The appellate court's decision noted that the commercial general liability policies precluded coverage of “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” (Credit: Diego M. Radzinschi/ALM)
The U.S. Court of Appeals for the Sixth Circuit on Monday upheld a judge’s ruling that insurance companies did not have to cover Home Depot’s defense and settlement costs stemming from a data breach, pointing to an electronic data exclusion provision in their policies.
The Sixth Circuit’s decision noted that Steadfast Insurance Co. and Great American Assurance Co.’s commercial general liability policies precluded coverage of “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
After hackers stole Home Depot customers' payment card information, financial institutions sued the retailer over losses associated with reissuing physical payment cards. Home Depot settled the claims for $170 million and asked the two insurers to cover $50 million in costs not paid for by the retailer’s separate cyber insurers.
When the two insurers refused, Home Depot sued and alleged they have a duty to pay.
But the Sixth Circuit said that card data payment is clearly electronic data and that card re-issuance and diminished card usage after the breach involves a “loss of” that electronic data, making the claims not covered by the insurance policies.
“A ‘loss of use’ is the inability to use an item. A 'loss of use' occurs when an item exists but has lost its function. That’s what happened here: Purchasers could no longer use their payment card data to make secure payments,” Judge Amul Thapar wrote for the court.
The panel went on to say the re-issuance and reduced usage damages would not have occurred but for the cyber attack and that the insurers had no duty to defend Home Depot under policies that exclude claims arising from the loss of electronic data.
“All told, these cases indicate that what matters isn’t whether the party can make an argument for coverage," Thapar wrote. "Instead, the ultimate question is whether the policy could arguably cover the complaint’s allegations. And here, the policy’s terms expressly deny coverage."
Thapar was joined in the opinion by Judges Jane Stranch and Eric Murphy.
In a concurrence, Judge Eric Murphy agreed that the insurance policies bar coverage for the data breach but said he wasn’t confident that the breach itself caused a “loss of use” of the electronic payment card data.
“In short, the data breach either caused a ‘loss of use’ of the physical payment cards and the electronic payment-card data or it caused a ‘loss of use’ of neither of them," Murphy wrote. "Either way, the policy would not cover the customers’ reduced usage (either because that reduced usage would not fall within the affirmative coverage language or because it would fall within the coverage exclusion).”
Latham & Watkins partner Roman Martinez, who argued for Home Depot, did not immediately return a request for comment Tuesday.
Steadfast Insurance was represented by Coughlin Midlige & Garland, and Great American Assurance Company was represented by Meagher + Geer.
The Sixth Circuit rendered its decision in Home Depot Inc. v. Steadfast Insurance Co., No. 23-3720.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.