptance of the distinction drawn in Manitowoc, it overstates the case to say Flagstar
adopted a heightened causation standard for the phrase “resulting directly from” in a
financial institution bond or commercial crime policy. Cf. Union Planters, 478 F.3d at
764 (applying Tennessee’s proximate cause standard to determine whether loss “resulted
directly from” loans extended on the basis of forged collateral).
iii. Proximate Cause
Plaintiffs maintain that the district court correctly concluded that the Ohio
Supreme Court would follow those courts that have adopted proximate cause as the
standard for determining “direct loss” in the fidelity coverage context. See, e.g., Auto
Lenders Acceptance Corp. v. Gentilini Ford, Inc., 854 A.2d 378, 385-86 (N.J. 2004)
(N.J. law); Frontline Processing Corp. v. Am. Econ. Ins. Co., 149 P.3d 906, 909-11
(Mont. 2006); Scirex Corp. v. Fed. Ins. Co., 313 F.3d 841, 850 (3d Cir. 2002) (Pa. law);
FDIC v. Nat’l Union Fire Ins. Co. of Pittsburgh, 205 F.3d 66, 76 (2d Cir. 2000)
(N.J. law); Resolution Trust Corp. v. Fid. & Deposit Co. of Md., 205 F.3d 615, 655
(3d Cir. 2000) (N.J. law); Jefferson Bank v. Progressive Cas. Ins. Co., 965 F.2d 1274,
1281-82 (3d Cir. 1992) (Pa. law).
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 12
In Auto Lenders, the most prominently cited of these cases, the insurer argued
that losses incurred by the insured in repurchasing fraudulent installment loan contracts
were not covered because there was no “direct loss of or damage to” property, money,
or securities as a result of employee dishonesty. Rejecting this contention, the New
Jersey Supreme Court adopted “the conventional proximate cause test as the correct
standard to apply when determining whether a loss resulted from the dishonest acts of
an employee.” Auto Lenders, 854 A.2d at 387. The Court explained (1) that although
the New Jersey courts had not decided the issue in the context of fidelity or dishonest
employee coverage, proximate cause had been applied in determining direct loss under
other kinds of insurance; (2) that federal courts, including the Second and Third Circuits
in Scirex, FDIC, and Resolution Trust, had adopted a proximate cause standard for
determining “direct loss” as a result of employee dishonesty; and (3) that this standard
was consistent with the general principle of New Jersey law that coverage provisions are
to be interpreted broadly.
Similarly, the Montana Supreme Court held that “the term ‘direct loss’ when
used in the context of employee dishonesty coverage afforded under a business owner’s
liability policy, applies to consequential damages incurred by the insured that were
proximately caused by the alleged dishonesty.” Frontline Processing, 149 P.3d at 911.
After its CFO embezzled funds and failed to pay its payroll and income taxes, Frontline
sought coverage for costs it incurred to investigate its employee’s misconduct, address
the financial condition of the company, and pay costs, fees, penalties and interest
assessed by the IRS. The Court distinguished Tri City, RBC, and Vons because they
involved third party claims; concluded that—as in Jefferson, Scirex, and Auto
Lenders—“a proximate cause analysis [was] appropriate in determining whether a loss
is ‘direct’ under a fidelity insurance policy”; and added that this comported with the
general application of proximate cause to losses under other kinds of insurance policies
under state law. Id. at 911.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 13
b. Analysis
Without ignoring that this is a commercial crime policy directed at the insured’s
loss and not a commercial liability policy, our task is to determine the intention of the
parties from the plain and ordinary meaning of the specific language used. A policy
prepared by an insurer “must be construed liberally in favor of the insured and strictly
against the insurer if the language used is doubtful, uncertain or ambiguous.” Am. Fin.
Corp. v. Fireman’s Fund Ins. Co., 239 N.E.2d 33, 35 (Ohio 1968). Despite defendant’s
arguments to the contrary, we find that the phrase “resulting directly from” does not
unambiguously limit coverage to loss resulting “solely” or “immediately” from the theft
itself. In fact, Endorsement 17 provided coverage for loss that the insured sustained
“resulting directly from” the “theft of any Insured property by Computer Fraud,” which
includes the “wrongful conversion of assets under the direct or indirect control of a
Computer System by means of . . . fraudulent accessing of such Computer System.” Nor
are we persuaded that the general exclusions in Section 2(k), (m), and (n) clarify the
scope of the computer fraud coverage under Endorsement 17. When the exclusionary
language is taken with the computer fraud coverage provisions in Endorsement 17, the
meaning of the phrase “resulting directly from” is still ambiguous.
The Ohio courts have not decided whether to apply proximate cause in the
context of a fidelity bond or commercial crime policy. Despite plaintiffs’ suggestion
otherwise, no implicit holding on the issue of causation can be read into the one Ohio
court decision that involved a claim for loss “resulting directly from” forgery under a
financial institution bond. See Bank One, Steubenville, NA v. Buckeye Union Ins. Co.,
683 N.E.2d 50 (Ohio App. 1996) (holding that use of a signature stamp without
authorization constituted forgery), appeal not allowed, 674 N.E.2d 1186 (Ohio
Jan. 29, 1997). Nonetheless, plaintiffs have identified a few Ohio court decisions in
which the court applied a proximate cause standard to determine whether there was a
“direct loss” under other kinds of first party coverage. See, e.g., Amstutz Hatcheries of
Celina, Inc. v. Grain Dealers Mut. Ins. Co., No. 4-77-4, 1978 WL 215799, at *1-2
(Ohio App. Mar. 15, 1978) (finding coverage against loss of chickens “directly and
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 14
immediately resulting from” lightning included suffocation when lightning knocked out
power to ventilation system); Yunker v. Republic-Franklin Ins. Co., 442 N.E.2d 108,
113-14 (Ohio App. 1982) (applying proximate cause standard to determine “direct loss”
under windstorm policy). Defendant argues that these cases are distinguishable, but has
not identified any Ohio decisions that decline to apply a proximate cause standard in
determining “direct” loss. Although not relied upon by the district court, these cases
support the conclusion that the Ohio courts would apply a proximate cause standard to
determine whether the loss was covered in this case.
Consistent with general principles of insurance contract interpretation under Ohio
law, we agree with the district court’s determination that the Ohio Supreme Court would
apply a proximate cause standard to determine whether plaintiffs sustained loss
“resulting directly from” the “theft of Insured property by Computer Fraud.”
2. Exclusion 9
There is a general presumption under Ohio law that what is not clearly excluded
from coverage is included. Moorman v. Prudential Ins. Co. of Am., 445 N.E.2d 1122,
1124 (Ohio 1983). That is, “an exclusion from liability must be clear and exact in order
to be given effect.” Lane v. Grange Mut. Cos., 543 N.E.2d 488, 490 (Ohio 1989). If an
exclusion is ambiguous, it is construed in favor of affording coverage to the insured. St.
Marys Foundry, Inc. v. Emp’rs Ins. of Wausau, 332 F.3d 989, 993 (6th Cir. 2003) (Ohio
law). The insurer bears the burden of proving the applicability of an exclusion in its
policy. Cont’l Ins. Co. v. Louis Marx Co., 415 N.E.2d 315, 317 (Ohio 1980).
Apart from the question of coverage, defendant relied on the following specific
exclusion in Paragraph 9 of Endorsement 17:
9. Coverage does not apply to any loss of proprietary
information, Trade Secrets, Confidential Processing
Methods, or other confidential information of any kind.
Defendant argues that the district court erred in finding that this exclusion did not bar
coverage in this case.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 15
Relying on dictionary definitions for the word “loss,” the district court found that
“loss of” was ambiguous because it could reasonably mean either “destruction of” or
“deprivation/losing possession of” the specified items. However, as defendant argues,
the existence of more than one dictionary definition does not make a term ambiguous.
See AGK Holdings, Inc. v. Essex Ins. Co., 142 F. App’x 889, 892 (6th Cir. 2005)
(unpublished). By excluding coverage for any loss, Paragraph 9 plainly excludes
coverage for both loss by destruction and loss of possession of the specified items.
Plaintiffs also argue that “any loss” should not be read to include fraudulent accessing
and copying of information without removing, interfering with access, or destroying the
data on plaintiffs’ computer system. However, the plain and ordinary meaning of “any
loss” encompasses the “theft” of such data even if it is not destroyed or rendered
inaccessible in the process. Finally, the district court found that the exclusion did not
clearly include financial loss because “any loss of” an item is not the same as financial
loss attributed to the loss of an item. However, if there were no coverage for the loss of
the information itself, there would also be no coverage for damages resulting from the
loss of the information.
Nonetheless, the district court also concluded that even if the copying of
customer information was a “loss” it was not a loss of “proprietary information . . . or
other confidential information of any kind.” Defendant has not shown that this was
error. Defendant argues first that plaintiffs should be bound to an interpretation
consistent with the assertions made by counsel in five short cover letters to the FTC
stating that plaintiffs considered “the enclosed documents to be highly confidential, as
the documents address security measures used by DSW to maintain the confidentiality
of its trade secret and proprietary information (which includes customer information).”
On the contrary, the parenthetical reference to “customer information” cannot be
considered an admission regarding the applicability of the Exclusion in paragraph 9.
Moreover, plaintiffs respond that the documents which were disclosed under these cover
letters did not actually include the downloaded customer payment information in
question.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 16
Examining the exclusion for its plain and ordinary meaning, the district court
concluded that loss of proprietary information would mean the loss of information “to
which Plaintiffs own or hold single or sole right.” In fact, as the district court found, the
stolen customer information was not “proprietary information” at all, since the
information is owned or held by many, including the customer, the financial institution,
and the merchants to whom the information is provided in the ordinary stream of
commerce. The district court did not err in finding that the stored data consisting of
customer credit card and checking account information would not come within the plain
and ordinary meaning of “proprietary information.”5
Defendant made no claim that the customer information constituted “Trade
Secrets” or “Confidential Processing Methods,” but argued that the customer information
came within the broad “catch-all” clause excluding coverage for “loss of . . . confidential
information of any kind.” As defendant argued, the evidence shows that plaintiffs
recognized in contracts with credit card companies, under standards applicable to the
processing of credit card payments, and in internal policies and procedures, that the
confidentiality of customer credit card and checking account information would and
should be protected from unauthorized access or disclosure. However, to interpret
“other confidential information of any kind” as defendant urges—to mean any
information belonging to anyone that is expected to be protected from unauthorized
disclosure—would swallow not only the other terms in this exclusion but also the
coverage for computer fraud.
The district court rejected the broad interpretation of “confidential information”
urged by defendant because, under the principle of ejusdem generis, the general term
must take its meaning from the specific terms with which it appears. See Allinder v.
Inter-City Prods. Corp., 152 F.3d 544, 549 (6th Cir. 1998). Although defendant argues
5
Defendant cites to a partially reversed decision that described extensive and detailed customer
profiles (including personal information, preferences, and travel histories) kept by the Four Seasons Hotels
as proprietary in a case alleging misappropriation of trade secrets and violation of federal statutes. See
Four Seasons Hotels & Resorts BV v. Consorcio Barr, SA., 267 F. Supp. 2d 1268, 1276-78 (S.D. Fla.
2003), rv’d in part without opinion, 138 F. App’x 297 (11th Cir. 2005). There is no indication that
plaintiffs’ centrally stored file of customer payment data contained similarly proprietary information.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 17
that this rule of statutory construction does not apply to insurance contracts, the Ohio
courts have used the doctrine of ejusdem generis in interpreting insurance and other
contracts. See, e.g., Sherwin-Williams Co. v. Travelers Cas. & Sur. Co., No. 82867,
2003 WL 22671621, at *4 (Ohio App. Nov. 13, 2003) (applying doctrine to limit
“invasion of right to private occupancy” to preceding terms “wrongful entry” and
“eviction”); Direct Carpet Mills Outlet v. Amalg. Realty Co., No. 87AP-101, 1988 WL
84405, at *3 (Ohio App. Aug. 11, 1988) (finding “accident of any kind” in exclusion
must be read to refer to accidents similar in kind to the terms “fire, explosion, and wind”
that preceded it). Moreover, defendant’s contention that the doctrine does not apply
because the exclusion does not list specific terms followed by a general term is without
merit. The terms “Trade Secrets” and “Confidential Processing Methods” were
capitalized, suggesting a specific meaning, although they were not defined in the policy.
Looking to the common law definition of “trade secrets,” and dictionary
definitions for “confidential” “processing” and “method,” the district court reasonably
concluded that the term “Trade Secrets” means “Plaintiffs’ information which is used
in Plaintiffs’ business, and which gives Plaintiff an opportunity to obtain advantage over
competitors who do not know or use the information.” Similarly, “Confidential
Processing Methods” means plaintiffs’ secret process or technique for doing something,
“which in the context of the Exclusion, relates to Plaintiff[s’] business operation.” The
district court did not err in finding that “proprietary information,” “Trade Secrets,” and
“Confidential Processing Methods,” are specific terms that all pertain to secret
information of plaintiffs involving the manner in which the business is operated. The
last item, “other confidential information of any kind,” is most certainly general and
should be interpreted as part of the sequence to refer to “other secret information of
Plaintiffs which involves the manner in which the business is operated.” The “stolen”
customer information was not plaintiffs’ confidential information, but was obtained from
customers in order to receive payment, and did not involve the manner in which the
business is operated. The district court did not err in finding that the loss in this case
was not clearly excluded by Paragraph 9 of Endorsement 17.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 18
B. Plaintiffs’ Cross-Appeal
Plaintiffs appeal the decision granting summary judgment to defendant on the tort
claim for breach of the duty of good faith and fair dealing under Ohio law. See Hoskins
v. Aetna Life Ins. Co., 452 N.E.2d 1315, 1316 (Ohio 1983). An insurer fails to exercise
good faith when it refuses to pay a claim without “reasonable justification.” Zoppo v.
Homestead Ins. Co., 644 N.E.2d 397, 399-400 (Ohio 1994) (holding that actual intent
is not an element of the tort of bad faith); see also Corbo Props., Ltd. v. Seneca Ins. Co.,
771 F. Supp. 2d 877, 880 (N.D. Ohio 2011). Denial of a claim may be reasonably
justified when “the claim was fairly debatable and the refusal was premised on either the
status of the law at the time of the denial or the facts that gave rise to the claim.”
Tokles & Son, Inc. v. Midwestern Indemn. Co., 605 N.E.2d 936, 943 (Ohio 1992).
First, arguing that the district court applied the wrong legal standard, plaintiffs
contend that Ohio’s default-ambiguity rule of construction means that an insurer can
deny coverage in good faith only if it had reason to believe that its interpretation was the
only reasonable one. There is no support for this proposition in Ohio law, which
recognizes distinct standards for determining breach of contract and breach of the duty
of good faith. In fact, the Ohio Supreme Court has stated that “[m]ere refusal to pay
insurance is not, in itself, conclusive of bad faith.” Hoskins, 452 N.E.2d at 1320; see
Schuetz v. State Farm Fire & Cas. Co., 890 N.E.2d 374, 393-94 (Ohio Ct. Com. Pl.
2007) (rejecting argument that breach of the duty to defend also establishes bad faith).
To incorporate the default-ambiguity cannon into a bad faith claim as plaintiffs suggest
would conflate the two claims and equate bad faith with breach of contract.6
Next, plaintiffs challenge the district court’s conclusion that the coverage
question was “fairly debatable” on the grounds that the defendant did not, in fact, rely
on the “direct loss” issue in denying coverage. Although the denial letters did not
specifically reference the “resulting directly from” language, there was mention of the
fact that the policy did not cover “indirect losses” such as fines, penalties and interest.
6
Plaintiffs’ reliance on the Tenth Circuit’s decision to the contrary in Wolf v. Prudential
Insurance Co. of America, 50 F.3d 793, 800 (10th Cir. 1995), is misplaced.
Nos. 10-4576/4608 Retail Ventures, et al. v. Nat’l Union Fire Ins. Page 19
Further, as the district court concluded, the failure to reference the “resulting directly
from” language in the claim file itself does not demonstrate bad faith on the part of the
insurer.
Moreover, the district court also concluded that defendant had reasonable
justification for the refusal to pay because its interpretation of the Exclusion in paragraph
9 was incorrect but not unreasonable. Plaintiffs disagree and again argue that defendant
did not have an objectively reasonable basis to believe that its interpretation of the
exclusion was the only reasonable one. On the contrary, as the district court found,
defendant’s claim that the consumer information fell within the plain and ordinary
meaning of “other confidential information of any kind” was factually and legally
reasonable in light of the confidential nature of the customer information and the claim
that esjudem generis did not apply.
Nor is there a question about the adequacy or reasonableness of defendant’s
investigation of the claim. In truth, plaintiffs’ complaint is not really that the
investigation was inadequate, but rather that defendant was not satisfied with the first
legal opinion it received. We cannot conclude, however, that requesting a second
opinion under the circumstances made the investigation so one-sided as to constitute bad
faith.
AFFIRMED.