In 2014, Home Depot suffered a data breach when hackers accessed its
systems and stole payment card information from millions of customers. At the time, this data breach was one of the largest and made national headlines. Eventually, financial
institutions sued Home Depot, alleging losses due to reissuing payment cards, covering
fraudulent charges, and increased fraud monitoring. Home Depot settled these claims for
$170 million.
The settlement exhausted Home Depot's $100 million cyber-insurance
policy. So, it sought additional coverage under its commercial general liability (CGL) policies, issued by Steadfast and Great
American. Home Depot had the following tower of insurance.
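Table 1. Home Depot's Commercial Liability Insurance Tower
$9 million (deductible)
$1 million (self-insured retention)
The Commercial Liability Insurers Deny Coverage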
The CGL insurers denied coverage for multiple reasons, including
the electronic data exclusion. The exclusion in the primary CGL policy
issued by Steadfast stated:
p. Electronic Data
Damages arising out of the loss of, loss of use of, damage to,
corruption of, inability to access, or inability to manipulate electronic data.
As used in this exclusion, electronic data means information,
facts or programs stored as or on, created or used on, or transmitted to or from
computer software, including systems and applications software, hard or floppy
disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media
which are used with electronically controlled equipment.
Source: Zurich Commercial General Liability Coverage Form (U-GL-1287-A CW (09/06)), at page 5.
A coverage lawsuit was filed. First, Home Depot asserted that the CGL and
excess insurers should indemnify it for costs the issuers incurred by reissuing
physical payment cards (the "reissuance theory"). Second, Home Depot sought
indemnification for the issuers' claims about "lost interest and transaction fees,"
which stemmed from consumers using their cards less after the breach than before
(the "reduced usage theory"). Third, Home Depot alleged that the insurers should
reimburse its defense costs.
The federal district court, applying Georgia law, ruled in favor
of the insurers and held that the electronic data exclusion precluded coverage; an
appeal was filed.
Ruling
Affirming the district court, the Sixth Circuit Court of Appeals
held that the CGL and excess insurers did not owe coverage for the data breach due
to the electronic data exclusion. In reaching this result, the court first noted
that whether the exclusion applied turned on the answer to three questions:
The first is whether payment card data is electronic data. The
second is whether there was a "loss of use of" (or other covered harm to)
electronic data. The third is whether the damages "arose out of" that loss.
The court answered the questions affirmatively, holding that the
exclusion barred coverage.
1. Payment Card Data Is Electronic Data
First, the court analyzed whether payment card data is
"electronic data" under the exclusion's terms. The court held that it was,
reasoning:
Payment card information falls within the policy's terms:
"information, facts, or programs stored as or on, created or used on, or
transmitted to or from computer software, including systems and applications
software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data
processing devices or any other media which are used with electronically
controlled equipment.…" Because payment card data is a creature of the
computer, it falls under the policy's definition of "electronic data."
Thus, the court ruled that this first question favored the
exclusion applying to the loss.
2. There Was a Loss of Use of Electronic Data
Next, the court addressed whether reissuance and reduced usage
of payment cards was a loss of use of electronic data. In answering this
question in the affirmative, the court focused on the meaning of "loss of use."
It held that, under Georgia law, the phrase meant an item could not be used. The
court concluded that a loss of use occurred here, as consumers couldn't use
payment card data to make purchases.
Interestingly, the court rejected Home Depot's argument to the
contrary, that there was no loss of use:
In response, Home Depot makes a handful of arguments. Its
principal point is that the data breach made electronic payment card data
more, not less, accessible. As Home Depot sees things, the breach let many
people use the data, "allowing not only use by the issuers and cardholders
but also misuse by the hackers and those to whom the hackers sold the
data."
But this argument isn't how an ordinary reader would read
the policies at issue. Consider the following hypothetical. If a man creates
a password that he uses for his bank accounts, and then a hacker learns it
and starts logging into the accounts, the password isn't useful anymore.
Why? The password no longer keeps his accounts secure. Thus, the man has
lost the use of his password. It wouldn't matter that the password exists on
his bank's servers and still allows him to log in. No ordinary person would
think that his password was just as good as before. So too here.
Home Depot runs into a second problem. It makes two
contradictory claims: (1) there was no loss of use and (2) it's nevertheless
entitled to recovery for reduced usage. But if the data was just as good as
before the breach—and even "more accessible"—then it makes little sense for
Home Depot to seek to collect for reduced usage of the cards.
Thus, the second question favored the insurers.
3. The Damages Arose Out of the Electronic Data Loss
Finally, the court asked whether the reissuance and reduced
usage damages arose out of the electronic data loss. Ruling, similarly, that
they did, the court noted that, under Georgia law, the term "arising out of"
should be broadly interpreted to require a "but for" standard.
Applying this standard, the court held that "but for" the
electronic data breach, the reissuance and reduced usage damages would not have
occurred. Specifically, the court determined that reissuing cards was directly
caused by the electronic data breach, not by any loss of use of the physical
cards themselves. Moreover, the decline in card usage stemmed from compromised
electronic data, falling squarely under the exclusion. Thus, the court ruled
that all losses related to the data breach satisfied the "but for" standard, as
the breach caused both forms of damages and the lawsuit.
Notably, the court sidestepped the issue of whether the data
breach led to "loss of use" of tangible property (the payment cards themselves)
under both the reissuance and reduced usage theories. Even if we assume that
this loss of use occurred, the electronic data exclusion would unambiguously bar
coverage.
Takeaway—CGL Policies Are Often Inadequate for Coverage of Cyber Risks
The ruling highlights how CGL policies are not designed to address
the unique and evolving risks associated with cyber incidents. By contrast,
cyber-insurance policies specifically cover the exposures associated with data
breaches, providing essential financial protection to companies. Relying on
traditional insurance products like CGL policies creates significant gaps in
protection, as they were not intended to address the distinct nature of
cyber-related liabilities.
The case also illustrates the financial vulnerability businesses
face when cyber-policy limits are inadequate. Although Home Depot initially relied
on a $100 million cyber-insurance policy to address the costs of the breach, the
company sought additional coverage from its CGL policies after exhausting the
cyber-policy’s limits. However, the CGL policy's electronic data exclusion precluded
coverage, leaving Home Depot without indemnification for a significant amount of
losses. This reinforces the need for businesses to carefully assess their
cyber-insurance limits and policy terms to ensure sufficient coverage.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.