Target’s general liability policy covers certain data loss, court rules

In what may be the first finding that a general liability policy will cover certain data breach losses, a U.S. District Court has ruled that Target can recover settlements it paid to banks in connection with a breach. from 2013. (Credit: Craig Lassig/Target Corp.)

The U.S. District Court in St. Paul reconsidered its earlier decision and ruled that Target Corp. can recover settlements it paid to banks in connection with a 2013 data breach under its general liability policy from its insurer, ACE American Insurance Company.

In 2013, Target discovered that a hacker had stolen payment card data and personal contact information from people with Target payment cards. This data breach concerned payment cards. As a result, the banks that issued these cards canceled the cards and issued replacements. The issuing banks incurred costs when they issued the replacement cards and sought compensation for those costs from Target. Target settled the claims of the issuing banks.

Target alleges that under ACE’s general liability policies, ACE is required to indemnify Target for payments it made to issuing banks in the form of settlements. The applicable policies provided coverage for losses resulting from property damage, including “loss of use of tangible property not physically injured”. The policies only applied to property damage if that damage was caused by an “event”.

Target gave notice to ACE and a detailed account of the loss. ACE denied coverage and refused to compensate Target for the losses. Target filed a lawsuit in St. Paul Federal District Court in November 2019, accusing the insurer of wrongfully refusing to compensate it for a portion of the costs it incurred in connection with the data breach. The lawsuit sought $74 million in costs incurred by Target.

In this week’s decision, the court said it had “erred in its prior judgment” and that Target had to meet three requirements to establish coverage for the cost of replacing payment cards: (1) losses must to have been the result of an “event”; (2) the “event” must have resulted in the “loss of use” of the property; and (3) the non-use property must have been “tangible property that is not physically damaged”.

Previously, the court found that Target could not demonstrate loss of use. That decision said neither party “has presented a legal oversight authority dealing squarely” with whether loss of use includes payment card inoperability, and its research “did not identify the authority legal directly on the point”.

Target relied on a 2010 decision from the 8th US Circuit Court of Appeals in St. Louis. Eyeblaster Inc. c. Federal Insurance Co. is factually analogous to the Target case, according to the court, which now finds that Target meets the “loss of use” requirement.

According to the judgement,[b]because payment cards are tangible property and payment cards are not physically harmed, Target has met the third requirement to establish a basis for its claim for coverage.

The court reversed its previous decision, denied ACE’s motion for summary judgment and ruled that Target had coverage for losses under its policies.

Gretchen Hoff Varner, partner at Covington & Burling LLP and lead counsel for the Covington team representing Target, said, “After nearly a decade of fierce litigation, we are pleased with the court’s decision to grant our Target client for summary judgment. , adopting our position and ordering ACE to compensate Target for the costs of replacing payment cards affected by the 2013 data breach. This is an important decision for policyholders who suffered a breach. of data or another type of cyber event. »

Editor’s note: As far as we know here at ICLC, this is one of the first rulings in the country to conclude that there is coverage for losses resulting from a data breach under a general liability policy. This may lead to more cases with a similar pattern of facts being litigated, likely with varying results. Due to the intangible nature of data, it is of the utmost importance for the industry to determine and define how data can be damaged. The standard concepts of physical damage and loss of use do not apply.