July 18, 2018 by Greg Dalgetty
Personal identifiable information (PII) isn’t the only data targeted by hackers: loyalty points are becoming increasingly popular.
Last year, customers of Loblaws, Air Miles and Petro Canada had loyalty points stolen from their accounts. It’s a trend that Brian Rosenbaum, national director of Aon Risk Solutions’ legal and research practice, expects will continue.
“I believe it’s just going to become more common,” Rosenbaum told Canadian Insurance Top Broker.
And as the problem keeps cropping up, the question of whether the theft of loyalty points is covered by existing insurance policies could become increasingly relevant.
When it comes to cyber policies, loyalty points are typically excluded from the definition of loss or damages. So if a company were sued by customers whose points were stolen, the points wouldn’t be covered. That, of course, doesn’t mean consumers wouldn’t get their points back.
“In terms of customer service, I would imagine the organization in the majority of cases would just give the points back to the aggrieved individual regardless as to whether there is a lawsuit—which would be unlikely—or insurance coverage,” Rosenbaum said.
There’s also the matter of whether a cyber policy would even kick in if, for instance, hackers were able to steal points without also accessing customers’ PII— although it’s unclear how easily they would be able to do that.
“If they did that, then a cyber policy actually might not even trigger,” Rosenbaum said. “Unless you can say the points themselves constitute confidential information, you may not trigger third-party cyber liability coverage at all.”
That leaves the possibility of a commercial crime policy kicking in to cover a theft of points. Such policies typically include a computer fraud insuring agreement, which covers the insured for a direct loss of money, securities or property resulting from computer fraud committed by a third party.
However, there are two reasons why a crime policy might not cover the loss of points.
“Number one, are points tangible property?” Rosenbaum questioned. “It’s not money, it’s not securities, and that’s a tight definition in most of these policies. So would you be able to pass the smell test that points are tangible property? I have some doubts.
“The other part that’s really significant is who actually owns the points? If the points are owned by a third party, then your commercial crime policy may not provide coverage for it. The points generally have to be owned by the insured organization.”
So, who actually owns loyalty points— the company providing them or the consumer? According to a review by Aon, a case could be made for the points being the property of the company, but there’s currently a lack of case law to support this theory.
“There’s a lot of evidence to suggest that the points are owned by the company, but we don’t know that for sure until it’s tested,” Rosenbaum said. “I think there’ going to be a real eye-opener for a lot of companies that may believe that a number of the insuring agreements on their commercial crime policy will cover this loss. I can see a lot of reasons why insurers would deny coverage based on typical wording.”
If points theft keeps picking up steam, Rosenbaum predicts we may start to see insurers exclude loyalty points from their policies.
“I think many insurers will feel they have enough ammunition in their current policies to deny coverage, but they may want to create express wording that makes it clear,” he said. “So we may see exclusions of that nature in the future.”
It’s also possible that insurers may start offering additional coverage that covers points theft.
“There might be a groundswell of motivation to create some coverage, in which case insurers will create it and charge for it,” Rosenbaum said. “They did the same for impersonation fraud coverage a few years ago.”
Copyright © 2018 Transcontinental Media G.P. This article first appeared in the April edition of Canadian Insurance Top Broker magazine
This story was originally published by Canadian Insurance Top Broker.