RALPH B. GUY, JR., Circuit Judge.
Defendant National Union Fire Insurance Company of Pittsburgh, PA, a subsidiary of AIG, Inc., appeals from the final judgment entered in favor of plaintiffs Retail Ventures, Inc., DSW Inc., and DSW Shoe Warehouse, Inc., for more than $6.8 million in stipulated losses and prejudgment interest. Plaintiffs prevailed on cross-motions for summary judgment with respect to the claim for coverage under a computer fraud rider to a "Blanket Crime Policy" for losses resulting from a computer hacking scheme that compromised customer credit card and checking account information. Defendant claims the district court erred: (1) in finding that plaintiffs suffered a loss "resulting directly from" the "theft of any Insured property by Computer Fraud"; and (2) in rejecting application of the exclusion of "any loss of proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind." Plaintiffs' cross-appeal challenges the district court's rejection of the tort claim for breach of the duty of good faith and fair dealing. After review of the record and consideration of the arguments presented on appeal, the judgment of the district court is affirmed.
The circumstances surrounding the hacking incident are not at issue on appeal, although it is now known that it was part of a larger scheme led by convicted computer hacker Albert Gonzalez. Briefly, between February 1 and February 14, 2005, hackers used the local wireless network at one DSW store to make unauthorized access to plaintiffs' main computer system and download credit card and checking account information pertaining to more than 1.4 million customers of 108 stores.
In the wake of the data breach, plaintiffs incurred expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven state Attorneys General and the Federal Trade Commission (FTC). The FTC's inquiry was resolved administratively with a consent decree requiring, inter alia, that plaintiffs establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In the Matter of DSW, Inc., No. C-4157, 2006 WL 752215 (F.T.C. Mar. 7, 2006). The largest share of the losses — more than $4 million — arose from the compromised credit card information: namely, costs associated with charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard. That amount was determined by the settlement of plaintiffs' contractual obligations with credit card processor, National Processing Company,
Plaintiffs submitted an initial partial proof of loss and supporting information in September 2005. Defendant sent that partial claim to outside counsel for analysis of the coverage question — first to John Petro, Esq., and then to Thomas Hanlon, Esq. — before denying coverage for the reasons stated in a letter dated January 30, 2006. Petro initially opined that there was coverage under the computer fraud rider, but he later backtracked and agreed with Hanlon's assessment that the loss was excluded. Asserting that defendant's investigation was so inadequate or "one-sided" as to establish bad faith, plaintiffs point to defendant's pursuit of the second opinion from an attorney whose firm regularly provided services to AIG and Petro's explanation of how he "missed" the exclusion pointed out by Hanlon.
The January 2006 denial letter questioned the "location" of the loss; stated that the loss appeared to be excluded because it related to the theft of confidential customer information excluded by Paragraph 9 of the computer fraud rider; and added in a footnote that the policy did not cover "indirect loss" in light of Exclusion 2(m). Plaintiffs responded by disclosing additional information — including the forensic analysis of the computer breach prepared a year earlier — to defendant on April 24, 2006; submitting a supplemental partial proof of loss on May 8, 2006; and commencing this lawsuit on May 9, 2006. Defendant subsequently clarified its position, but continued to deny coverage in a letter dated May 12, 2006. That letter explained that coverage would still be excluded because the claims arose from "third party theft of proprietary confidential customer credit card information." A final proof of loss was not submitted by plaintiffs until June 29, 2007.
Plaintiffs' claims for declaratory judgment, breach of contract, and breach of the duty of good faith and fair dealing were answered by defendant's counterclaim seeking declaratory judgment in its favor. Defendant alleged that plaintiffs had not sustained loss "resulting directly from" the theft of customer information; that general exclusions in Paragraph 2(k), (m) and (n) applied; and that coverage was specifically excluded under Paragraph 9 of Endorsement 17. After discovery, cross-motions for summary judgment were filed in two waves. The district court resolved the coverage and exclusion issues in plaintiffs' favor in the opinion and order issued March 30, 2009, and rejected plaintiffs' claims of bad faith in a separate opinion and order issued September 28, 2010. Then, to resolve the issues that remained for trial without waiving the right to appeal, the parties stipulated to a summary of losses incurred by plaintiffs (minus the self-insured retention) totaling more than $5.3 million and the calculation of associated prejudgment interest in excess of $1.49 million. Judgment was entered accordingly. Defendant appealed, and plaintiffs have cross-appealed.
Summary judgment is appropriate when, viewing the factual inferences and all reasonable inferences in favor of the nonmoving party, there are no genuine issues of material fact in dispute and the moving party is entitled to judgment as a
In this diversity action governed by Ohio law, contract interpretation is a question of law for the court. Leber v. Smith, 70 Ohio St.3d 548, 639 N.E.2d 1159, 1163 (1994). The district court correctly summarized the general principles of contract interpretation as follows:
We must determine how the Ohio courts would interpret the policy by looking first to Ohio law as determined by the Ohio Supreme Court, and then to all other sources. Bovee v. Coopers & Lybrand CPA, 272 F.3d 356, 361 (6th Cir.2001).
The only coverage provisions at issue are found in Endorsement 17's "Insuring Agreement XVIII," entitled "Computer & Funds Transfer Fraud Coverage." Specifically, defendant agreed in pertinent part to pay the insured for:
Endorsement 17 defines "Computer Fraud" to mean "the wrongful conversion of assets under the direct or indirect control
Endorsement 17 adds that coverage applied "only with respect to ... Money or Securities or Property located on the premises of the Insured."
Three general exclusions, which Endorsement 17 made applicable to Insuring Agreement XVIII, are relied upon by defendant to support the contention that only first party coverage was intended. Those exclusions, found in Section 2(k), (m), and (n) provide that the policy "does not apply":
Except for (m), these exclusions represent limits placed on coverage for an insured's own damages and do not speak to third party losses.
Defendant does not dispute that the unauthorized access and copying of customer information stored on plaintiffs' computer system involved the "theft of any Insured property by Computer Fraud," (although there is no indication whether it was property owned by plaintiffs, held in some capacity by plaintiffs, or was property for which plaintiffs were legally liable). What is disputed, however, is whether the district court was correct in concluding in this case of first impression that the loss plaintiffs sustained was loss resulting directly from the theft of insured property by computer fraud. The district court predicted that the Ohio Supreme Court would follow those cases that interpret "resulting directly from" as imposing a traditional proximate cause standard in this context.
Defendant argues first that the commercial crime policy is a "fidelity bond" and therefore must be interpreted to provide only first party coverage. The district court found that the policy was "not a fidelity bond, in toto, as it provided more than fidelity coverage." Further, the district court explained that Endorsement 17 "is not a fidelity bond as there is no mention of employee dishonesty" and that "the terms of Endorsement 17 indicate coverage for losses to third-party assets." While it is true that "fidelity bonds," or "financial institution bonds," typically provide more than just fidelity coverage (i.e., fidelity, forgery, on-premises and off-premises coverage), defendant overstates the significance of the analogy to the fidelity bond cases and the Standard Form 24, Standard Financial Institution Bond. See First State Bank of Monticello v. Ohio Cas. Ins. Co., 555 F.3d 564, 568 (7th Cir. 2009) (Ill.law) (discussing fidelity bonds).
Nonetheless, to the extent that the district court may have erroneously (or inconsistently) disregarded some fidelity bond cases on that basis, it is clear that the label given to a policy is not determinative of coverage. See Hillyer v. State Farm Fire & Cas. Co., 97 Ohio St.3d 411, 780 N.E.2d 262, 265 (2002) (holding that "it is the type of coverage provided, not the label affixed by the insurer, that determines the type of policy"). Moreover, even in the context of fidelity or dishonest employee coverage, there is no universal agreement among the courts concerning the meaning of the phrase "resulting directly from." See Universal Mortg. Corp. v. Wurttembergische Versicherung AG, 651 F.3d 759, 762 (7th Cir.2011) (describing two competing "interpretive camps"); The Question of Causation in Loan Loss Cases, 11 FIDELITY L. ASS'N J. 97, 98 (2005) (noting "split" of authority).
Defendant urges this court to interpret the "resulting directly from" language as unambiguously requiring that the theft of property by computer fraud be the "sole" and "immediate" cause of the insured's loss. See, e.g., RBC Mortg. Co. v. Nat'l Union Fire Ins. Co. of Pittsburgh, 349 Ill.App.3d 706, 285 Ill.Dec. 908, 812 N.E.2d 728 (2004) (Ill.law) (adopting a direct-means-direct standard). Under this approach, loss "resulting directly from" employee misconduct refers only to the insured's own loss from employee misconduct and not the insured's vicarious liability to third parties. See Vons Cos. v. Fed. Ins. Co., 212 F.3d 489, 492-93 (9th Cir. 2000) (direct means no vicarious liability); Aetna Cas. & Sur. Co. v. Kidder, Peabody & Co., 246 A.D.2d 202, 209-10, 676 N.Y.S.2d 559 (1998) (finding no coverage for third-party claims arising out of misconduct of employee who disclosed confidential information to others that resulted in massive insider trading losses). The Seventh Circuit describes this line of authority as holding that "when an insured incurs liability to a third party — whether in contract or tort — as a result of employee misconduct, financial loss resulting from that liability is not `directly' caused by the employee misconduct and therefore is not covered by fidelity bonds containing direct-loss language." Universal Mortg., 651 F.3d at 762 (discussing RBC (Ill.law) and Tri City Nat'l Bank v. Fed. Ins. Co., 268 Wis.2d 785, 674 N.W.2d 617, 622-24 (App.2003) (Wis.law)).
Defendant argues next that this court has already adopted a "heightened" standard for demonstrating "loss resulting directly from" forgery under a fidelity bond. Flagstar Bank, FSB v. Fed. Ins. Co., 260 Fed.Appx. 820 (6th Cir.2008) (Mich.law) (unpublished); see also Merchants Bank & Trust v. Cincinnati Ins. Co., No. 06-cv-561, 2008 WL 728332, at *4 (S.D.Ohio Mar. 14, 2006) (unpublished). However, this argument overstates both the holding in Flagstar and its application to this case.
First, there was no issue of liability to third parties in Flagstar as the insured was seeking coverage for its own losses incurred when a mortgage broker defaulted on a $20 million line of credit obtained using fraudulent mortgage documents that were premised on fictitious collateral. Flagstar, 260 Fed.Appx. at 821. This court held that because the forged promissory notes "would not have held value even if they had authentic signatures," Flagstar's loss did not result directly from the forgery. Id. at 822-23. We explained that: "The district court correctly followed the logic of cases holding that financial institution bonds, which cover losses resulting either directly or indirectly from forgery, do not cover losses arising from the extension of loans based on fictitious collateral." Id. at 823 (citations omitted); see also Beach Comm. Bank v. St. Paul Mercury Ins. Co., 635 F.3d 1190, 1196 (11th Cir.2011). This was also the basis for distinguishing this court's prior decision in Union Planters Bank, which involved forged signatures on duplicate mortgages. See Union Planters Bank, NA v. Cont'l Cas. Co., 478 F.3d 759 (6th Cir.2007).
Plaintiffs maintain that the district court correctly concluded that the Ohio Supreme Court would follow those courts that have adopted proximate cause as the standard for determining "direct loss" in the fidelity coverage context. See, e.g., Auto Lenders Acceptance Corp. v. Gentilini Ford, Inc., 181 N.J. 245, 854 A.2d 378, 385-86 (2004) (N.J.law); Frontline Processing Corp. v. Am. Econ. Ins. Co., 335 Mont. 192, 149 P.3d 906, 909-11 (2006); Scirex Corp. v. Fed. Ins. Co., 313 F.3d 841, 850 (3d Cir. 2002) (Pa.law); FDIC v. Nat'l Union Fire Ins. Co. of Pittsburgh, 205 F.3d 66, 76 (2d Cir.2000) (N.J.law); Resolution Trust Corp. v. Fid. & Deposit Co. of Md., 205 F.3d 615, 655 (3d Cir.2000) (N.J.law); Jefferson Bank v. Progressive Cas. Ins. Co., 965 F.2d 1274, 1281-82 (3d Cir.1992) (Pa. law).
In Auto Lenders, the most prominently cited of these cases, the insurer argued that losses incurred by the insured in repurchasing fraudulent installment loan contracts were not covered because there was no "direct loss of or damage to" property, money, or securities as a result of employee dishonesty. Rejecting this contention, the New Jersey Supreme Court adopted "the conventional proximate cause test as the correct standard to apply when determining whether a loss resulted from the dishonest acts of an employee." Auto Lenders, 854 A.2d at 387. The Court explained (1) that although the New Jersey courts had not decided the issue in the context of fidelity or dishonest employee coverage, proximate cause had been applied in determining direct loss under other kinds of insurance; (2) that federal courts, including the Second and Third Circuits in Scirex, FDIC, and Resolution Trust, had adopted a proximate cause standard for determining "direct loss" as a result of employee dishonesty; and (3) that this standard was consistent with the general principle of New Jersey law that coverage provisions are to be interpreted broadly.
Similarly, the Montana Supreme Court held that "the term `direct loss' when used in the context of employee dishonesty coverage afforded under a business owner's liability policy, applies to consequential damages incurred by the insured that were proximately caused by the alleged dishonesty." Frontline Processing, 149 P.3d at 911. After its CFO embezzled funds and failed to pay its payroll and income taxes, Frontline sought coverage for costs it incurred to investigate its employee's misconduct, address the financial condition of the company, and pay costs, fees, penalties and interest assessed by the IRS. The
Without ignoring that this is a commercial crime policy directed at the insured's loss and not a commercial liability policy, our task is to determine the intention of the parties from the plain and ordinary meaning of the specific language used. A policy prepared by an insurer "must be construed liberally in favor of the insured and strictly against the insurer if the language used is doubtful, uncertain or ambiguous." Am. Fin. Corp. v. Fireman's Fund Ins. Co., 15 Ohio St.2d 171, 239 N.E.2d 33, 35 (1968). Despite defendant's arguments to the contrary, we find that the phrase "resulting directly from" does not unambiguously limit coverage to loss resulting "solely" or "immediately" from the theft itself. In fact, Endorsement 17 provided coverage for loss that the insured sustained "resulting directly from" the "theft of any Insured property by Computer Fraud," which includes the "wrongful conversion of assets under the direct or indirect control of a Computer System by means of ... fraudulent accessing of such Computer System." Nor are we persuaded that the general exclusions in Section 2(k), (m), and (n) clarify the scope of the computer fraud coverage under Endorsement 17. When the exclusionary language is taken with the computer fraud coverage provisions in Endorsement 17, the meaning of the phrase "resulting directly from" is still ambiguous.
The Ohio courts have not decided whether to apply proximate cause in the context of a fidelity bond or commercial crime policy. Despite plaintiffs' suggestion otherwise, no implicit holding on the issue of causation can be read into the one Ohio court decision that involved a claim for loss "resulting directly from" forgery under a financial institution bond. See Bank One, Steubenville, NA v. Buckeye Union Ins. Co., 114 Ohio App.3d 248, 683 N.E.2d 50 (1996) (holding that use of a signature stamp without authorization constituted forgery), appeal not allowed, 77 Ohio St.3d 1548, 674 N.E.2d 1186 (Ohio Jan. 29, 1997). Nonetheless, plaintiffs have identified a few Ohio court decisions in which the court applied a proximate cause standard to determine whether there was a "direct loss" under other kinds of first party coverage. See, e.g., Amstutz Hatcheries of Celina, Inc. v. Grain Dealers Mut. Ins. Co., No. 4-77-4, 1978 WL 215799, at *1-2 (Ohio App. Mar. 15, 1978) (finding coverage against loss of chickens "directly and immediately resulting from" lightning included suffocation when lightning knocked out power to ventilation system); Yunker v. Republic-Franklin Ins. Co., 2 Ohio App.3d 339, 442 N.E.2d 108, 113-14 (1982) (applying proximate cause standard to determine "direct loss" under windstorm policy). Defendant argues that these cases are distinguishable, but has not identified any Ohio decisions that decline to apply a proximate cause standard in determining "direct" loss. Although not relied upon by the district court, these cases support the conclusion that the Ohio courts would apply a proximate cause standard to determine whether the loss was covered in this case.
Consistent with general principles of insurance contract interpretation under Ohio law, we agree with the district court's determination that the Ohio Supreme Court would apply a proximate cause standard to determine whether plaintiffs sustained loss
There is a general presumption under Ohio law that what is not clearly excluded from coverage is included. Moorman v. Prudential Ins. Co. of Am., 4 Ohio St.3d 20, 445 N.E.2d 1122, 1124 (1983). That is, "an exclusion from liability must be clear and exact in order to be given effect." Lane v. Grange Mut. Cos., 45 Ohio St.3d 63, 543 N.E.2d 488, 490 (1989). If an exclusion is ambiguous, it is construed in favor of affording coverage to the insured. St. Marys Foundry, Inc. v. Emp'rs Ins. of Wausau, 332 F.3d 989, 993 (6th Cir.2003) (Ohio law). The insurer bears the burden of proving the applicability of an exclusion in its policy. Cont'l Ins. Co. v. Louis Marx Co., 64 Ohio St.2d 399, 415 N.E.2d 315, 317 (1980).
Apart from the question of coverage, defendant relied on the following specific exclusion in Paragraph 9 of Endorsement 17:
Defendant argues that the district court erred in finding that this exclusion did not bar coverage in this case.
Relying on dictionary definitions for the word "loss," the district court found that "loss of" was ambiguous because it could reasonably mean either "destruction of" or "deprivation/losing possession of" the specified items. However, as defendant argues, the existence of more than one dictionary definition does not make a term ambiguous. See AGK Holdings, Inc. v. Essex Ins. Co., 142 Fed.Appx. 889, 892 (6th Cir.2005) (unpublished). By excluding coverage for any loss, Paragraph 9 plainly excludes coverage for both loss by destruction and loss of possession of the specified items. Plaintiffs also argue that "any loss" should not be read to include fraudulent accessing and copying of information without removing, interfering with access, or destroying the data on plaintiffs' computer system. However, the plain and ordinary meaning of "any loss" encompasses the "theft" of such data even if it is not destroyed or rendered inaccessible in the process. Finally, the district court found that the exclusion did not clearly include financial loss because "any loss of" an item is not the same as financial loss attributed to the loss of an item. However, if there were no coverage for the loss of the information itself, there would also be no coverage for damages resulting from the loss of the information.
Nonetheless, the district court also concluded that even if the copying of customer information was a "loss" it was not a loss of "proprietary information ... or other confidential information of any kind." Defendant has not shown that this was error. Defendant argues first that plaintiffs should be bound to an interpretation consistent with the assertions made by counsel in five short cover letters to the FTC stating that plaintiffs considered "the enclosed documents to be highly confidential, as the documents address security measures used by DSW to maintain the confidentiality of its trade secret and proprietary information (which includes customer information)." On the contrary, the parenthetical reference to "customer information" cannot be considered an admission regarding the applicability of the Exclusion in paragraph 9. Moreover, plaintiffs respond that the documents which were disclosed under these cover letters did not actually include the downloaded customer payment information in question.
Examining the exclusion for its plain and ordinary meaning, the district court
Defendant made no claim that the customer information constituted "Trade Secrets" or "Confidential Processing Methods," but argued that the customer information came within the broad "catch-all" clause excluding coverage for "loss of... confidential information of any kind." As defendant argued, the evidence shows that plaintiffs recognized in contracts with credit card companies, under standards applicable to the processing of credit card payments, and in internal policies and procedures, that the confidentiality of customer credit card and checking account information would and should be protected from unauthorized access or disclosure. However, to interpret "other confidential information of any kind" as defendant urges — to mean any information belonging to anyone that is expected to be protected from unauthorized disclosure — would swallow not only the other terms in this exclusion but also the coverage for computer fraud.
The district court rejected the broad interpretation of "confidential information" urged by defendant because, under the principle of ejusdem generis, the general term must take its meaning from the specific terms with which it appears. See Allinder v. Inter-City Prods. Corp., 152 F.3d 544, 549 (6th Cir.1998). Although defendant argues that this rule of statutory construction does not apply to insurance contracts, the Ohio courts have used the doctrine of ejusdem generis in interpreting insurance and other contracts. See, e.g., Sherwin-Williams Co. v. Travelers Cas. & Sur. Co., No. 82867, 2003 WL 22671621, at *4 (Ohio App. Nov. 13, 2003) (applying doctrine to limit "invasion of right to private occupancy" to preceding terms "wrongful entry" and "eviction"); Direct Carpet Mills Outlet v. Amalg. Realty Co., No. 87AP-101, 1988 WL 84405, at *3 (Ohio App. Aug. 11, 1988) (finding "accident of any kind" in exclusion must be read to refer to accidents similar in kind to the terms "fire, explosion, and wind" that preceded it). Moreover, defendant's contention that the doctrine does not apply because the exclusion does not list specific terms followed by a general term is without merit. The terms "Trade Secrets" and "Confidential Processing Methods" were capitalized, suggesting a specific meaning, although they were not defined in the policy.
Looking to the common law definition of "trade secrets," and dictionary definitions for "confidential" "processing" and "method," the district court reasonably concluded that the term "Trade Secrets" means "Plaintiffs' information which is used in
Plaintiffs appeal the decision granting summary judgment to defendant on the tort claim for breach of the duty of good faith and fair dealing under Ohio law. See Hoskins v. Aetna Life Ins. Co., 6 Ohio St.3d 272, 452 N.E.2d 1315, 1316 (1983). An insurer fails to exercise good faith when it refuses to pay a claim without "reasonable justification." Zoppo v. Homestead Ins. Co., 71 Ohio St.3d 552, 644 N.E.2d 397, 399-400 (1994) (holding that actual intent is not an element of the tort of bad faith); see also Corbo Props., Ltd. v. Seneca Ins. Co., 771 F.Supp.2d 877, 880 (N.D.Ohio 2011). Denial of a claim may be reasonably justified when "the claim was fairly debatable and the refusal was premised on either the status of the law at the time of the denial or the facts that gave rise to the claim." Tokles & Son, Inc. v. Midwestern Indemn. Co., 65 Ohio St.3d 621, 605 N.E.2d 936, 943 (1992).
First, arguing that the district court applied the wrong legal standard, plaintiffs contend that Ohio's default-ambiguity rule of construction means that an insurer can deny coverage in good faith only if it had reason to believe that its interpretation was the only reasonable one. There is no support for this proposition in Ohio law, which recognizes distinct standards for determining breach of contract and breach of the duty of good faith. In fact, the Ohio Supreme Court has stated that "[m]ere refusal to pay insurance is not, in itself, conclusive of bad faith." Hoskins, 452 N.E.2d at 1320; see Schuetz v. State Farm Fire & Cas. Co., 147 Ohio Misc.2d 22, 890 N.E.2d 374, 393-94 (Ohio Ct.Com.Pl.2007) (rejecting argument that breach of the duty to defend also establishes bad faith). To incorporate the default-ambiguity canon into a bad faith claim as plaintiffs suggest would conflate the two claims and equate bad faith with breach of contract.
Next, plaintiffs challenge the district court's conclusion that the coverage question was "fairly debatable" on the grounds that the defendant did not, in fact, rely on the "direct loss" issue in denying coverage. Although the denial letters did not specifically reference the "resulting directly from" language, there was mention of the fact that the policy did not cover "indirect losses" such as fines, penalties and interest. Further, as the district court concluded, the failure to reference
Moreover, the district court also concluded that defendant had reasonable justification for the refusal to pay because its interpretation of the Exclusion in paragraph 9 was incorrect but not unreasonable. Plaintiffs disagree and again argue that defendant did not have an objectively reasonable basis to believe that its interpretation of the exclusion was the only reasonable one. On the contrary, as the district court found, defendant's claim that the consumer information fell within the plain and ordinary meaning of "other confidential information of any kind" was factually and legally reasonable in light of the confidential nature of the customer information and the claim that ejusdem generis did not apply.
Nor is there a question about the adequacy or reasonableness of defendant's investigation of the claim. In truth, plaintiffs' complaint is not really that the investigation was inadequate, but rather that defendant was not satisfied with the first legal opinion it received. We cannot conclude, however, that requesting a second opinion under the circumstances made the investigation so one-sided as to constitute bad faith.