The U.S. District Court in St. Paul has reconsidered its prior decision and ruled that Target Corp. can recover settlements it paid to banks in connection to a 2013 data breach under its general liability policy from its insurer, ACE American Insurance Company.
In 2013, Target discovered that a hacker had stolen payment card data and personal contact information of individuals with Target payment cards. This data breach included payment cards. As a result, the banks that issued those cards canceled the cards and issued replacements. The issuing banks incurred costs when they issued the replacement cards, and sought compensation for those costs from Target. Target settled the issuing banks’ claims.
Target alleges that under ACE’s general liability policies, ACE is obligated to indemnify Target for the payments they made to the issuing banks in the form of settlements. The applicable policies provided coverage for losses resulting from property damage, including “loss of use of tangible property that is not physically injured.” The policies applied to property damage only if that damage was caused by an “occurrence.”
Target gave ACE notice and a detailed accounting of the loss. ACE denied coverage and refused to compensate Target for the losses. Target filed suit in federal district court in St. Paul in November 2019 charging the insurer improperly refused to indemnify it for part of the costs it incurred in connection with the data breach. The suit asked for $74 million in costs that Target incurred.
In the ruling this week, the court stated that it had “erred in its prior judgment,” and that Target must satisfy three requirements to establish coverage for the cost of replacing the payment cards: (1) the losses must have been the result of an “occurrence;” (2) the “occurrence” must have resulted in the “loss of use” of the property; and (3) the property lacking use must have been “tangible property that is not physically injured.”
Previously, the court found that Target could not demonstrate loss of use. This ruling said that neither party “has presented controlling legal authority squarely addressing” whether loss of use includes the inoperability of payment cards, and its research “has not identified legal authority directly on point.”
Target relied on a ruling from 2010 out of the 8th U.S. Circuit Court of Appeals in St. Louis. Eyeblaster Inc. v. Federal Insurance Co. is factually analogous to the Target case, according to the court, which now holds that Target meets the “loss of use” requirement.
According to the ruling, “[b]ecause the payment cards are tangible property and the payment cards are not physically injured, Target has met the third requirement to establish a basis for its claim for coverage.”
The court vacated its prior ruling, denied ACE’s motion for summary judgment and ruled that Target has coverage for the losses under its policies.
Gretchen Hoff Varner, a partner with Covington & Burling LLP, and lead attorney on the Covington team who represented Target commented: ”After nearly a decade of hard-fought dispute, we are delighted with the court’s decision to award our client Target with summary judgment, adopting our position and ordering ACE to indemnify Target for the costs of replacing payment cards that were affected by the 2013 data breach. This is an important decision for policyholders who have experienced a data breach or other type of cyber event.”
Editor’s Note: As far as we here at ICLC know, this is one of the first decisions in the country to find that there is coverage for losses stemming from a data breach under a general liability policy. This may lead to more cases with a similar fact pattern being litigated, likely with varying results. Because of the intangible nature of data, how data can be damaged is of utmost importance for the industry to determine and define. Standard concepts of physical damage and loss of use do not apply.