
The Sixth Circuit Court of Appeals ruled that a loss resulting from a cyberattack is not covered by the insured’s CGL policy. The case is Home Depot, Inc. v. Steadfast Ins. Co., 2025 U.S. App. LEXIS 687 (6th Cir. 2025).

Home Depot was the victim of a cyberattack, where unauthorized individuals hacked the company’s computer system and took the payment card information of more than 10 million consumers from self-checkout stations. When Home Depot publicly announced the breach, numerous financial institutions filed suit, seeking to recover funds they had expended in notifying their clients of the breach and responding to its effects. Those claims ultimately settled for almost $170 million.

In addition to an aggregated $1 million in cyber coverage, Home Depot had purchased an aggregated $50 million in CGL coverage from Steadfast Insurance Company and Great American Assurance Company (collectively, Steadfast). These policies covered both the loss of use of undamaged physical property and “physical damage to tangible property.”

When Home Depot submitted its claim for the cyberattack, the cyber insurers indemnified the company up to the $100 million limit. Steadfast, however, rejected the claims as falling outside the scope of its policies. First of all, the electronic data lost as a result of the attack was not considered “tangible property.” Second, the policies contained an exclusion for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” (emphasis added).

Settlement efforts were unsuccessful, and Home Depot sued. The trial judges ruled in favor of Steadfast, and Home Depot appealed.

Home Depot asserted its entitlement to indemnity for two reasons. First, under what the court called the “reissuance theory,” Home Depot said Steadfast had to pay the costs incurred in “reissuing physical payment cards” to customers whose personal data had been compromised. Second, under the “reduced usage” theory, Home Depot claimed the insurer was obligated to provide indemnity for “lost interest and transaction fees” related to fewer customers using their payment cards.

There was no meaningful debate over whether the payment card information was considered “electronic data.” Apart from falling squarely within the policy definition of “electronic data,” Home Depot had claimed that “hackers accessed electronic data on Home Depot’s self-checkout machines.” With that definition in mind, the court began its analysis of whether there had been an actual “loss of use” of the electronic data, and whether that loss had been precipitated by a covered peril.

Loss of use

Even though Georgia is not part of the Sixth Circuit Court of Appeals, which covers Michigan, Ohio, Tennessee and Kentucky, the judges applied Georgia law because it was “the only state with a significant relationship to the transaction and parties.” There was no Georgia case law relating to “loss of use” in the insurance context, so the judges applied the ordinary meaning of the term. A “loss of use,” the court said, referred to a situation where “an item exists but has lost its function.” The stolen payment card information was useful as a method of payment at Home Depot. After the cyber event, the information was rendered useless when consumers began cancelling their payment cards as a safety precaution. Since the electronic data regarding payment cards was rendered useless as a result of the data breach, the incident was within the scope of the electronic data exclusion.

Home Depot, however, argued that the payment card information had actually become “more, not less, accessible.” The payment information was already available to the card issuers and the consumers; after the data breach, it became available to not only those who had taken the payment information, but also anyone to whom the payment card information was sold.

The judges disagreed, analogizing the situation to a bank account password. The account owner’s banking information is secure so long as the owner is the only person who knows the password. If an unauthorized person discovers that password and uses it, the password has lost its protective function for the account owner.

The court said Home Depot couldn’t have it both ways. The company argued the payment card information was “more accessible” and therefore did not lose its usefulness, then turned around and argued the insurers were still obligated to provide coverage for “reduced usage.” The court was likewise not persuaded by Home Depot’s arguments that the exclusion only applied to events like a ransomware attack. The policy listed six specific events subject to the electronic data exclusion that “cover[ed] more than a cyberattack.” The judges refused to narrow the scope of the electronic data exclusion.

Cause of loss

According to Georgia precedent, the phrase “arising out of” necessitated use of the “but for” causation standard in the context of an insurance policy (Barrett v. Nat'l Union Fire Ins. Co., 696 S.E.2d 326 (Ga. Ct. App. 2010)). The judges were tasked with determining whether the damages asserted by Home Depot under its reissuance and reduced usage theories would have arisen “but for” the data breach.

Considering the reissuance theory, the suits filed against Home Depot by the financial institutions specifically alleged that they had been “forced to cancel and reissue payment cards” (emphasis omitted) as a consequence of the cyberattack on Home Depot. The judges said this was a clear-cut example of “but for” causation, but Home Depot insisted that reissuing the payment cards had actually “caused the loss of use” (emphasis omitted) of the electronic data rather than the loss preceding the reissuance. In other words, the payment cards were not rendered useless until the payment information had been changed by the financial institutions.

The judges were not convinced. The financial institutions had not changed the payment information for millions of customers on a whim. Those customers had requested reissuance of the payment cards because that information had been rendered useless by the data breach.

Under its “reduced usage” theory, Home Depot argued that, “[a]fter the breach became public, the issuers' customers used their physical payment cards less,” which shrank both the number of transaction fees and the amount of interest. This argument, the judges said, is tantamount to an admission that the data breach came first. The “reduced usage” occurred after the data breach was announced to the general public, and the data breach was therefore the “but for” cause of the loss.

Conclusion

Since the data breach was both subject to the electronic data exclusion and the “but for” cause of the damages asserted, the court determined that the district court had been correct to award summary judgment to the insurers. The verdict was affirmed.

Editor’s Note: Part of the issue in this case was exactly when the information became useless, because the event that rendered the information useless would be the relevant cause of loss. Home Depot argued that the payment information wasn’t rendered useless until the financial institutions reissued the payment cards. However, this argument does not consider who is intended to use the information. Home Depot’s argument implies that the payment information is intended to be useful for anyone who happens to have it, which is not true.

Payment card information for a personal account, in general, is intended for the use of one person, or maybe two for joint accounts: the account owner and maybe an authorized user. The payment card information is only useful as intended so long as it remains useful to the account owner. If that payment information is compromised in a data breach like the one described in this case, it is rendered useless to the account owner because any unauthorized person who has the information may access the account. Here, the payment account information was rendered useless to the payment card holders when the information was stolen by unauthorized persons. Therefore, the relevant cause of loss would be the data breach. Since the cause of loss was within the scope of the electronic data exclusion, the loss was not covered.
